Description
Brief of this vulnerability
72crm v9 has an arbitrary file upload vulnerability at the point where the logo is uploaded.
Test Environment
- Windows10
- PHP 5.6.9+Apache/2.4.39
Affected version
72crm v9
Vulnerable Code
application\admin\controller\System.php line 51

Following the call shows that no validate() rule is set and move() is called directly, so no extension or type check is applied and any file can be uploaded.

Following the move() function (which sets the file name), line 352:

Following that function further:
It generates a time-based file name and keeps the extension of the uploaded file name, so a file uploaded with a .php name is saved with a .php suffix.

It then calls move_uploaded_file() with that file name (thinkphp\library\think\File.php line 369).
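To make the chain above concrete, here is an added Python model of it (not code from 72crm or ThinkPHP): the time-based save name that keeps the client's extension, first with no validation, as the write-up describes, and then behind the extension allowlist that a ThinkPHP validate() rule would provide. The allowlist, the helper names and the `logo.` prefix used to rebuild the name are assumptions for the example.

```python
"""Model of the save-name logic the write-up follows (added example)."""
import hashlib
import os
import time
from datetime import datetime, timezone
from typing import Optional

# Extensions the logo upload should accept. Assumed allowlist for this
# example; 72crm's own configuration is not shown on the page.
ALLOWED_IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


class UploadRejected(ValueError):
    """Raised by the hardened path when the upload fails validation."""


def auto_build_name(original_name: str, now: float) -> str:
    """Time-based save name in the style the page describes: a date
    directory plus an md5 of the current time, with the extension of the
    uploaded file name appended. The extension is the only client-controlled
    part, and it is kept verbatim here."""
    stamp = datetime.fromtimestamp(now, timezone.utc).strftime("%Y%m%d")
    digest = hashlib.md5(repr(now).encode()).hexdigest()
    ext = os.path.splitext(original_name)[1]  # includes the dot, or ""
    return f"{stamp}/{digest}{ext}"


def vulnerable_move(original_name: str, now: Optional[float] = None) -> str:
    """System.php as described: move() with no validate() rule, so the
    save name ends in whatever extension the client chose."""
    return auto_build_name(original_name, time.time() if now is None else now)


def hardened_move(original_name: str, now: Optional[float] = None) -> str:
    """Same move behind an extension allowlist, i.e. what a
    validate(['ext' => 'jpg,jpeg,png,gif']) rule enforces before move().
    The check is case-insensitive and looks at the final extension only.
    The save name is rebuilt from the normalised extension, so no part of
    the client's file name (and no double extension) reaches the disk."""
    ext = os.path.splitext(original_name)[1].lstrip(".").lower()
    if ext not in ALLOWED_IMAGE_EXTS:
        raise UploadRejected(f"extension {ext or '(none)'!r} is not an allowed image type")
    return auto_build_name(f"logo.{ext}", time.time() if now is None else now)


def hardened_accepts(original_name: str) -> bool:
    """True if the hardened path would store a file with this name."""
    try:
        hardened_move(original_name, now=0.0)
    except UploadRejected:
        return False
    return True


if __name__ == "__main__":
    for name in ("logo.png", "logo.PNG", "shell.php", "shell.php.png", "shell.png.php", ".htaccess"):
        print(f"{name:16} vulnerable -> {vulnerable_move(name)}")
        print(f"{'':16} hardened   -> {'accepted' if hardened_accepts(name) else 'rejected'}")
```

In the controller itself the equivalent fix is to attach a rule before moving, for example `$file->validate(['ext' => 'jpg,jpeg,png,gif'])->move($path)` in ThinkPHP 5, and, independently of the framework, to configure the web server so that nothing under the upload directory is handed to the PHP handler.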

Vulnerability demonstration
First log in to the admin back end
Click as shown to go to the enterprise management back end

Click this

Upload a picture, intercept the request, and modify its content as follows

Return to the enterprise management back end

Access the image address

The PHP code executes successfully
Note: because the file is uploaded as the logo, users who are not logged in can also reach this PHP file.
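The chain above ends with a PHP file sitting in the publicly served logo directory. As an added example (not code from 72crm), here is a Python triage script an incident responder could run over the upload tree to find such files: it flags non-image extensions (the page's case), image extensions with no image signature, and, going one step beyond the page, valid image headers with PHP tags behind them. The directory layout and file contents are constructed for the demo; the upload root path is an assumption.

```python
"""Upload-directory triage for web shells (added example)."""
import os
import shutil
import tempfile
from typing import List, Optional, Tuple

ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the image formats a logo upload should contain.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
PHP_TAGS = (b"<?php", b"<?=")


def sniff_image(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Walk an upload tree and return (relative path, reason) for every file
    that should not be there. Paths use '/' regardless of platform."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext not in ALLOWED_EXTS:
                findings.append((rel, f"non-image extension {'.' + ext if ext else '(none)'}"))
            elif sniff_image(data) is None:
                findings.append((rel, "image extension but no image signature"))
            elif any(tag in data for tag in PHP_TAGS):
                findings.append((rel, "image signature followed by PHP tags"))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample upload directory for the demo; not real 72crm data."""
    root = tempfile.mkdtemp(prefix="uploads_")
    day = os.path.join(root, "20200913")
    os.makedirs(day)
    samples = {
        "a1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,               # looks like a real image
        "b2.php": b"<?php phpinfo(); ?>",                              # the page's case: .php kept
        "c3.jpg": b"<?= 'not an image' ?>",                            # image extension, PHP body
        "d4.gif": b"GIF89a" + b"\x00" * 16 + b"<?php phpinfo(); ?>",   # polyglot
    }
    for name, body in samples.items():
        with open(os.path.join(day, name), "wb") as fh:
            fh.write(body)
    return root


def demo_findings() -> List[Tuple[str, str]]:
    """Build the sample tree, scan it, clean up, and return the findings."""
    root = build_demo_tree()
    try:
        return scan_uploads(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reason in demo_findings():
        print(f"{rel}: {reason}")
```

Point `scan_uploads()` at the real upload root instead of the demo tree to use it in practice; anything it reports should be pulled for analysis rather than deleted in place, since the file name and timestamp are evidence of when the upload happened.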

