CVE-2018-19422 PoC — Subrion CMS 安全漏洞

Source

https://github.com/Swammers8/SubrionCMS-4.2.1-File-upload-RCE-auth-

Associated Vulnerability

Title:Subrion CMS 安全漏洞 (CVE-2018-19422)
Description:Subrion CMS是Subrion团队开发的一套基于PHP的内容管理系统（CMS）。该系统可被集成到网站，并支持多种扩展插件等。 Subrion CMS 4.2.1版本中的/panel/uploads存在安全漏洞，该漏洞源于.htaccess文件没有禁止对pht和phar文件的执行操作。远程攻击者可借助.pht或.phar文件利用该漏洞执行任意的PHP代码。

Description

This is an edited version of the CVE-2018-19422 exploit to fix an small but annoying issue I had.

Readme

# SubrionCMS-4.2.1-File-upload-RCE-auth-
This is an edited version of the CVE-2018-19422 exploit to fix an small but annoying issue I had.

I had to use this exploit in a CTF but I could not get it to properly exploit, just kept failing to login. After an unholy amount of time I finally figured out why. It was an issue with the url argument. When I specified a url, the program automatically assumed that I would end it with a / which I didn’t do.
What I was doing:
http://example.com
What I was suppose to do:
http://example.com/

What annoyed me even further was that even in the help menu the example is:
http://target-url/panel
Doesn’t end in a backslash but the program won’t work if you specify the url like this.
So I made a quick edit that checks the last character of the url arg to make sure that it ends with a slash.

File Snapshot


 [4.0K]  /data/pocs/821dc0bde9626f9f3120efed8d7cf8af92375308
├── [5.9K]  exploit.py
└── [ 837]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!