Pluck CMS 4.7.10 remote code execution vulnerability analysis

This article first appeared on the Xianzhi community (xz.aliyun.com):

https://xz.aliyun.com/t/6486

0x01 Vulnerability Description

Pluck is a small CMS written in PHP.
Affected version: Pluck CMS 4.7.10 (updated August 2019)
Official website: http://www.pluck-cms.org/?file=home

0x02 Vulnerability Analysis

The latest version is 4.7.10, but the problem already existed in version 4.7.1. After the author updated, the parameter filtering in the article editor became stricter, yet it can still be bypassed to get a shell, and after the 4.7.10 update the same critical parameter in the process is still left unfiltered. The 4.7.1 problem is introduced first, so that the 4.7.10 version is quick to understand afterwards.

v4.7.1 analysis

Entry point: admin.php

After entering the backend with action=editpage, admin.php includes data/inc/editpage.php, which is the article editor. Follow it.

At line 35 of editpage.php you can see that the title, content and other parameters from the POST request are passed straight into the save_page function, which is where the vulnerability lies. Follow save_page.

 

In functions.admin.php at line 588 is the save_page function. The controllable parameters title and content are spliced directly into PHP code. The sanitize function escapes single quotes here to stop the string from being broken out of, but as shown later it can still be bypassed.

In functions.admin.php at line 612, the title and content are written out by calling the save_file function. The file name written does not matter here, because the file is automatically included after it has been written.

 

In functions.all.php at line 178, if the content is not an array it is written directly to the target file.

From the analysis so far we can see that three parameters, title, content and hidden, are all written to the file. Title and content are filtered, but the hidden parameter is not, so a single quote in it closes the $data string directly and the code spliced after it writes the shell.

 

After loading, the page automatically jumps to index.php, and the shell we wrote produces the following result.

Writing the shell through the title and content parameters is also possible; you only need to set title or content to 1\';phpinfo();/*

The written shell can then be taken further.

v4.7.10 analysis

This version also has the problem in the article editor: at line 539 of data\inc\functions.admin.php, controllable POST parameters are spliced into PHP code.

At this point a simple injection of a single backslash plus a quote no longer writes the shell.

 

But as mentioned at the beginning, in this latest version, exactly as in 4.7.1, the critical hidden parameter is not filtered, so the shell can be written to the same file through the hidden parameter.

 

 

The written file looks as follows; the same RCE can then be carried out further, in the same way as for v4.7.1.
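To make the escaping flaw from both the v4.7.1 and v4.7.10 sections concrete, here is an added PHP example (not Pluck's own code; the function names are hypothetical): the weak single-quote-only sanitizer beside a builder that escapes every field with var_export(), plus a tokenizer-based check a reviewer can run over a generated page file.

```php
<?php
// Added example, not Pluck's own code; function names are hypothetical.
// Mirrors the weak pattern in the article: only the quote is escaped, so a
// backslash placed before it escapes the added backslash instead, and the
// quote still terminates the string literal.
function weak_sanitize(string $s): string {
    return str_replace("'", "\\'", $s);
}

// Page file generated as the article describes: title and content pass
// through the sanitizer, the hidden field does not.
function build_page_weak(string $title, string $content, string $hidden): string {
    return "<?php\n"
        . "\$title = '" . weak_sanitize($title) . "';\n"
        . "\$content = '" . weak_sanitize($content) . "';\n"
        . "\$hidden = '" . $hidden . "';\n";
}

// Hardened: var_export() escapes both backslash and single quote, so no
// value can close the literal, and every field goes through it, the hidden
// one included. (Storing the data as JSON rather than PHP source removes
// the problem entirely.)
function build_page_safe(string $title, string $content, string $hidden): string {
    return "<?php\n"
        . "\$title = " . var_export($title, true) . ";\n"
        . "\$content = " . var_export($content, true) . ";\n"
        . "\$hidden = " . var_export($hidden, true) . ";\n";
}

// Audit check for a generated page file: it must hold nothing but string
// assignments. A bare identifier (T_STRING, e.g. a function name) means
// user data broke out of the literal; a lexer error counts as failure too.
function only_assignments(string $php): bool {
    try {
        $tokens = token_get_all($php);
    } catch (\Throwable $e) {
        return false;
    }
    foreach ($tokens as $t) {
        if (is_array($t) && $t[0] === T_STRING) {
            return false;
        }
    }
    return true;
}

// Constructed probe: the bypass string quoted in the article.
$probe = "1\\';phpinfo();/*";
var_dump(only_assignments(build_page_weak($probe, 'body', 'h')));  // weak builder
var_dump(only_assignments(build_page_safe($probe, 'body', 'h')));  // hardened builder
```

Run with the PHP CLI; the tokenizer extension it relies on is enabled by default.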


Source: www.cnblogs.com/wfzWebSecuity/p/11652221.html