IT security expert company: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2019-6713

Description

app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code by using vectors involving portal/List/index and list/:id to inject this code into data\conf\route.php, as demonstrated by a file_put_contents call.

POC

Reference

No PoCs from references.

Github
