Klog Server Unauth RCE (CVE-2020-35729)

The 'authenticate.php' file passes the 'user' HTTP POST parameter to the PHP 'shell_exec()' function without appropriate input validation, allowing arbitrary command execution as the apache user.
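
The pattern described above, next to one way to close it. This is an added example, not Klog Server's code and not from the original page; the helper path AUTH_HELPER and all function names are hypothetical.

```php
<?php
// Added illustration, NOT Klog Server source code.
// AUTH_HELPER and all function names are hypothetical.
const AUTH_HELPER = '/usr/local/bin/auth-helper';

// Vulnerable pattern: the request value becomes part of a shell command line,
// so the shell interprets any metacharacters it contains.
function check_user_vulnerable($user)
{
    return shell_exec(AUTH_HELPER . ' ' . $user);
}

// Allowlist: 1 to 64 characters from a fixed set. \A and \z anchor the whole
// string, so a trailing newline is rejected; a leading '-' is refused so the
// value cannot be read as an option by the helper.
function is_valid_user($user): bool
{
    return is_string($user)
        && preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $user) === 1
        && $user[0] !== '-';
}

// Hardened: validate first, then start the helper without a shell. The array
// form of proc_open() (PHP 7.4+) passes each element as one argv entry.
function check_user_hardened($user): string
{
    if (!is_valid_user($user)) {
        throw new InvalidArgumentException('invalid user name');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open([AUTH_HELPER, '--', $user], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start helper');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (string) $out;
}

// Constructed sample values for the validator (no helper is executed here).
foreach (['alice', 'bob@example.com', 'alice;x', "alice\n", '-v', ''] as $v) {
    printf("%-20s %s\n", json_encode($v), is_valid_user($v) ? 'accept' : 'reject');
}
```

Validation and shell-free execution are independent controls: the allowlist rejects unexpected input early, and the array form of proc_open() keeps a value that slips past it from being parsed by a shell.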

Affected Version: ≤2.4.1

FOFA query rule: title="KLog Server" && body="authenticate.php"

Demo