LightCMS1.3.5- Arbitrary File Reading & RCE Vulnerability


Environment Setup (Kali)

Personal environment configuration: php7.4.15 + mysql8.0.25
  1. First, make sure composer is installed on the system; you can refer to the article I wrote earlier: article link
  2. Download the source code
cd /var/www/html
git clone
cd lightCMS
composer install
  3. Set directory permissions: the storage/ and bootstrap/cache/ directories require write permissions.
sudo chmod 777 -R storage/ bootstrap/cache/
  4. Create a new environment configuration and configure the database and other related settings
cp .env.example .env

CREATE USER 'homestead'@'localhost' IDENTIFIED BY 'secret';
GRANT ALL PRIVILEGES ON *.* TO 'homestead'@'localhost';
Initialize the system
php artisan migrate --seed

1. If the vendor directory cannot be generated when installing the components, you can run the composer install --ignore-platform-reqs command
step1: php -v
step2: Install the php mysql extension
php 7.x: sudo apt-get install php7.x-mysql
step3: service apache2 restart
step4: php artisan migrate
  5. Admin panel address: /admin/login
The graphical captcha may fail to display here; in the terminal run: apt-get install php7.x-gd

Vulnerability Reproduction

Exploitation point one

Log in as administrator with admin/admin.
Visit http://ip/admin/neditor/serve/catchimage and POST file=file:///etc/passwd; the response then contains the saved file.
Then simply visit the link address given in the returned value directly.

Exploitation point two

Directly upload a php file for RCE: construct a php script, place it on a VPS, have the endpoint fetch it, and then access the saved file.

Vulnerability analysis

This vulnerability lies in the remote image download function in app/Http/Controllers/Admin/NEditorController.php.
Here file_get_contents is simply used to obtain and save the content of the file, so we can use the file protocol to achieve arbitrary file reading and other SSRF operations. What is more dangerous is that the logic saves the file with whatever suffix the requested file name has, so we can put a one-line php script on a server and then request the saved file to get a shell.
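The fix a maintainer would want for the pattern just described, shown as an added example that is not LightCMS's own code: fetchRemoteImage() and $uploadDir are assumed names. It allowlists http/https, refuses internal addresses, caps transfer size and time, and takes the saved extension from the sniffed image type rather than from the URL.

```php
<?php
// Added example, not LightCMS code: a hardened replacement for the remote-image
// fetch described above. fetchRemoteImage() and $uploadDir are assumed names.
function fetchRemoteImage(string $url, string $uploadDir): ?string
{
    $parts = parse_url($url);
    // 1. Scheme allowlist: rejects file://, php://, data:, gopher:// and friends.
    $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    // 2. Resolve the host and refuse loopback, private and link-local targets (SSRF).
    $ip = gethostbyname($parts['host']);
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null;
    }
    // 3. Fetch with cURL under a timeout and size cap instead of a bare file_get_contents().
    $maxBytes = 5 * 1024 * 1024;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect could re-target an internal host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes,
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if (!is_string($body) || $status !== 200 || strlen($body) > $maxBytes) {
        return null;
    }
    // 4. Extension comes from the sniffed content, never from the URL's suffix.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    if (!isset($allowed[$mime]) || @imagecreatefromstring($body) === false) {
        return null;
    }
    // 5. Server-chosen random name: the client controls neither name nor suffix.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $path = rtrim($uploadDir, '/') . '/' . $name;
    return file_put_contents($path, $body) === false ? null : $path;
}
```

The host is resolved once here and again by cURL, so a DNS-rebinding window remains; pinning the checked address with CURLOPT_RESOLVE closes it.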