
A file upload vulnerability exists in the background #1

Closed as not planned
@ZackSecurity

Description

  1. Environment construction
    Built with PHPStudy2014 (Nginx+PHP5.3) and Ray CMS 1.5.
    Download from http://www.gxcms.org/
    [screenshot]
    Put the website source code into the web root directory and visit the address to run the installation:
    [screenshot]
    [screenshot]

  2. Vulnerability code audit
    The vulnerability is in the background template management page:
    [screenshot]
    Auditing the page source /views/admin/tpl_add.html shows that the filename is received in `filename` and the file content in `content`; the data is then POSTed to the ?s=Admin/Tpl/Update page for processing:
    [screenshot]
    Tracking the ?s=Admin/Tpl/Update page to its source file /core/Lib/Action/Admin/TplAction.class.php, the Update function receives the filename and content variables and, after receiving them, only checks whether the two variables are empty. Neither the file name nor the file contents are checked for dangerous characters, and the data is written directly to the file using the write_file function, which means there is an arbitrary file upload vulnerability.
    [screenshot]

  3. Exploit the vulnerability
    Log in to the background of the target website using the admin default password admin888, or by password brute-forcing or even phishing; click template management to enter the /template/default/Home directory, select any file and click edit:
    [screenshot]
    On the editing page, enter the PHP test code in the file content form, start the BurpSuite tool to capture the request, and click Submit:
    [screenshot]
    After BurpSuite has captured the request, change the filename suffix to php and then forward the request:
    [screenshot]
    Back in the background website template management, the my_hot_info.php file has been created successfully; visiting the file page shows the PHP test code executing successfully:
    [screenshot]
    [screenshot]
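The root cause above is that the Update handler trusts both the submitted filename and the content before calling write_file. As an added example from the defender's side (this is not code from Ray CMS or from this issue), here is a filename check in PHP that an Update-style handler could run before writing anything to disk; the function name, the template root path and the allowed extension list are assumptions:

```php
<?php
// Added example, not Ray CMS code: validate a template filename before it is written.
// Assumptions: templates live directly under $templateRoot and may only use the
// extensions in $allowedExt (no PHP or other server-executed types).

function validateTemplatePath(string $templateRoot, string $filename, array $allowedExt = ['html', 'htm', 'css', 'js']): ?string
{
    // Reject empty names and NUL bytes (NUL can truncate the name at the filesystem layer).
    if ($filename === '' || strpos($filename, "\0") !== false) {
        return null;
    }
    // No directory components at all: basename() must leave the name unchanged.
    if ($filename !== basename($filename)) {
        return null;
    }
    // Conservative character set and exactly one dot, so double extensions such as
    // "x.php.html" and dot-files such as ".htaccess" are rejected here as well.
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $filename)) {
        return null;
    }
    // Allow-list the extension (case-insensitive, so ".PHP" or ".Html" cannot slip through).
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Resolve the template root so the returned path is absolute and canonical.
    $root = realpath($templateRoot);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    return $root . DIRECTORY_SEPARATOR . $filename;
}

// Usage sketch for an Update-style handler (hypothetical; not the CMS's own API):
// $path = validateTemplatePath('/var/www/html/template/default/Home', $_POST['filename'] ?? '');
// if ($path === null) {
//     http_response_code(400);
//     exit('invalid template filename');
// }
// file_put_contents($path, $_POST['content'] ?? '');
```

The check deliberately validates the name rather than scanning the content: once the extension is restricted to non-executable types and the path is confined to the template directory, the content can be arbitrary template text without becoming server-side code. The web server should still be configured not to execute scripts from the template directory, which limits the blast radius if the allow-list is ever misconfigured.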
