CVE-2020-21784: Code Injection Vulnerability can Getshell · Issue #286 · slackero/phpwcms
phpwcms 1.9.13 is vulnerable to Code Injection via /phpwcms/setup/setup.php.
Test version
VERSION 1.9.13, RELEASE 2020/01/10
Code audit
setup.php code
Open the secure boot file setup.php; the file path is /phpwcms/setup/setup.php. It then
includes /phpwcms/setup/inc/setup.check.inc.php at line 24.
setup.check.inc.php code
Open the file /phpwcms/setup/inc/setup.check.inc.php and you can see line 35.
setup.func.inc.php code
Track the function write_conf_file() in /phpwcms/setup/inc/setup.func.inc.php at line 119.
At line 293, it calls the function write_textfile() to write the config file in line 35.
Testing getshell
In this interface, you can input some information like this.
payload
After completing it, click Submit. It will show some error information, but you can access an address like this and you can see it run the injected code.
Solution
Filtering some sensitive characters.
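
One way to apply the filtering suggested under Solution when a setup script writes form input into a PHP config file, as an added example that is not phpwcms code and not part of the original issue. The field names, patterns and function names are hypothetical; the sample input is constructed.

```php
<?php
// Added example, not phpwcms code. All names below are hypothetical.

// Allowlist pattern per setup field; \A and \z anchor the whole value,
// so a trailing newline cannot slip through.
const FIELD_RULES = [
    'db_host'  => '/\A[A-Za-z0-9.:\-]{1,253}\z/',
    'db_user'  => '/\A[A-Za-z0-9_]{1,64}\z/',
    'db_table' => '/\A[A-Za-z0-9_]{1,64}\z/',
];

// Reject any value that does not match its field's allowlist.
function validate_setup_input(array $input): array
{
    $clean = [];
    foreach (FIELD_RULES as $field => $pattern) {
        $value = $input[$field] ?? '';
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("Rejected value for $field");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Serialise with var_export() instead of concatenating input into PHP source:
// quotes and backslashes are escaped, so a value can only be a string literal.
function render_config(array $values): string
{
    return "<?php\nreturn " . var_export($values, true) . ";\n";
}

// Constructed input that tries to close the string literal in the config file.
$hostile = ['db_host' => 'localhost', 'db_user' => "x'; \$injected = true; //", 'db_table' => 'phpwcms'];

try {
    validate_setup_input($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // first layer: the allowlist refuses the value
}

// Second layer: even if a value bypasses validation, the written file keeps it as data.
$path = tempnam(sys_get_temp_dir(), 'conf');
file_put_contents($path, render_config($hostile), LOCK_EX);
$loaded = include $path;
unlink($path);
var_dump($loaded === $hostile);    // whether the value round-tripped unchanged
var_dump(isset($injected));        // whether the embedded statement executed
```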