CVE-2020-19301: There is an Arbitrary Code Execution Vulnerability · Issue #1 · tingyuu/vaeThink
A vulnerability in the vae_admin_rule database table of vaeThink v1.0.1 allows attackers to execute arbitrary code via a crafted payload in the condition parameter.
Vulnerability description:
There is a vulnerability which allows remote attackers to execute arbitrary code. The user can control the value of the field 'condition' of the database table 'vae_admin_rule', which is used for the parameters of the code execution function in the administrator privilege check module.
Payload:
123);system("echo ".base64_decode("Ijw/cGhwIHBocGluZm8oKTsi").">yunsle.php"
POC:
Firstly, we put the payload into the place as follows:
Then we create a new role group, which has limited privileges:
And we create a user that belongs to this role group:
We log in as 'test', and it's obvious that user 'test' has no privilege to access any page:
But the payload has been executed when the system checked the privileges:
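The root cause described above is that a string stored in the database reaches a code execution function during the privilege check. The following is an added example, not vaeThink's code, of checking a rule condition by parsing it against a strict grammar instead of executing it. The grammar and the function names compareValues() and checkRuleCondition() are assumptions made for illustration.

```php
<?php
// Added example. Assumed grammar (not taken from vaeThink): "{field} OP number"
// clauses joined by "and"/"or", e.g. "{score}>5 and {score}<100".
// compareValues() and checkRuleCondition() are hypothetical names.

function compareValues(float $left, string $op, float $right): bool
{
    switch ($op) {
        case '>':  return $left > $right;
        case '>=': return $left >= $right;
        case '<':  return $left < $right;
        case '<=': return $left <= $right;
        case '==': return $left == $right;
        case '!=': return $left != $right;
    }
    throw new InvalidArgumentException('unsupported operator');
}

function checkRuleCondition(string $condition, array $user): bool
{
    $clause = '/^\s*\{(\w+)\}\s*(>=|<=|==|!=|>|<)\s*(-?\d+(?:\.\d+)?)\s*$/D';
    $result = false;
    // Split on "or" first, then "and", so "and" binds tighter than "or".
    foreach (preg_split('/\s+or\s+/i', $condition) as $orPart) {
        $allTrue = true;
        foreach (preg_split('/\s+and\s+/i', $orPart) as $andPart) {
            if (!preg_match($clause, $andPart, $m)) {
                // Text outside the grammar is rejected; nothing is executed.
                throw new InvalidArgumentException('rejected rule condition');
            }
            $value = $user[$m[1]] ?? null;
            // Unknown or non-numeric attribute: the clause fails closed.
            $allTrue = $allTrue && is_numeric($value)
                && compareValues((float) $value, $m[2], (float) $m[3]);
        }
        $result = $result || $allTrue;
    }
    return $result;
}

$user = ['score' => 42]; // constructed sample user attributes
var_dump(checkRuleCondition('{score}>5 and {score}<100', $user));
try {
    // Constructed string with the same shape as the payload above.
    checkRuleCondition('123);system("echo test"', $user);
} catch (InvalidArgumentException $e) {
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}
```

Applying the same grammar check when rows in the rule table are written keeps invalid conditions from being stored in the first place.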