zzq66/cve4
NAME OF AFFECTED PRODUCT(S): zzcms
AFFECTED AND/OR FIXED VERSION(S): zzcms2023
PROBLEM TYPE: File Upload
Impact: Arbitrary code execution
DESCRIPTION: ZZCMS 2023 has a file upload vulnerability in 3/E_bak5.1/upload/index.php, allowing attackers to exploit this vulnerability to gain server privileges and execute arbitrary code.

First, download the latest version of zzcms.

Log in to the admin panel using the default username and password: admin / admin.

Click on "Backup Data".

Choose one of the database tables for backup.

Capture the request using Burp Suite.

Modify the "tablename" field to "eval($_POST[1])".

Click on "View Backup Instructions".

Change the file name to "config.php" and modify the post parameter content to "1=phpinfo();".

Now, a one-liner PHP webshell is uploaded to the backend.

Vulnerability Code Analysis: The "phonebak.php" file reads its parameters from $_POST, so they are user-controllable.

The "tablename" parameter is assigned to the $tablename variable.

Later, each table name is formatted into a string of the form $tb[".$tablename[$i]."]=0:

The value of "tablename" is not enclosed in single quotes, and no escaping or filtering is applied to it. The resulting string is therefore written into a PHP file together with the rest of the backup content, which ultimately leads to Remote Code Execution (RCE).

Mitigation Measures:

Disable the backup module. Implement character filtering and relevant escaping operations on the $tablename variable.
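The following is an added illustration, not zzcms code: a hypothetical reconstruction of the unsafe string-building pattern described above, beside a hardened version that applies the second mitigation (allowlist validation of $tablename plus escaping via var_export). The function names, the table list and the sample inputs are all constructed for the example.

```php
<?php
// Added example (hypothetical reconstruction, not the project's own code).

// UNSAFE: user-controlled table names are concatenated straight into PHP
// source, so a name that contains PHP syntax becomes executable code in the
// file that is written out.
function buildBackupConfigUnsafe(array $tablenames): string {
    $string = "<?php\n";
    foreach ($tablenames as $i => $name) {
        $string .= "\$tb[\"" . $name . "\"]=0;\n";
    }
    return $string;
}

// HARDENED: accept only plausible identifiers, require that the name is a
// table that actually exists, and emit it through var_export() so the output
// is a quoted string literal rather than raw source text.
function validTableName(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $name);
}

function buildBackupConfigSafe(array $tablenames, array $existingTables): string {
    $string = "<?php\n";
    foreach ($tablenames as $name) {
        if (!is_string($name)
            || !validTableName($name)
            || !in_array($name, $existingTables, true)) {
            throw new InvalidArgumentException('Invalid table name');
        }
        $string .= '$tb[' . var_export($name, true) . "] = 0;\n";
    }
    return $string;
}

// Constructed inputs: one legitimate name and the page's malicious one.
$existing = ['zz_user', 'zz_article'];   // constructed allowlist of real tables
$submitted = ['zz_user', 'eval($_POST[1])'];

echo buildBackupConfigUnsafe($submitted);  // second line is executable code
try {
    echo buildBackupConfigSafe($submitted, $existing);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";  // hardened builder refuses it
}
```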
