CVE-2022-46101: AyaCMS v3.1.2 RCE vulnerability · Issue #6 · loadream/AyaCMS

AyaCMS v3.1.2 was found to have a code flaw in the ust_sql.inc.php file, which allows attackers to cause command execution by inserting malicious code.


Vulnerable path: /aya/module/admin/ust_sql.inc.php
Vulnerability description: In the ust_sql.inc.php file, the $dir parameter is composed of year, month, day_hour, minute and second_random four characters. When we back up the database, the system queries all the data and saves it to the /backup/$dir/ path, stored in a file named 1.php. While the data is inserted, read and written it is not strictly filtered: only the special characters in strings used in the SQL statement are escaped, through the mysql_escape_string function. We can therefore freely add malicious PHP code in articles, messages and other functions, and that code is written into the 1.php backup file when the database is backed up. When we then visit the 1.php file, the code is executed.

We can freely add malicious php codes in articles, messages and other functions

Finally, by backing up the database, write the malicious code into the 1.php backup file

Remember this folder name

Then we access the 1.php file in this folder, and we can see that the malicious code executes.

We can also write PHP Trojans to execute system commands and control servers.
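A detection check for the condition described above, as an added example that is not part of the original issue or of AyaCMS: it walks a backup directory and reports PHP open tags inside dump files that carry an interpreter-handled extension such as 1.php. The suffix list, the directory names and the table names in the sample data are constructed, and the check assumes a legitimate dump contains no PHP open tag.

```python
import re
import tempfile
from pathlib import Path

# PHP open tags: "<?php", short echo "<?=", and the bare short tag "<?"
# (an XML declaration such as "<?xml" is not matched).
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|(?!xml))", re.IGNORECASE)
# Suffixes commonly handed to the PHP interpreter (assumed list, adjust per server).
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def scan_backups(backup_root):
    """Return (relative_path, line_number, snippet) for every PHP open tag
    found in an interpreter-handled file under backup_root."""
    findings = []
    for path in sorted(Path(backup_root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        for lineno, line in enumerate(path.read_bytes().splitlines(), start=1):
            if PHP_OPEN_TAG.search(line):
                snippet = line[:80].decode("utf-8", "replace")
                findings.append((str(path.relative_to(backup_root)), lineno, snippet))
    return findings


def demo():
    """Build a constructed backup tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        clean = Path(root, "backup", "20221101_120000_abcd")  # constructed name
        dirty = Path(root, "backup", "20221102_130000_wxyz")  # constructed name
        clean.mkdir(parents=True)
        dirty.mkdir(parents=True)
        # Constructed dump lines; table names and values are made up.
        (clean / "1.php").write_bytes(b"INSERT INTO t_article VALUES ('1','hello');\n")
        # Quotes are backslash-escaped as SQL escaping would do; the tag is untouched.
        (dirty / "1.php").write_bytes(
            b"INSERT INTO t_article VALUES ('1','hello');\n"
            b"INSERT INTO t_message VALUES ('2','<?php echo \\'marker\\'; ?>');\n"
        )
        # The same data under a suffix the interpreter ignores is not reported.
        (dirty / "1.sql").write_bytes(b"VALUES ('<?php echo 1; ?>');\n")
        return scan_backups(Path(root, "backup"))


if __name__ == "__main__":
    for path, lineno, snippet in demo():
        print(f"{path}:{lineno}: {snippet}")
```

Pointing `scan_backups` at a site's real backup directory lists the dump files worth reviewing. Storing dumps under a non-executable suffix outside the web root removes the condition the check looks for.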
