UCMS v1.5.0 arbitrary file upload vulnerability leading to a webshell

  • Vulnerability Type :
    V 1.5.0
  • Reproduction environment:
    Windows 10
    PHP 5.4.45
    Apache 2.4.39
  • Vulnerability description and reproduction:
    The upload bug is very simple.
    The vulnerability is in the \ucms_1.5\ucms\sadmin\file.php file, which does not verify the suffix (extension) of the uploaded file. The file is passed directly to the move_uploaded_file function.
    Upload files
    We can use Cknife to get a webshell
    We can also execute system commands
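
The missing check described above is a suffix validation before move_uploaded_file. The following is an added example of a hardened upload routine, not code from UCMS or from the original report; the function name store_upload(), the allowlist, the form field name and the target directory are all assumptions.

```php
<?php
// Hypothetical hardened upload routine; NOT the code from UCMS's file.php.
// Assumed names: store_upload(), the allowlist, and the target directory.

function store_upload(array $file, $targetDir)
{
    // Extension => acceptable MIME types (assumed allowlist; adjust per site).
    $allowed = array(
        'jpg' => array('image/jpeg'),
        'png' => array('image/png'),
        'gif' => array('image/gif'),
        'pdf' => array('application/pdf'),
    );

    // Reject failed uploads and array-valued (multi-file) error fields.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or malformed request.');
    }

    // 1. Check the suffix against the allowlist (the check the report says is absent).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('File extension not allowed.');
    }

    // 2. Check the type detected from the file's bytes, not the
    //    client-supplied $file['type'] header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, $allowed[$ext], true)) {
        throw new RuntimeException('File content does not match extension.');
    }

    // 3. Store under a server-generated name so the client controls neither
    //    the path nor any extra suffix such as "name.php.jpg".
    $name = bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $ext;
    $dest = rtrim($targetDir, '/\\') . DIRECTORY_SEPARATOR . $name;

    // 4. move_uploaded_file() only accepts files received via HTTP POST upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store uploaded file.');
    }
    return $name;
}

// Usage (field name "upfile" and directory are assumptions):
// $stored = store_upload($_FILES['upfile'], __DIR__ . '/uploads');
```

As a second layer, the upload directory should be served with script execution disabled in the web server configuration, so that a file that slips past validation is still not interpreted as PHP.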