Abusing Backup/Restore feature to achieve Remote Code Execution in microweber/microweber
Mar 9th 2022
An admin can use the Backup module to upload a malicious PHP file, which can lead to RCE.
Proof of Concept
- Log in as admin, navigate to Modules -> Backup:
- Prepare a malicious PHP file, in this case
- Compress this file to info2php.zip, then click Upload your backup.
- After the upload succeeds, click Restore, choose Try to overwrite content by Names & Titles, then click Start Restore
- The system returns Import format not supported
- However, the malicious file info2.php is unzipped and located in /userfiles/, and that malicious PHP file can be accessed by anyone.
Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.
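
The steps above show the archive being unpacked into /userfiles/ even though the import is then rejected as unsupported. As an added example (not Microweber's code or its fix), the PHP 8 code below checks every archive entry before anything is extracted and unpacks only into a staging directory assumed to sit outside the web root; `ALLOWED_EXT`, `rejected_entries`, `restore_backup` and the extension allowlist are assumptions made for illustration.

```php
<?php
// Added example, not Microweber code. Needs PHP 8 with the zip extension.
// ALLOWED_EXT is an assumed allowlist, not the project's list of backup formats.
const ALLOWED_EXT = ['json', 'xml', 'csv'];

// Entries that must block the restore; an empty array means the archive is clean.
function rejected_entries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (str_ends_with($name, '/')) {
            continue; // directory entry, carries no content
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        $escapes = str_contains($name, '..') || str_starts_with($name, '/');
        if ($escapes || !in_array($ext, ALLOWED_EXT, true)) {
            $bad[] = $name;
        }
    }
    $zip->close();
    return $bad;
}

// Validate first, extract second, and only into a directory outside the web root.
function restore_backup(string $zipPath, string $stagingDir): bool
{
    $zip = new ZipArchive();
    if (rejected_entries($zipPath) !== [] || $zip->open($zipPath) !== true) {
        return false; // nothing has been written to disk
    }
    $ok = $zip->extractTo($stagingDir);
    $zip->close();
    return $ok;
}

// Constructed sample: an archive holding a single .php entry, as in the report.
$staging = sys_get_temp_dir() . '/restore_' . bin2hex(random_bytes(4));
mkdir($staging);
$zip = new ZipArchive();
$zip->open("$staging.zip", ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('info2.php', '<?php /* inert placeholder */');
$zip->close();
var_dump(restore_backup("$staging.zip", $staging)); // restore verdict
var_dump(array_diff(scandir($staging), ['.', '..'])); // files left in staging
```

The ordering is the point: the format decision is made from the archive's entry list, so a rejected upload never leaves a file on disk, and an accepted one is unpacked where the web server does not serve or execute it.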