JIZHICMS V2.5 has background Arbitrary File Downloads causing RCE

[Hehanzzz]

Vulnerability recurrence：

1. Construct a PHP sentence and then compress it in zip format through the compressed package

2. Upload the zip to the VPS server and use python on the VPS to start an http service

3. Log in to the website backend, find Extension Management -> Plug-in List, and search for an uninstalled plug-in to download in the operations on the right side of the page (and capture packets through Burp at the same time)

4. Copy the URL of the compressed package file on the VPS, replace the download_url parameter with the zip link address on your VPS, and release the packet (but do not turn off interception, because there are still several packet URLs that need to be replaced)

Such as：

5. Then repeat this operation to replace all the urls originally specified to down.jizhicms.cn

You can see that this request was returned on the VPS

6. Then visit the vulnerable website, the directory is /app/admin/exts/ plus the file name of the PHP one-sentence Trojan constructed in the first step

Vulnerability analysis:
In the update method in the file located at app/admin/c/PluginsController.php, $remote_url does not perform a security check on the url, which allows any zip file to be downloaded remotely and decompressed as can be seen in the code behind.

According to the code on line 719, we can know that the downloaded and decompressed file is stored under app/admin/exts

[Hehanzzz]

This vulnerability was reported by Hehanzzz

[chenjingruhai]

6