In andrzuk/FineCMS through 2017-07-06, application/core/model/style.php and application/core/model/script.php allow remote attackers to write to arbitrary files. Because the write can target any existing file, an attacker can overwrite a legitimate PHP file with attacker-controlled content and so achieve code execution. The problem code is at lines 48 to 57 of application/core/controller/style.php. The user submits a POST request, and the record array stores the user-supplied filename and contents fields. When the save_button field is passed in, the record array is handed to the save function. Following the save function into application/core/model/style.php: note that line 38 only checks whether the file exists, and then writes the contents. Any existing PHP file in the installation can therefore be replaced with malicious content.
For example, to replace the contents of the file "ajax/getstatus.php" with "<?php phpinfo();", we can POST "contents=<?php phpinfo();&filename=ajax/getstatus.php&savebutton=Zapisz" to "http://localhost/index.php?route=style", as shown in the figure below. After the request is submitted, the contents of "ajax/getstatus.php" are replaced by "<?php phpinfo();".
Then we visit "localhost/ajax/get_status.php". The script.php file works on the same principle as style.php.
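As an added illustration (not FineCMS code), here is the save routine as the advisory describes it, reconstructed hypothetically with only a file_exists() check, next to a hardened version that confines writes to one editable directory and one set of non-executable extensions; the function names and $base_dir parameter are assumptions:

```php
<?php
// Added illustration, not FineCMS code. Reconstructs the shape the advisory
// describes (hypothetical) and shows one way to harden it.

// Vulnerable shape: the only check is that the target already exists, so any
// existing file, including .php files, can be overwritten.
function save_unsafe(array $record): bool
{
    $path = $record['filename'];
    if (!file_exists($path)) {
        return false;
    }
    return file_put_contents($path, $record['contents']) !== false;
}

// Hardened variant: writes are confined to $base_dir (assumed parameter) and
// to an allow-list of extensions, so a user-editable stylesheet form can
// never touch application code.
function save_safe(array $record, string $base_dir, array $allowed_ext = ['css']): bool
{
    $base = realpath($base_dir);
    if ($base === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() resolves symlinks and "..", so a traversal such as
    // "../ajax/getstatus.php" is compared by its real location.
    $target = realpath($base . $record['filename']);
    if ($target === false || strpos($target, $base) !== 0) {
        return false; // missing, or outside the editable directory
    }

    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return false; // e.g. .php is never writable through this form
    }

    return file_put_contents($target, $record['contents']) !== false;
}
```

On a deployment, the same request shown above would then be rejected at the extension check, and a failed save_safe() call is a useful event to log for detection.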