A file upload vulnerability exists in the background #1

Open
Zack-Huang opened this issue Apr 25, 2022 · 1 comment

Comments

@Zack-Huang

1. Vulnerability code audit

The vulnerability appears in the template management page in the background:

[screenshot 1]

The /views/admin/tpl_add.html file receives the file name in the filename field and the file body in the content field, then sends the data to ?s=Admin/Tpl/Update.

[screenshot 2]

Tracking the ?s=Admin/Tpl/Update page to the source file /core/Lib/Action/Admin/TplAction.class.php, the Update function receives the filename and content variables. After receiving the two variables it only checks whether they are empty, then writes the data to the file directly with the write_file function, with no dangerous-character detection on either the file name or the content. This is an arbitrary file upload vulnerability.

[screenshot 3]

2. The exploit

Log in to the background of the target website with the admin default password admin888, by password brute forcing, or even by phishing, click Template Management to enter the /template/default/Home directory, select any file and click Edit:

[screenshot 1]

On the edit page, enter the PHP test code in the file content form, start the BurpSuite tool to capture the request, and click Submit:

[screenshot 2]

After BurpSuite captures the request, change the filename suffix to php and click "Forward":

[screenshot 3]

The My_hot_info.php file was created successfully, and the PHP test code executed successfully.

[screenshot 4]

[screenshot 5]
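For readers fixing the same class of bug, the following is a hardened version of the write path the report describes. It is added here as an illustration and is not code from gxcms or from the reporter; the function names validate_template_name and save_template, the TEMPLATE_ROOT location and the extension whitelist are assumptions. The checks are deliberately lexical (no filesystem access) so they can be unit-tested: the name must be a bare file name with one dot, the extension must be on a whitelist, and the content must not carry a PHP open tag.

```php
<?php
// Added hardening example (not gxcms code). The report's Update handler wrote
// whatever filename/content it received; here both are validated first.
// TEMPLATE_ROOT and ALLOWED_EXT are assumed values for this example.

const TEMPLATE_ROOT = '/var/www/cms/template';
const ALLOWED_EXT   = ['html', 'htm', 'tpl'];

// Returns true only for a bare file name (no path separators, no traversal,
// no double extension such as "x.php.html") with a whitelisted extension.
function validate_template_name(string $filename): bool
{
    if ($filename === '' || basename($filename) !== $filename) {
        return false;                         // contains "/" or "\" or is "."/".."
    }
    if (!preg_match('/^[A-Za-z0-9_\-]+\.([A-Za-z0-9]+)$/', $filename, $m)) {
        return false;                         // exactly one dot, safe characters only
    }
    // Case-insensitive comparison: the vulnerable code accepted ".php" and would
    // equally have accepted ".PHP" or ".pHp".
    return in_array(strtolower($m[1]), ALLOWED_EXT, true);
}

// Policy choice for this example: template text must not contain a PHP open
// tag ("<?php", "<?=", or a short tag followed by whitespace). "<?xml" is allowed.
function content_is_acceptable(string $content): bool
{
    return !preg_match('/<\?(php\b|=|\s)/i', $content);
}

// Replacement for the direct write_file call: validate, then write inside
// TEMPLATE_ROOT only. Returns false on any rejected input or write failure.
function save_template(string $filename, string $content): bool
{
    if (!validate_template_name($filename) || !content_is_acceptable($content)) {
        return false;
    }
    $root = realpath(TEMPLATE_ROOT);
    if ($root === false) {
        return false;                         // template directory must already exist
    }
    // validate_template_name guarantees $filename has no separators, so this
    // path cannot leave $root.
    $target = $root . DIRECTORY_SEPARATOR . $filename;
    return file_put_contents($target, $content, LOCK_EX) !== false;
}

// Constructed inputs mirroring the report: the first is accepted, the rest rejected.
var_dump(validate_template_name('my_hot_info.html'));       // bool(true)
var_dump(validate_template_name('my_hot_info.php'));        // bool(false)
var_dump(validate_template_name('my_hot_info.PHP'));        // bool(false)
var_dump(validate_template_name('my_hot_info.php.html'));   // bool(false)
var_dump(validate_template_name('../config.html'));         // bool(false)
var_dump(content_is_acceptable('<h1><?php echo 1; ?></h1>')); // bool(false)
var_dump(content_is_acceptable('<?xml version="1.0"?><p>ok</p>')); // bool(true)
```

The extension whitelist is the control that actually closes the reported hole; the content check is defence in depth, since a template whose extension the web server never hands to the PHP interpreter cannot execute even if it contains a PHP tag. Keeping the template directory outside any path the web server treats as executable, and logging every rejected save with the acting admin account, are the corresponding server-side and detection measures.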

@Zack-Huang (Author)

This vulnerability has been fixed in the new version; please visit the link to download the latest version, V1.7: http://www.gxcms.org/
