CVE-2021-36424: Code execution during installation · Issue #310 · slackero/phpwcms
An issue discovered in phpwcms 1.9.25 allows remote attackers to run arbitrary code via the DB user field during installation.
Enter the installation process and, in the MySQL database settings, put the payload into the DB user field: root';phpinfo();//
Click Continue. Reload the page and the PHP code is executed.
In write_conf_file in setup/inc/setup.func.inc.php, the external input parameters are filtered and then concatenated into the configuration file.
The filter only replaces ' with \'. An input of \' therefore becomes \\', where the first backslash escapes the second one, so the quote itself is no longer escaped and the filter is defeated: the string literal in the generated config file is terminated early and whatever follows is written as PHP code.
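To make the escaping failure concrete from the defender's side, here is an added example (my own code, not phpwcms's write_conf_file) that contrasts a quote-only escaper with a hardened one when a user-supplied value is written into a PHP config file as a string literal, and adds a check that the generated literal is really a single string token. The function names and the constructed input value are mine.

```php
<?php
// Added example, not phpwcms code. Demonstrates why escaping only the quote
// is insufficient when a value is embedded in a PHP config file.

// Naive escaper: replaces ' with \' and nothing else (the weak pattern).
function naive_quote(string $value): string
{
    return "'" . str_replace("'", "\\'", $value) . "'";
}

// Hardened escaper: var_export() escapes both backslash and quote, so the
// literal cannot be closed early by a backslash-quote sequence.
function safe_quote(string $value): string
{
    return var_export($value, true);
}

// Better still for a DB user name: reject anything outside a strict allow-list
// before it ever reaches the config writer.
function validate_db_user(string $value): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $value);
}

// Defensive check: tokenize the generated literal and require exactly one
// T_CONSTANT_ENCAPSED_STRING followed by the terminating semicolon.
function is_single_string_literal(string $literal): bool
{
    $tokens = token_get_all("<?php " . $literal . ";");
    $meaningful = array_values(array_filter($tokens, function ($t) {
        return !is_array($t) || !in_array($t[0], [T_OPEN_TAG, T_WHITESPACE], true);
    }));
    return count($meaningful) === 2
        && is_array($meaningful[0])
        && $meaningful[0][0] === T_CONSTANT_ENCAPSED_STRING
        && $meaningful[1] === ';';
}

// Constructed test value: a backslash followed by a quote, then extra code.
$input = "\\';phpinfo();//";

$naive = naive_quote($input);   // yields '\\';phpinfo();//'  (quote escapes itself away)
$safe  = safe_quote($input);    // yields '\\\';phpinfo();//' (stays one string)

printf("naive literal: %s -> single string? %s\n", $naive, is_single_string_literal($naive) ? 'yes' : 'NO');
printf("safe  literal: %s -> single string? %s\n", $safe,  is_single_string_literal($safe)  ? 'yes' : 'NO');
printf("allow-list accepts value? %s\n", validate_db_user($input) ? 'yes' : 'NO');
```

The tokenizer check is a cheap regression test for any installer or config generator: if the quoted value does not tokenize as exactly one string literal, the writer must refuse to emit the file. The allow-list validation is the primary control, and var_export() (or an equivalent that escapes the backslash as well as the quote) is the fallback for values that legitimately need a wider character set.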
Final result