| Title | PHPEMS PHPEMS 6/7 验证绕过 && RCE |
|---|
| Description | The encryption and decryption logic of PHPEMS Session uses a Key to encrypt and decrypt Session data. However, there are loopholes in the encryption and decryption algorithm. The key can be restored externally through calculation. By obtaining this key, you can forge data and send it to the server for deserialization. During deserialization, you can find the chain and perform SQL injection operations, thereby tampering with the database and forging an administrator session. After logging in, enable the topic module and edit the template to execute malicious code. |
|---|
| Source | ⚠️ https://note.zhaoj.in/share/jw4Hp9cq7T69 |
|---|
| User | glzjin (UID 59815) |
|---|
| Submission | 12/07/2023 19:15 (3 years ago) |
|---|
| Moderation | 12/09/2023 21:40 (2 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 247357 [PHPEMS 6.x/7.x/8.x/9.0 Session Data lib/session.cls.php deserialization] |
|---|
| Points | 20 |
|---|