Submission #280599: TemmokuMVC TemmokuMVC <=2.3 Arbitrary File Creation - Info

Title: TemmokuMVC TemmokuMVC <=2.3 Arbitrary File Creation
Description: The TemmokuMVC system, version 2.3 and below, has an Arbitrary File Creation vulnerability in the images_get_down.php file. This vulnerability arises from the system parsing and downloading all image tags in an article to local storage, including URLs with a PHP suffix. An attacker can exploit this by starting a server that responds with PHP code disguised as an image, which gets saved on the server. The attacker can then brute force the filename to execute the arbitrary PHP code, leading to Remote Code Execution (RCE).
Source: ⚠️ https://note.zhaoj.in/share/OrBH8zLKUPOA
User: glzjin (UID 59815)
Submission: 2024-02-11 16:15 (2 years ago)
Moderation: 2024-02-22 15:35 (11 days later)
Status: Accepted
VulDB entry: 254532 [TemmokuMVC up to 2.3 Image Download lib/images_get_down.php get_img_url/img_replace privilege escalation]
Points: 20
