Code Injection in flatcore/flatcore-cms

Status: Valid

Reported on Oct 11th 2021

Description

Bypass of the fix for the remote code execution issue reported in https://github.com/flatCore/flatCore-CMS/issues/59

The following payload closes the generated string literal with a double quote, uses . for PHP string concatenation, and uses the backtick character (PHP's shell-execution operator) to execute system commands.

Proof of Concept

  1. Insert the following as the Permalink value:
     lol".`whoami>pwned.txt`."
  2. Go to http://10.0.2.15/flatCore-CMS/content/cache/cache_lastedit.php to execute the payload, then check the filesystem to see pwned.txt.

Impact

This vulnerability is capable of blind remote command execution as the admin user.

haxatron modified their report 2 months ago

haxatron (Researcher), 2 months ago:

http://10.0.2.15/flatCore-CMS/content/cache/active_urls.php also works. Additionally, all other vulnerabilities reported work in the develop branch.

Patrick validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick confirmed that a fix has been merged on a2688a 2 months ago
Patrick has been awarded the fix bounty
functions.php#L388-L399 has been validated
hi-unc1e, 2 months ago:

Can we use ${} to execute a command? e.g.

lol".${reboot}."
hi-unc1e, 2 months ago:

Sorry, I misunderstood the use, but I DO think that $ should be escaped as well.

haxatron (Researcher), 2 months ago:

Agreed ^

$ can be used to inject existing PHP variables, which may lead to a bypass.
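The root cause discussed in the report and in the thread above is the same: a user-controlled value is written into a generated PHP file inside a double-quoted string literal, so a " in the value ends the literal, and in a double-quoted context $ and {$...} would be interpolated even if " were escaped. The following is an added example, not flatCore-CMS's own code; the function names and the cache-file layout are hypothetical and only mirror the pattern the report describes. It contrasts the unsafe generator with one that uses var_export(), which emits a single-quoted literal where only \ and ' are escaped, so ", ., backticks and $ all remain inert text.

```php
<?php
// Added example (hypothetical, not flatCore-CMS code): generating a PHP
// cache file that stores a user-supplied permalink.

// Unsafe pattern: the value is dropped into a double-quoted literal with no
// escaping. A " in the value terminates the literal and whatever follows is
// parsed as PHP (concatenation with ., backtick execution, $var interpolation).
function buildCacheUnsafe(string $permalink): string
{
    return "<?php\n\$url = \"" . $permalink . "\";\n";
}

// Hardened pattern: var_export() returns a single-quoted PHP literal. Only
// \ and ' are escaped, and single-quoted strings never interpolate $ or {$},
// so the value cannot break out of the literal or reference PHP variables.
function buildCacheSafe(string $permalink): string
{
    return "<?php\n\$url = " . var_export($permalink, true) . ";\n";
}

// Sanity check for the generated file: it should contain exactly one
// assignment, and loading it back must yield the original value unchanged.
function roundTrips(string $permalink): bool
{
    $file = tempnam(sys_get_temp_dir(), 'cache_');
    file_put_contents($file, buildCacheSafe($permalink));
    $url = null;
    include $file;          // sets $url from the generated literal
    unlink($file);
    return $url === $permalink;
}

// Constructed samples shaped like the values discussed in the thread
// (a " breakout with a harmless command, and a $ / {$} interpolation attempt).
$samples = [
    'x".`echo injected`."',
    'lol".${reboot}."',
    'plain-permalink',
];

foreach ($samples as $s) {
    echo "--- unsafe ---\n" . buildCacheUnsafe($s);
    echo "--- safe -----\n" . buildCacheSafe($s);
    echo "round-trips: " . (roundTrips($s) ? 'yes' : 'no') . "\n\n";
}
```

The unsafe output for the first sample reads $url = "x".`echo injected`."";, which is executable PHP, while the safe output reads $url = 'x".`echo injected`."'; and loads back as the literal string. An even simpler design is to avoid generating PHP at all and store such values with json_encode() in a data file read back with json_decode(); the escaping problem then disappears entirely.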