CVE-2023-1970: tpAdmin RCE - An Ordinary Student's Blog
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, has been found in yuan1994 tpAdmin 1.3.12. This issue affects the function Upload of the file application\admin\controller\Upload.php. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-225407. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
RCE Vulnerability in tpAdmin
Project: https://github.com/yuan1994/tpAdmin
tpAdmin is an administration back end built on the official ThinkPHP 5.0 release and Hui.admin v2.5.
At the time of writing, the project has 437 stars and 186 forks on GitHub.
tpAdmin contains an arbitrary file upload vulnerability that lets an attacker take control of the server.
Note: if you want to deploy the system for testing:
After downloading the project, use Composer to fetch the required dependencies (it is recommended to edit composer.json first).
Only the following section needs to be changed:
```json
{
    "require": {
        "php": ">=5.4.0",
        "topthink/framework": "5.0.7",
        "topthink/think-captcha": "1.0.7",
        "qiniu/php-sdk": "7.1.3",
        "phpoffice/phpexcel": "1.8.2",
        "yuan1994/tp-mailer": "0.2.4"
    }
}
```
Then run composer update or composer install.
If the page still cannot be reached, refer to ThinkPHP's official deployment manual:
https://www.kancloud.cn/manual/thinkphp5/129745
https://www.kancloud.cn/manual/thinkphp5/177576
Open the admin login page and sign in, for example: http://192.168.159.134/admin/pub/login.html
Username: admin
Password: 123456
Vulnerable file: application\admin\controller\Upload.php
The upload function in this controller applies no file-type filter, so a webshell can be uploaded.
Upload the webshell through the upload form; the HTTP response contains the URL path of the stored file.
GETSHELL.
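For comparison, the following is an added example of what the upload action would look like with the missing controls in place. It is my own code, not tpAdmin's controller, and it assumes the ThinkPHP 5.0 think\File API (validate()/move()), a form field named "file", and the ROOT_PATH and DS constants that the ThinkPHP 5.0 entry script defines. The checks it adds are the ones the vulnerable action lacks: an extension allowlist, a content-based MIME check, a size limit, and a server-generated file name so the attacker-supplied name never reaches the filesystem.

```php
<?php
namespace app\admin\controller;

use think\Controller;
use think\Request;

// Added example, not tpAdmin's own code. Hardened upload action for a
// ThinkPHP 5.0 controller; assumes think\File::validate()/move() and the
// ROOT_PATH / DS constants from the framework entry script.
class Upload extends Controller
{
    // Extensions the web server serves as static content and never executes.
    const ALLOWED_EXT = 'jpg,jpeg,png,gif,pdf';

    // MIME types checked by fileinfo against the file's bytes, not against
    // the client-supplied Content-Type header.
    const ALLOWED_MIME = 'image/jpeg,image/png,image/gif,application/pdf';

    const MAX_BYTES = 5242880; // 5 MiB

    public function upload(Request $request)
    {
        $file = $request->file('file');
        if (!$file) {
            return json(['code' => 1, 'msg' => 'no file uploaded']);
        }

        // Defence in depth: refuse any original name that carries a script
        // extension anywhere in it (e.g. shell.php.jpg), independent of the
        // 'ext' rule below, which only looks at the last extension.
        $original = (string) $file->getInfo('name');
        if (preg_match('/\.(php\d?|phtml|phar|pht)(\.|$)/i', $original)) {
            return json(['code' => 1, 'msg' => 'file type not allowed']);
        }

        $saved = $file
            ->validate([
                'size' => self::MAX_BYTES,
                'ext'  => self::ALLOWED_EXT,
                'type' => self::ALLOWED_MIME,
            ])
            // move() with the default $savename stores the file under a
            // framework-generated date/hash name, so the attacker-controlled
            // name is never used on disk.
            ->move(ROOT_PATH . 'public' . DS . 'uploads');

        if (!$saved) {
            // getError() reports which rule failed (size, ext or type).
            return json(['code' => 1, 'msg' => $file->getError()]);
        }

        // Return only the relative path the application chose.
        return json([
            'code' => 0,
            'url'  => '/uploads/' . str_replace(DS, '/', $saved->getSaveName()),
        ]);
    }
}
```

The allowlist is the primary control; the regex is there only to catch names the allowlist would pass on their final extension. Two server-side measures belong alongside it: configure the web server so that nothing under /uploads/ is handed to the PHP interpreter, and, for detection, alert on any file with a PHP extension or an opening `<?php` tag appearing under the uploads directory. Because the CVE note marks the product as unsupported, the maintainer will not ship such a fix, so deployments need to apply it themselves or retire the component.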