An arbitrary file upload vulnerability in RGCMS V1.06

Vulnerability Information

description

The content management editor in the CMS back end has a file upload vulnerability. By modifying the back-end file upload setting (the "Allow upload file suffix" section), an attacker with admin rights can bypass the CMS's restriction on uploading PHP files, upload a Trojan horse (webshell) and get a shell (getshell).
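The root cause described above is that the only thing standing between an upload and a stored `.php` file is an admin-editable suffix list, and the editor's own check runs before the request can be tampered with. The following is an added example of a server-side validator (not RGCMS's code; the suffix lists, the `validate_upload` function and the sample inputs are assumptions): it enforces a hard deny list of executable suffixes that an admin setting cannot override, inspects every dotted suffix so `name.php.txt` does not slip through, and rejects "text" or "image" content that carries a PHP open tag.

```python
import re
from pathlib import PurePosixPath

# Suffixes a PHP web server may execute as code. Enforced server-side and
# deliberately NOT overridable by an admin-editable "allowed suffix" setting.
EXECUTABLE_SUFFIXES = frozenset({
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "pht", "inc", "cgi", "pl", "asp", "aspx", "jsp", "htaccess",
})

# Hypothetical allow list an administrator might configure (assumption).
DEFAULT_ALLOWED = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})

# Matches "<?php", "<?=" and the old "<script language=php" form. A bare "<?"
# is not matched so that XML files ("<?xml") are not rejected.
PHP_OPEN_TAG = re.compile(
    rb"<\?(php|=)|<script\s+language\s*=\s*['\"]?php", re.IGNORECASE
)


def all_suffixes(filename: str) -> list[str]:
    """Return every dotted suffix, lowercased: 'a.php.txt' -> ['php', 'txt'].

    Checking all of them, not just the last, defeats double-extension names.
    """
    parts = PurePosixPath(filename).name.split(".")
    return [p.lower() for p in parts[1:]]


def validate_upload(filename: str, content: bytes,
                    allowed: frozenset = DEFAULT_ALLOWED) -> tuple[bool, str]:
    """Decide whether an upload may be stored. Returns (ok, reason).

    The filename must be the name the server will actually store, taken from
    the request after any client-side renaming, because that is what the
    bypass in the advisory manipulates.
    """
    # 1. Reject path tricks and control characters before looking at suffixes.
    if (not filename or "\x00" in filename or "/" in filename
            or "\\" in filename or filename.startswith(".")):
        return False, "invalid filename"

    suffixes = all_suffixes(filename)
    if not suffixes:
        return False, "missing extension"

    # 2. The deny list wins even if the admin added "php" to the allow list.
    for s in suffixes:
        if s in EXECUTABLE_SUFFIXES:
            return False, f"executable suffix '{s}' is never allowed"

    # 3. The final suffix decides the type and must be explicitly allowed.
    if suffixes[-1] not in (allowed - EXECUTABLE_SUFFIXES):
        return False, f"suffix '{suffixes[-1]}' not in allow list"

    # 4. Content check: a .txt or image upload carrying PHP tags is rejected.
    if PHP_OPEN_TAG.search(content):
        return False, "content contains PHP code"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, including the case from the advisory where
    # "php" has been added to the allow list.
    admin_widened = DEFAULT_ALLOWED | {"php"}
    for name, data, allow in [
        ("photo.png", b"\x89PNG\r\n\x1a\n", DEFAULT_ALLOWED),
        ("notes.txt", b"plain text", DEFAULT_ALLOWED),
        ("shell.txt", b"<?php echo 'x'; ?>", DEFAULT_ALLOWED),
        ("shell.php", b"<?php echo 'x'; ?>", admin_widened),
        ("shell.php.txt", b"hello", DEFAULT_ALLOWED),
        ("../evil.png", b"x", DEFAULT_ALLOWED),
    ]:
        print(f"{name:15} -> {validate_upload(name, data, allow)}")
```

The point of step 2 is that widening the allow list, which the advisory shows an admin can do through the UI, changes nothing about what the server will store as executable code; step 4 catches the "rename to .txt first" trick even when the final name looks harmless.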

parameter

1. Attack Vector: Network
2. Attack Complexity: Low
3. Privileges Required: High (administrator rights are needed)
4. User Interaction: None
5. Confidentiality: High
6. Integrity: High
7. Availability: High

POC

1. This is the upload configuration page of RGCMS V1.06 in the back-end content management, where we can see the "Allow upload file suffix" section.

2. Add "php" to the "Allow upload file suffix" section.

3. Then go to "Content" (内容) - "Information Management" (信息管理) - "Column Content" (栏目内容) - "News" (新闻资讯), and try to edit the content.

4. Click the file upload button and choose a webshell file whose suffix has been changed to ".txt" to bypass the editor's check.

5. Capture the packet of the upload request and change the suffix to ".php"; as we can see in the following image, the webshell is uploaded successfully.

6. Check the webshell in my computer's directory: yes, it truly succeeded.

7. Use "AntSword" to connect to the webshell.

8. The connection succeeds; this vulnerability is confirmed.
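Because the bypass leaves a `.php` file (or PHP code under a harmless-looking name) in the upload directory, an operator who cannot patch immediately can still detect exploitation by auditing that directory. The following is an added example (not RGCMS's code; the directory layout, file names and the `audit_upload_dir` function are constructed assumptions) that walks an upload tree and reports executable extensions, double extensions containing `php`, PHP open tags inside non-PHP files, and `.htaccess` files that could re-map handlers. The `build_sample_dir` helper only creates a throwaway tree so the audit can be run offline.

```python
import re
import tempfile
from pathlib import Path

# Suffixes a PHP web server will typically execute; any such file under an
# upload directory is a finding regardless of how it got there.
EXECUTABLE = {".php", ".php3", ".php4", ".php5", ".php7",
              ".phtml", ".phar", ".pht", ".phps"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def audit_upload_dir(root: str) -> list[tuple[str, str]]:
    """Walk an upload directory and return (relative POSIX path, reason) findings."""
    findings = []
    base = Path(root)
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(base).as_posix()

        # A stray .htaccess can make Apache treat other suffixes as PHP.
        if path.name == ".htaccess":
            findings.append((rel, "htaccess in upload dir"))
            continue

        # path.suffixes gives every dotted suffix, so "x.php.txt" is caught too.
        if any(s.lower() in EXECUTABLE for s in path.suffixes):
            findings.append((rel, "executable extension"))
            continue

        # Only the first 64 KiB are read: enough to see an open tag near the
        # top of a file and cheap on large images.
        with path.open("rb") as fh:
            head = fh.read(65536)
        if PHP_TAG.search(head):
            findings.append((rel, "php code under non-php extension"))
    return findings


def build_sample_dir() -> str:
    """Create a throwaway upload tree with benign and suspicious files (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="rgcms_audit_")
    samples = {
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "docs/notes.txt": b"plain text, nothing to see",
        "docs/report.php.txt": b"double extension, flagged by name",
        "images/cover.jpg.php": b"<?php echo 'hello'; ?>",
        "docs/readme.txt": b"<?php echo 'hello'; ?>",
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, why in audit_upload_dir(build_sample_dir()):
        print(f"{why:35} {rel}")
```

Run against the real upload root this reports three of the five constructed files; the benign PNG and plain text file stay silent. Pairing such an audit with a web server rule that refuses to execute anything under the upload directory removes the impact of the bypass even before the suffix setting is fixed.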
