wityCMS is a lightweight Content Management System (CMS) written in PHP and organised along Model-View-Controller lines. With this vulnerability an attacker might include local PHP files or read non-PHP files.

/system/WCore/WHelper.php

```php
// Excerpt of WHelper::load() from /system/WCore/WHelper.php (the rest of the
// method is not shown in this writeup).
public static function load($helper_name, array $params = array()) {
    // Build the helper directory path from the helper name
    $helper_dir = HELPERS_DIR.$helper_name.DS;
    // Check that the helper directory exists (by looking for its manifest)
    if (!file_exists($helper_dir.'helper.json')) {
        throw new Exception("Helper ".$helper_name." cannot be found in ".HELPERS_DIR);
    }
    // Check whether the helper has already been included
    if (!isset(self::$helpers_loaded[$helper_name])) {
        // Load the helper's loading scheme from helper.json
        $helper = json_decode(file_get_contents($helper_dir.'helper.json'), true);
        // Record the helper in the loaded table
        self::$helpers_loaded[$helper_name] = array(
            'class' => $helper['class'],
            'params_expected' => count($helper['params'])
        );
        // Include the helper main file containing the class to instantiate.
        // The 'file' value is taken from helper.json without validation.
        include_once HELPERS_DIR.$helper_name.DS.$helper['file'];
        // ...
    }
    // ...
}
```

Take the phpmailer helper as an example:

```php
$helper_dir = '/helpers/phpmailer/';

$helper = json_decode(file_get_contents('/helpers/phpmailer/helper.json'), true);
```

/helpers/phpmailer/helper.json:

```json
{
    "file": "class.phpmailer.php",
    "class": "PHPMailer",
    "params": []
}
```

```php
HELPERS_DIR.$helper_name.DS.$helper['file'] = '/helpers/phpmailer/class.phpmailer.php'
```

As we can see, if we can upload a helper.json file that replaces the original one, the "file" value it names is included, so we can execute PHP code.

Files can be uploaded, renamed, deleted and moved via Roxy Fileman.

Remove /helpers/phpmailer/helper.json:

[screenshot: delete]

Upload test.txt:

By passing the value /upload/../helpers/phpmailer/ in the d parameter, the file is uploaded successfully into the helper directory.

[screenshot: upload_txt]

Upload helper.json:

[screenshot: upload_json]

Submit the contact form via Burp Suite:

[screenshot: submit]

[screenshot: burpsuite]
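The root cause in the load() snippet above is that both the helper name and the "file" value read from helper.json reach include_once unchecked. The following hardened loader is an added example, not wityCMS's own code; it assumes the HELPERS_DIR and DS constants from the original snippet and uses a hypothetical class name.

```php
<?php
// Added example, not wityCMS code: a hardened version of WHelper::load().
// Assumes the HELPERS_DIR and DS constants from the original snippet.
class SafeHelperLoader {
    private static $helpers_loaded = array();
    // Helper names are identifiers: no slashes, dots or traversal sequences.
    private static function validHelperName($name) {
        return is_string($name) && preg_match('/^[A-Za-z0-9_]+$/', $name) === 1;
    }
    // True only if $path resolves (after symlinks and "..") to a location below $base.
    private static function insideDir($path, $base) {
        $real = realpath($path);
        $realBase = realpath($base);
        if ($real === false || $realBase === false) {
            return false;
        }
        $realBase = rtrim($realBase, DS) . DS;
        return strncmp($real, $realBase, strlen($realBase)) === 0;
    }
    public static function load($helper_name, array $params = array()) {
        if (!self::validHelperName($helper_name)) {
            throw new InvalidArgumentException('Invalid helper name');
        }
        $helper_dir = HELPERS_DIR . $helper_name . DS;
        $manifest   = $helper_dir . 'helper.json';
        if (!is_file($manifest) || !self::insideDir($manifest, HELPERS_DIR)) {
            throw new Exception('Helper ' . $helper_name . ' cannot be found');
        }
        if (!isset(self::$helpers_loaded[$helper_name])) {
            $helper = json_decode(file_get_contents($manifest), true);
            // helper.json lives on disk where a file manager may overwrite it, so treat
            // "file" as untrusted: a bare *.php filename that exists in this helper's dir.
            $file = isset($helper['file']) ? $helper['file'] : '';
            if (!is_string($file) || basename($file) !== $file
                || substr($file, -4) !== '.php'
                || !self::insideDir($helper_dir . $file, $helper_dir)) {
                throw new Exception('Helper ' . $helper_name . ' has an invalid manifest');
            }
            self::$helpers_loaded[$helper_name] = array(
                'class'           => isset($helper['class']) ? $helper['class'] : null,
                'params_expected' => isset($helper['params']) ? count($helper['params']) : 0,
            );
            include_once $helper_dir . $file;
        }
        return self::$helpers_loaded[$helper_name];
    }
}
```

This only closes the loader side: the traversal through the file manager's d parameter still has to be fixed in Roxy Fileman's path handling, and the helpers directory should not be writable by the web server user at all.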