Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page
Vulnerability location:
data\inc\functions.admin.php 531-535 line
Saves the hidden parameter passed by the POST request to php, but does not escape the special character (') in the value, which can directly close the php syntax remote execution command, such as phpinfo(), eval(), etc.
Demo:
After the installation is successful, go to the management background.Create a new page, enter a title and content Select "Show webpage",submit the request and then grab the request packet to modify the value of the hidden parameter to "no"; phpinfo();'"
Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page
Vulnerability location: data\inc\functions.admin.php 531-535 line
Saves the hidden parameter passed by the POST request to php, but does not escape the special character (') in the value, which can directly close the php syntax remote execution command, such as phpinfo(), eval(), etc.
Demo: After the installation is successful, go to the management background.Create a new page, enter a title and content Select "Show webpage",submit the request and then grab the request packet to modify the value of the hidden parameter to "no"; phpinfo();'"
http://192.168.80.1/pluck-4.7.10-dev2/?file=aaaa
Write a sentence Trojan
Use chopper connection