| タイトル | matthewdeaves Willow CMS v1.4.0 Remote Code Execution |
|---|
| 説明 | The "Add Image" function suffers from an Insecure File Upload vulnerability, allowing an authenticated attacker to upload arbitrary executable files, leading to Remote Code Execution (RCE). The system's file type verification mechanism is insufficient and can be bypassed by manipulating the file's header.
Proof of Concept (PoC)
1 - The attacker requires Administrative Privileges to access the vulnerable endpoint: http://target.com/admin/images/add.
2 - A malicious PHP webshell payload is created.
3 - To evade the file type check, the attacker "crafts" the PHP file by prepending the JPEG Magic Numbers (FF D8 FF E0 or similar, such as FF D8 FF EE) to the start of the PHP code. This simulates a valid JPEG file header.
4 - The disguised payload is uploaded via the "Add Image" function.
5 - The server accepts the file as a seemingly valid image and stores it on the host.
6- By accessing the direct URL of the uploaded file, the PHP script is executed by the web server, granting the attacker a webshell and Direct RCE on the host.
Video: https://www.youtube.com/watch?v=zacD0QLUYs8 |
|---|
| ソース | ⚠️ https://github.com/matthewdeaves/willow/issues/132 |
|---|
| ユーザー | RiccK (UID 91602) |
|---|
| 送信 | 2025年10月14日 02:07 (8 月 ago) |
|---|
| モデレーション | 2025年10月27日 13:13 (14 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 330116 [Willow CMS 迄 1.4.0 /admin/images/add 特権昇格] |
|---|
| ポイント | 20 |
|---|