| Title | matthewdeaves Willow CMS v1.4.0 Remote Code Execution |
|---|---|
| Description | The "Add Image" function suffers from an Insecure File Upload vulnerability, allowing an authenticated attacker to upload arbitrary executable files, leading to Remote Code Execution (RCE). The system's file type verification mechanism is insufficient and can be bypassed by manipulating the file's header.<br><br>Proof of Concept (PoC)<br>1 - The attacker requires Administrative Privileges to access the vulnerable endpoint: http://target.com/admin/images/add.<br>2 - A malicious PHP webshell payload is created.<br>3 - To evade the file type check, the attacker "crafts" the PHP file by prepending the JPEG Magic Numbers (FF D8 FF E0 or similar, such as FF D8 FF EE) to the start of the PHP code. This simulates a valid JPEG file header.<br>4 - The disguised payload is uploaded via the "Add Image" function.<br>5 - The server accepts the file as a seemingly valid image and stores it on the host.<br>6 - By accessing the direct URL of the uploaded file, the PHP script is executed by the web server, granting the attacker a webshell and Direct RCE on the host.<br><br>Video: https://www.youtube.com/watch?v=zacD0QLUYs8 |
| Source | https://github.com/matthewdeaves/willow/issues/132 |
| User | RiccK (UID 91602) |
| Submitted | 2025-10-14 02:07 AM (8 months ago) |
| Moderation | 2025-10-27 01:13 PM (14 days later) |
| Status | Accepted |
| VulDB Entry | 330116 [Willow CMS up to 1.4.0 /admin/images/add privilege escalation] |
| Points | 20 |