CVE-2018-20718 PoC — Pydio Injection Vulnerability

Associated Vulnerability
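Title: Pydio Injection Vulnerability (CVE-2018-20718)
Description: Pydio (formerly AjaXplorer) is a web-based remote file manager. It supports uploading and downloading files, online file editing, image preview, and more. A security vulnerability exists in Pydio versions before 8.2.2; it stems from the program allowing users to store preferences using the $phpserial$a:0:{} syntax. An attacker can exploit this vulnerability via a file's public link to take control of shared files and execute code.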
Readme
# CVE-2018-20718
This is a POC for CVE-2018-20718. It is a PHP Object injection vulnerability. The vulnerability affects all versions of Pydio before 8.2.1 and leads to Unauthenticated Remote Code Execution. It was originally found by RIPS.

I found a gadget in Pydio\Core\Controller\ShutdownScheduler which allows remote code execution if combined with the already known GuzzleHttp\Psr7\FnStream gadget.

**Example of exploitation**

![image](https://user-images.githubusercontent.com/8191240/61220331-63620c80-a716-11e9-9656-932f51553541.png)
![image](https://user-images.githubusercontent.com/8191240/61220336-65c46680-a716-11e9-9180-9fa5225e3da2.png)

**Technical details**

https://blog.ripstech.com/2018/pydio-unauthenticated-remote-code-execution/
File Snapshot

[4.0K] /data/pocs/4c79ed94c819a8695a7d67075e2ba14eba800ec2
├── [ 852] CVE_2018_20718.py
└── [ 752] README.md

0 directories, 2 files