NAME OF AFFECTED PRODUCT(S): zzcms
AFFECTED AND/OR FIXED VERSION(S): zzcms2023
PROBLEM TYPE: File Upload
Impact: Arbitrary code execution
DESCRIPTION: ZZCMS 2023 has a file upload vulnerability in 3/E_bak5.1/upload/index.php that allows an attacker to write a PHP file to the server and execute arbitrary code with the privileges of the web server.
Reproduction steps:
1. Download the latest version of zzcms.
2. Log in to the admin panel with the default credentials admin / admin.
3. Select one of the database tables for backup.
4. Intercept the backup request with Burp Suite.
5. Change the value of the "tablename" parameter to eval($_POST[1]).
6. Click "View Backup Instructions."
7. Change the file name to config.php and set the POST body to 1=phpinfo();
8. The generated file is now a one-line PHP webshell on the server: the eval() runs whatever is sent in the POST parameter 1.
Vulnerability Code Analysis:
phonebak.php reads its parameters from $_POST, so they are fully user-controllable.
The "tablename" parameter is assigned to the $tablename variable without validation.
Later, each entry is concatenated into a string of the form $tb[".$tablename[$i]."]=0, so the generated PHP source reads $tb[<tablename>]=0:
The value is not wrapped in quotes and is neither escaped nor filtered. A submitted value such as eval($_POST[1]) is therefore written verbatim into $string as a PHP expression (the array index), and $string is then saved into a .php file along with the rest of the backup output. Requesting or including that file runs the eval(), which is Remote Code Execution (RCE).
Mitigation Measures:
Disable the backup module if it is not needed. Otherwise, validate $tablename against a strict allowlist (identifier characters only, ideally restricted to the table names the database actually reports) and emit it as a quoted, escaped literal rather than concatenating it raw into generated PHP source.
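The following is an added example, not zzcms source code, that models the generation step described in the code analysis above and the validation recommended in the mitigation. The function names, the sample table list and the loop structure are assumptions chosen to mirror the $tb[".$tablename[$i]."]=0 pattern; it shows why the raw concatenation executes eval($_POST[1]) and how an allowlist plus a quoted literal stops it.

```php
<?php
// Added example (not zzcms source): models the backup-file generation described
// in the analysis and a hardened replacement. Names are illustrative assumptions.

// Vulnerable pattern: the user-controlled table name is concatenated into PHP
// source with no quotes, escaping or validation, as the write-up describes.
function build_backup_script_vulnerable(array $tablename): string
{
    $string = "<?php\n";
    for ($i = 0; $i < count($tablename); $i++) {
        $string .= '$tb[' . $tablename[$i] . ']=0;' . "\n";
    }
    return $string;
}

// Hardened pattern: accept only identifier characters, require the name to be a
// known table (allowlist built from the schema; constructed here), and emit a
// quoted literal via var_export() so the name can never be parsed as code.
function build_backup_script_safe(array $tablename, array $knownTables): string
{
    $string = "<?php\n";
    for ($i = 0; $i < count($tablename); $i++) {
        $name = $tablename[$i];
        // \A...\z rather than ^...$ so a trailing newline cannot slip past the check.
        if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name)) {
            throw new InvalidArgumentException("illegal characters in tablename[$i]");
        }
        if (!in_array($name, $knownTables, true)) {
            throw new InvalidArgumentException("unknown table in tablename[$i]");
        }
        $string .= '$tb[' . var_export($name, true) . ']=0;' . "\n";
    }
    return $string;
}

// Constructed inputs: one legitimate name and the payload from the steps above.
$submitted   = ['zz_user', 'eval($_POST[1])'];
$knownTables = ['zz_user', 'zz_admin'];   // constructed; real code would read SHOW TABLES

echo build_backup_script_vulnerable($submitted);
// Second generated line is  $tb[eval($_POST[1])]=0;  -- eval() runs as the array
// index expression as soon as the generated file is included or requested.

try {
    echo build_backup_script_safe($submitted, $knownTables);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";   // the payload never reaches the file
}
```

The regex alone would already block the payload, because "(", "$" and "[" are not identifier characters; the allowlist check is the second layer so that a table name which is syntactically harmless but does not exist cannot be used to probe the backup code either. var_export() is used for the emitted literal rather than hand-placed quotes so that a quote inside the value, should the validation ever be loosened, is escaped instead of terminating the string.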