As discussed in Part 1 of this series, [BugHunt] Authenticated RCE found in HorizontCMS — Part 1 (Malicious Plugins), we found a way to bypass the patched PHP file-type restrictions and upload a .php file. However, we were not able to get the uploaded PHP file executed.
So we decided to take a different route, choosing other file types to upload in order to gain PHP code execution on the application.
As mentioned in Part 1, the original file upload vulnerability (CVE-2020-27387) was remediated by restricting PHP extensions; however, we discovered that the filter could be bypassed by uploading an arbitrary .htaccess file together with *.hello files in order to execute PHP code and gain RCE.
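Two defensive checks for this bypass class, written as an added example for this write-up (not HorizontCMS code): an allow-list filename validator that rejects dotfiles such as .htaccess instead of block-listing .php, and an audit helper that flags .htaccess directives mapping extra extensions to a PHP handler. The allowed-extension set and the sample .htaccess text in the test are constructed.

```python
import re
from pathlib import PurePosixPath

# Extensions a CMS media uploader legitimately needs (assumption for this example).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

# Apache directives that a user-controlled .htaccess can use to make files with an
# otherwise harmless extension (e.g. *.hello) be processed as PHP.
HANDLER_RE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler|ForceType)\s+(\S+)(.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def is_allowed_upload_name(filename: str) -> bool:
    """Allow-list check for an upload name.

    Rejects path components, NUL bytes, dotfiles (.htaccess, .user.ini), names
    with more than one extension (Apache mod_mime can match inner extensions),
    and any final extension not on the allow-list. Block-listing '.php', which
    is what the original patch did, is exactly what the bypass defeated.
    """
    name = PurePosixPath(filename).name
    if name != filename or name.startswith(".") or "\x00" in name:
        return False
    if name.count(".") != 1:
        return False
    return PurePosixPath(name).suffix.lower() in ALLOWED_EXTENSIONS


def php_handler_overrides(htaccess_text: str) -> list[str]:
    """Return the extensions an .htaccess maps to a PHP handler/type ('*' when a
    SetHandler/ForceType applies to every file), so upload directories can be
    audited for the '*.hello' style override described above."""
    found: list[str] = []
    for directive, target, rest in HANDLER_RE.findall(htaccess_text):
        if "php" not in target.lower():
            continue  # e.g. AddType image/png .png is harmless
        if directive.lower() in ("sethandler", "forcetype"):
            found.append("*")
        else:
            found.extend(tok.lower() for tok in rest.split() if tok.startswith("."))
    return found
```

Pair these checks with `AllowOverride None` on the upload directory so a stray .htaccess is ignored by Apache even if the validator is bypassed.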
http://<HorizontCMS IP>/admin/login