CVE-2021-25857: Admin setup option getshell · Issue #2 · pcmt/superMicro-CMS
An issue discovered in pcmt superMicro-CMS version 3.11 allows authenticated attackers to execute arbitrary code via the font_type parameter to setup.php.
Vulnerability conditions: the attacker must be logged in to the admin backend (management background)
Vulnerability file: superMicro-CMS-main\admin\setup.php
```php
// Write/overwrite settings file
$settings = '…/inc/settings.php'; // settings file
$settings_text = "<?php //settings_text, Many parameters are user-controllable
if(!defined('ACCESS')) {
die('Direct access not permitted to settings.php.');
}
define('LOCATION', '{$site_location}');
define('ADMIN', '{$admin}');
define('APACHE', {$apache});
define('WINDOWS', {$windows});
define('OPSYS', '{$opSystem}');
define('HOME_LINK', '{$home_link}');
define('NAME', '{$name}');
define('ALPHABETICAL', {$alphabetical});
define('SHOW_ERRORS', {$show_errors});
define('TRACK_HITS', {$track_hits});
define('PHP_EXT', {$php_ext});
define('EMAIL', '{$email}');
define('SITE_NAME', '{$site_name}');
define('OWN_NAME', '{$own_name}');
define('CONTACT_TEXT', '{$contact_text}');
define('CONTACT_MENU', '{$contact_menu}');
define('FONT_TYPE', '{$font_type}'); // This parameter is not filtered, I just start from here
define('LANG_ATTR', '{$lang_attr}'); // This parameter also not filtered
define('VERSION', '{$version}');
?>";
$fp2 = @fopen($settings, 'w+'); // open settings.php
fwrite($fp2, $settings_text); // save content to settings.php
```

```php
$font_type = $_POST['font_type']; // This value is not visible on the page and can be submitted with burpsuite
```
Vulnerability POC:
1. Log in to the management background
2. Click setup -> Submit setup
3. Modify the "font_type" value with BurpSuite
4. Access this shell
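One way to close the hole described above, as an added example that is not code from superMicro-CMS or from the reporter: validate `font_type` and `lang_attr` before use and emit every value with `var_export()`, so no submitted value can end the string literal it is written into. The function names, the font allow-list, the `lang_attr` pattern and the sample input are assumptions made for illustration.

```php
<?php
// Added example: hardened settings writer. All names below are hypothetical,
// not taken from superMicro-CMS.

// Assumed allow-list; the real set of valid font choices is not on the page.
const ALLOWED_FONT_TYPES = ['serif', 'sans-serif', 'monospace'];

/** Return $value only if it is in the allow-list, otherwise the default. */
function pick_allowed(string $value, array $allowed, string $default): string
{
    return in_array($value, $allowed, true) ? $value : $default;
}

/** Accept a lang attribute such as "en" or "en-GB" (assumed format). */
function clean_lang_attr(string $value, string $default = 'en'): string
{
    return preg_match('/\A[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*\z/', $value) ? $value : $default;
}

/**
 * Build the settings file body. var_export() emits a valid PHP literal for
 * each value, escaping quotes and backslashes, so free-text fields stay data.
 */
function render_settings(array $values): string
{
    $out = "<?php\nif (!defined('ACCESS')) {\n    die('Direct access not permitted to settings.php.');\n}\n";
    foreach ($values as $name => $value) {
        if (!preg_match('/\A[A-Z_]+\z/', (string) $name)) {
            throw new InvalidArgumentException("bad constant name: $name");
        }
        $out .= 'define(' . var_export((string) $name, true) . ', ' . var_export($value, true) . ");\n";
    }
    return $out;
}

// Constructed sample input standing in for $_POST; two values carry a quote.
$post = ['font_type' => "serif'); //", 'lang_attr' => 'en-GB', 'name' => "O'Brien"];

echo render_settings([
    'FONT_TYPE' => pick_allowed($post['font_type'], ALLOWED_FONT_TYPES, 'sans-serif'),
    'LANG_ATTR' => clean_lang_attr($post['lang_attr']),
    'NAME'      => $post['name'], // free text: var_export() escapes the quote
]);
```

With the constructed input, the unknown `font_type` falls back to `sans-serif` and the `name` value is written as the escaped literal `'O\'Brien'`.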