There is a "Unsafe Unzip" vulnerability that can get webshell #13

fupinglee · 2018-06-27T10:03:08Z

ver: V4.0.20180210
using a specially crafted zip archive, that holds path traversal filenames.when you used unzip method you will get a shell

a zip looks like this:

the path you will get from there:

(so,your website true path is 'C:\tomcat\apache-tomcat-7.0.81\apache-tomcat-7.0.81\webapps\publiccms')

upload and unzip

'cmd.jsp' will write into your server

Execute the command

shell.zip

unh3x · 2018-06-28T01:07:15Z

So it's a shell upload in background, requires administrator authorization?

fupinglee · 2018-06-28T01:24:39Z

@unh3x
need open upload and unzip

bugfix

Unsafe Unzip bug fix

sanluan · 2018-06-28T02:36:39Z

After fixing the bug，a zip file like this:

Upload and decompress or decompress here

The files will be put here when they are decompress

The files will be put here when they are decompress here

sanluan added a commit that referenced this issue Jun 28, 2018

https://github.com/sanluan/PublicCMS/issues/13

6f177df

bugfix

sanluan added a commit that referenced this issue Jun 28, 2018

https://github.com/sanluan/PublicCMS/issues/13

f5e6eae

Unsafe Unzip bug fix

sanluan added a commit that referenced this issue Jun 28, 2018

#13 Unsafe Unzip bug fix

c19fe66

sanluan closed this as completed Jun 29, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

There is a "Unsafe Unzip" vulnerability that can get webshell #13

There is a "Unsafe Unzip" vulnerability that can get webshell #13

fupinglee commented Jun 27, 2018

unh3x commented Jun 28, 2018

fupinglee commented Jun 28, 2018

sanluan commented Jun 28, 2018

There is a "Unsafe Unzip" vulnerability that can get webshell #13

There is a "Unsafe Unzip" vulnerability that can get webshell #13

Comments

fupinglee commented Jun 27, 2018

unh3x commented Jun 28, 2018

fupinglee commented Jun 28, 2018

sanluan commented Jun 28, 2018