CVE-2021-33949: Command execution vulnerability in /wms/src/system/databak.php · Issue #10 · FeMiner/wms
An issue in FeMiner WMS v1.1 allows attackers to execute arbitrary code via the filename parameter and the exec function.
Vulnerability type:
Command execution
Vulnerability version:
1.1
Reproduction environment:
Windows Server 2012
PHP 5.5.38
Apache 2.4
MySQL 5.6
Vulnerability description and reproduction:
During installation, use the db_wms_2013_12_31_15_48_34.sql file in the \system\ directory.
In the /system/databak.php file, the filename parameter is received through $_POST and is not filtered. It is then passed to the exec function, resulting in a command execution vulnerability.
There is no echo here, so let's test by adding a system user:
payload: filename=1 || net user test /add
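
A hardened way to handle `filename` before it reaches `exec`, as an added example that is not part of the original report or of the FeMiner/wms code. The report does not show the contents of databak.php, so `BACKUP_DIR`, the database name `wms`, the `mysqldump` command line and both function names are assumptions made for illustration.

```php
<?php
// Added example, not FeMiner/wms code. BACKUP_DIR, the database name "wms"
// and the mysqldump command line are assumptions made for illustration.
define('BACKUP_DIR', __DIR__ . DIRECTORY_SEPARATOR . 'backup');

// Allow-list: a bare name of letters, digits, '_' or '-', optional ".sql".
// Spaces, '|', '&', ';', quotes and path separators are all refused.
// \A and \z anchor the whole string, so a trailing newline cannot slip through.
function safe_backup_name($name)
{
    if (!is_string($name)
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}(?:\.sql)?\z/', $name)) {
        return null;
    }
    return substr($name, -4) === '.sql' ? $name : $name . '.sql';
}

// Build the command line; the dynamic part is quoted with escapeshellarg()
// as a second layer behind the allow-list.
function build_backup_command($name)
{
    $file = safe_backup_name($name);
    if ($file === null) {
        return null;
    }
    $target = BACKUP_DIR . DIRECTORY_SEPARATOR . $file;
    // Credentials are assumed to come from a MySQL option file, not the command line.
    return 'mysqldump --result-file=' . escapeshellarg($target) . ' wms';
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs; the second is the payload quoted in the report.
    $samples = array('nightly_2021-06-01', '1 || net user test /add', '..\\x', 'a.sql');
    foreach ($samples as $in) {
        $cmd = build_backup_command($in);
        echo $in, ' => ', $cmd === null ? 'REJECTED' : $cmd, PHP_EOL;
    }
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $raw = isset($_POST['filename']) ? $_POST['filename'] : '';
    $cmd = build_backup_command($raw);
    if ($cmd === null) {
        http_response_code(400);
        exit('Invalid backup file name');
    }
    exec($cmd, $output, $status);
    echo $status === 0 ? 'Backup written' : 'Backup failed';
}
```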