| عنوان | matthewdeaves Willow CMS v1.4.0 Remote Code Execution |
|---|
| الوصف | The "Add Image" function suffers from an Insecure File Upload vulnerability, allowing an authenticated attacker to upload arbitrary executable files, leading to Remote Code Execution (RCE). The system's file type verification mechanism is insufficient and can be bypassed by manipulating the file's header.
Proof of Concept (PoC)
1 - The attacker requires Administrative Privileges to access the vulnerable endpoint: http://target.com/admin/images/add.
2 - A malicious PHP webshell payload is created.
3 - To evade the file type check, the attacker "crafts" the PHP file by prepending the JPEG Magic Numbers (FF D8 FF E0 or similar, such as FF D8 FF EE) to the start of the PHP code. This simulates a valid JPEG file header.
4 - The disguised payload is uploaded via the "Add Image" function.
5 - The server accepts the file as a seemingly valid image and stores it on the host.
6- By accessing the direct URL of the uploaded file, the PHP script is executed by the web server, granting the attacker a webshell and Direct RCE on the host.
Video: https://www.youtube.com/watch?v=zacD0QLUYs8 |
|---|
| المصدر | ⚠️ https://github.com/matthewdeaves/willow/issues/132 |
|---|
| المستخدم | RiccK (UID 91602) |
|---|
| ارسال | 14/10/2025 02:07 AM (8 أشهر منذ) |
|---|
| الاعتدال | 27/10/2025 01:13 PM (14 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 330116 [Willow CMS حتى 1.4.0 /admin/images/add تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|