CVE-2019-10647 PoC — ZZZCMS zzzphp 代码注入漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2019-10647.yaml

Associated Vulnerability

Title:ZZZCMS zzzphp 代码注入漏洞 (CVE-2019-10647)
Description:ZZZCMS zzzphp是一套内容管理系统（CMS）。 ZZZCMS zzzphp v1.6.3版本中存在代码注入漏洞，该漏洞源于外部输入数据构造代码段的过程中，网络系统或产品未正确过滤其中的特殊元素。攻击者可利用该漏洞生成非法的代码段，修改网络系统或组件的预期的执行控制流。

Description

ZZZCMS zzzphp v1.6.3 contains a remote code execution caused by lack of restrictions in inc/zzz_file.php, letting attackers execute arbitrary PHP code via a crafted URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter, exploit requires attacker to send malicious URL and server to serve PHP code as plain text.

File Snapshot


 id: CVE-2019-10647

info:
  name: ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE)
  author: So

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!