Vulnerable path /install.php
Lines 60-69 of "install.php" catch the error but do nothing, so the "exit" on line 65 is bypassed.
This occurs when the network is unstable; the situation can be created by DDoSing a database exposed to the public network, or simply by waiting for it to happen.
We can simulate this situation with breakpoint debugging: set a breakpoint on line 60, then cut off the connection to the database (for example with PhpStorm + phpStudy).
For lines 74-87 of "install.php", we can fake the Referer to bypass the second "exit"; setting the Referer to "http://localhost/" is enough.
Line 291 of "install.php" calls the function "unserialize", which can be exploited maliciously.
Its parameters come from line 83 of "/var/Typecho/Cookie.php".
Line 420 of "install.php" triggers the function "__toString".
Line 223 of "/var/Typecho/Feed.php" defines "__toString".
Line 290 of "/var/Typecho/Feed.php" triggers the function "__get".
Line 270 of "/var/Typecho/Request.php" defines "__get".
The "call_user_func" reached there can be exploited for remote code execution.
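As an added defensive example (not Typecho's own code), here are the two checks from the report rewritten to fail closed: the "already installed" guard exits when the database check itself throws instead of swallowing the error, and the serialized configuration is unserialized with allowed_classes disabled, so no object (and therefore no "__toString"/"__get" chain) can be instantiated. It assumes the config value is base64-encoded and that the key names are illustrative.

```php
<?php
// Added hardening example; not part of Typecho. Assumes the installer reads a
// base64-encoded, serialized configuration array from a cookie or POST field.

// Guard that refuses to fall through to the installer when the check fails.
function requireNotInstalled(callable $isInstalled): void
{
    try {
        $installed = $isInstalled();
    } catch (Throwable $e) {
        // Database unreachable: stop here instead of "catch and do nothing".
        http_response_code(503);
        exit('database unavailable, installer refused');
    }
    if ($installed) {
        exit('already installed');
    }
}

// Parse the installer config without ever instantiating a class.
function loadInstallConfig(string $raw): array
{
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        throw new InvalidArgumentException('config is not valid base64');
    }
    // allowed_classes => false turns any O:... payload into __PHP_Incomplete_Class,
    // so magic methods of application classes are never reachable.
    $config = @unserialize($decoded, ['allowed_classes' => false]);
    if (!is_array($config)) {
        throw new InvalidArgumentException('config must be a plain array');
    }
    // Keep only expected keys (assumed names) and only scalar values;
    // is_scalar() also drops nested incomplete-class objects.
    $allowed = ['adapter', 'host', 'port', 'user', 'password', 'database', 'prefix'];
    $clean = [];
    foreach ($allowed as $key) {
        if (isset($config[$key]) && is_scalar($config[$key])) {
            $clean[$key] = (string) $config[$key];
        }
    }
    return $clean;
}

// Constructed input: a serialized object is rejected, a plain array passes.
$bad  = base64_encode('O:8:"stdClass":0:{}');
$good = base64_encode(serialize(['adapter' => 'Mysql', 'host' => 'localhost']));
try { loadInstallConfig($bad); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
var_dump(loadInstallConfig($good));
```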
Vulnerability exploitation process:
This occurs when the network is unstable; the situation can be created by DDoSing a database exposed to the public network, or simply by waiting for it to happen. Of course, we can also keep sending requests until it does.
The PoC makes the server respond with "ok" if it succeeds. Then test the webshell.
List of Vulnerable path
POC code: