### [CVE-2019-6713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6713)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code by using vectors involving portal/List/index and list/:id to inject this code into data\conf\route.php, as demonstrated by a file_put_contents call.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/17734027950/thinkcmf
- https://github.com/2499659968/mychen
- https://github.com/365807072/gdr
- https://github.com/405149071/thinkcmf5.1
- https://github.com/670600971/thinkcmf
- https://github.com/CrowdYellow/thinkcmf
- https://github.com/JeasonLaung/mmp
- https://github.com/Pein-mo/cuishou
- https://github.com/Pengchu/system
- https://github.com/RuanShan/ruanshan_psite
- https://github.com/SummerMMC/gxzbxh
- https://github.com/binggejiao/thinkcmf
- https://github.com/bo-ouyang/mall
- https://github.com/bomzhi/thinkcmf
- https://github.com/cp930725/exchange
- https://github.com/cp930725/jiaoyisuo
- https://github.com/cspangge/admin
- https://github.com/degle123/cmf
- https://github.com/elon-funs/mesSystem
- https://github.com/elon-funs/trace
- https://github.com/felixyin/beer_3dview
- https://github.com/frozenfirefox/learn
- https://github.com/gongweisong/haotian
- https://github.com/haodaxia/cmf
- https://github.com/haodaxia/thinkcmf
- https://github.com/jianzi0307/sendmail
- https://github.com/jilinskycloud/IOT_server_Web
- https://github.com/jlmolpklo/niu
- https://github.com/kimcastle/thinkcmf
- https://github.com/kongbai18/cmftest
- https://github.com/lenyueocy/thimkcmf
- https://github.com/liuqian1115/cpoeSystem
- https://github.com/loopoxs/web
- https://github.com/luandly/thinkcmf
- https://github.com/lym360722/TC
- https://github.com/new-asia/thinkcmf
- https://github.com/qq951169144/thinkcmf
- https://github.com/ring888/meikuang
- https://github.com/shushengqiutu/thinkcmfcloud
- https://github.com/shuyekafeiting/jw163
- https://github.com/smart817/abc
- https://github.com/suu1923/yccms
- https://github.com/tthxn/thinkcmf51
- https://github.com/ttzhanghuiyuan/leshare
- https://github.com/wangmode/site_system
- https://github.com/wilgx0/tp_im
- https://github.com/willzhao158/dangjian
- https://github.com/xialonghao/CMF
- https://github.com/xialonghao/draw
- https://github.com/xiaokongtongzhi/zhengcai
- https://github.com/xunexploit/huicheng.zexploit.com
- https://github.com/yaksun/whab
- https://github.com/yukinohatsune/UP2U_web
- https://github.com/zcatch/thinkcmf
- https://github.com/zhangxianhao418/fenrun
- https://github.com/zhaobingjie/thinkcmf
- https://github.com/zhnagpaigit/thinkcmf5.16
- https://github.com/zhuqianqq/thinkcmf
- https://github.com/zhuweiheng/chaowang
- https://github.com/zhuweiheng/tengma
- https://github.com/zhuweiheng/thinkcmf
- https://github.com/zy1720/gateway
- https://github.com/zylteam/crm
- https://github.com/zylteam/ml