RCE vulnerability in Cmswing v1.3.7 - Githubissues

arterli / CmsWing

一款基于Egg.js(为企业级框架和应用而生)、Sequelize和GraphQL，功能强大的（PC端,手机端和微信公众平台）电子商务平台及CMS建站系统

http://www.cmswing.com

Other

1.35k stars 450 forks source link

RCE vulnerability in Cmswing v1.3.7 #56

Open Jason1314Zhang opened 3 years ago

Jason1314Zhang commented 3 years ago

Find a RCE vulnerability in cmswing project version 1.3.7，Details can be found in the analysis below.

Local Test

1.Enter the background of the system, select update_channel module，then edit it.

2.Change log rule `[user|console.log(require('child_process').execSync('ipconfig').toString('utf-8'))]` or `[user|console.log(require('child_process').execSync('calc').toString('utf-8'))]`

3.Enter [System settings] - [Navigation settings], change a navigation .

4.Change anything, then save it. We can find that our code is executed

5. Get IP and open calc.