CVE-2020-36037: wuzhicms v4.1.0 has a write webshell vulnerability · Issue #192 · wuzhicms/wuzhicms
An issue was discovered in wuzhicms version 4.1.0 that allows remote attackers to execute arbitrary code via the setting parameter to the ueditor in index.php.
The location where the vulnerability was triggered:
/coreframe/app/attachment/admin/index.php
Locate the function “ueditor”. When the parameter “submit” exists, the value of “setting” is passed to the function “set_cache” for execution.
When the parameter “submit” does not exist, the content of the cache file is executed directly.
The “set_cache” function does not filter the variable “data” (the “setting” parameter passed in) and saves it directly in the cache file.
The saved cache file path is: /caches/cache/ueditor.dt72K.php
So we can construct the following PoC:
http://192.168.114.150/index.php?m=attachment&f=index&v=ueditor&_su=wuzhicms&submit=1&setting=<?php echo phpinfo();?>
Vulnerability reproduction
First: log in to the system.
Second: execute the PoC:
You can see that the shell file is successfully written:
Third: visit:
http://192.168.114.150/index.php?m=attachment&f=index&v=ueditor&_su=wuzhicms
You can see the successful execution of the shell script:
Repair method
Strictly filter the “setting” parameter.
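
One way to apply this repair, as an added example that is not wuzhicms code: validate “setting” against an allow-list and store the cache as JSON data that is parsed rather than executed. The helper names, the allowed keys and the `.json` cache name are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not wuzhicms code (needs PHP 7.3+).
const ALLOWED_KEYS = ['toolbar', 'upload_ext']; // constructed allow-list

function validate_setting($input): array
{
    if (!is_array($input)) {
        throw new InvalidArgumentException('setting must be an array');
    }
    $clean = [];
    foreach ($input as $key => $value) {
        if (!in_array($key, ALLOWED_KEYS, true)) {
            throw new InvalidArgumentException('unexpected setting key');
        }
        if (!is_string($value) || !preg_match('/\A[\w ,|-]{0,256}\z/', $value)) {
            throw new InvalidArgumentException('invalid setting value');
        }
        $clean[$key] = $value;
    }
    return $clean;
}

function cache_path(string $dir, string $name): string
{
    if (!preg_match('/\A[a-z0-9_]+\z/', $name)) {
        throw new InvalidArgumentException('invalid cache name');
    }
    return $dir . '/' . $name . '.json'; // data file, never include()'d
}

function safe_set_cache(string $dir, string $name, array $data): void
{
    file_put_contents(cache_path($dir, $name), json_encode($data, JSON_THROW_ON_ERROR), LOCK_EX);
}

function safe_get_cache(string $dir, string $name): array
{
    $raw = file_get_contents(cache_path($dir, $name));
    return json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
}

$dir = sys_get_temp_dir(); // constructed demo location
safe_set_cache($dir, 'ueditor_demo', validate_setting(['toolbar' => 'bold,italic']));
var_dump(safe_get_cache($dir, 'ueditor_demo'));
try {
    validate_setting('<?php echo phpinfo();?>'); // the value sent in the PoC above
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because the cache is read with `json_decode` and never included, even a value that slipped past validation would be treated as a string, not as PHP.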