In PESCMS Team 2.2.1, attackers may upload and execute arbitrary PHP code through /Public/?g=Team&m=Setting&a=upgrade by placing a .php file in a ZIP archive. More details: https://github.com/lazyphp/PESCMS-TEAM/issues/2


This page lets the user upgrade the PESCMS system manually.


Following the mtUpgrade function, the uploaded file's extension must be "zip":


and following the unzip function:


Following the simulateInstall function and the install function, we can see that the archive is decompressed into the root directory:


So we can create an evil.php:


compress it as evil.zip, and upload evil.zip:


At last, the system decompresses evil.zip, and evil.php lands in the root directory.

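The root cause above is that the upgrade handler checks only the outer file's ".zip" extension and then extracts every entry into the site root. The following is an added example of how an upgrade handler can vet the archive's contents before extracting anything; it is not PESCMS code, and the function, constant, upload-field and directory names are hypothetical.

```php
<?php
// Added example, not PESCMS code: vet an uploaded upgrade archive before any
// entry is extracted. Names below are hypothetical.

// Extensions a web server may hand to the PHP engine. Every dotted segment of a
// filename is checked, so "evil.php.txt" style names are refused as well.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'pht'];
// Files that change server behaviour if dropped into a served directory.
const BLOCKED_BASENAMES  = ['.htaccess', '.user.ini', 'web.config'];

/**
 * Returns the problems found in the archive; an empty array means it may be
 * extracted. This function writes nothing to disk.
 */
function vetUpgradeArchive(string $zipPath): array
{
    $problems = [];
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['archive could not be opened'];
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Absolute paths, traversal and NUL bytes could place files outside the target.
        if ($name === '' || $name[0] === '/' || strpos($name, '..') !== false || strpos($name, "\0") !== false) {
            $problems[] = "unsafe path: $name";
            continue;
        }
        $base = strtolower(basename($name));
        if (in_array($base, BLOCKED_BASENAMES, true)) {
            $problems[] = "server configuration file: $name";
            continue;
        }
        $segments = explode('.', $base);
        array_shift($segments);               // drop the part before the first dot
        if (array_intersect($segments, BLOCKED_EXTENSIONS) !== []) {
            $problems[] = "executable extension: $name";
        }
    }
    $zip->close();
    return $problems;
}

// Usage: refuse the upgrade unless the archive is clean, and even then unpack
// into a staging directory that the web server does not serve, not the site root.
$upload   = $_FILES['upgrade']['tmp_name'];        // hypothetical upload field
$problems = vetUpgradeArchive($upload);
if ($problems !== []) {
    http_response_code(400);
    exit('Upgrade rejected: ' . implode('; ', $problems));
}
$zip = new ZipArchive();
$zip->open($upload);
$zip->extractTo('/var/pescms-staging/');            // hypothetical path outside the web root
$zip->close();
```

Extension denylists are only a backstop; the stronger control is the last step, extracting into a directory the web server cannot execute from and copying vetted files into place from there.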