mirror of
https://github.com/0xMarcio/cve.git
synced 2025-11-30 18:56:19 +00:00
1.3 KiB
1.3 KiB
CVE-2019-12170
Description
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.
POC
Reference
- http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html
- https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File
Github
- https://github.com/0xT11/CVE-POC
- https://github.com/ARPSyndicate/cvemon
- https://github.com/anquanscan/sec-tools
- https://github.com/developer3000S/PoC-in-GitHub
- https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit
- https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File
- https://github.com/hectorgie/PoC-in-GitHub