A arbitrary file write vulnerability in RGCMS V1.06

Posted on | Post modified: | In | | Visitors:
Words count in article: 199 字 | Reading time ≈ 1 分钟
A arbitrary file write vulnerability in RGCMS V1.06

Vulnerability Information

description

The CMS background content management editor has a file write vulnerability.By using the “model manage” module in the background content management,we can directly create a webshell in the server,and getshell

parameter

1.Attack Vector:Network
2.Attack Complexity: Low
3.Privileges Required: High, need rights of admin
4.User Interaction: None
5.Confidentiality: High
6.Integrity: High
7.Availability: High

POC

1.This is the model manage page of RGCMS V1.06 in background content management

2.we can see there is a “创建” button,which we can create a file by clicking this button,try to create a file named “1.php”

3.we can see file create success

4.And then try to edit the content of the file “1.php”,capture the packet of edit request

5.change the path and title to “1.php”

6.we can see,the edit request success,we can edit the file content now,we change the file content to <?php @eval($_POST['pass'])?>

7.check if the webshell truly be created,as we can see file create success

8.check the webshell content

9.connect the webshell by antsowrd,and connect success

0%