A malicious file upload vulnerability exists in File.php of the file management function module. #25

Open
metaStor opened this issue Jan 19, 2022 · 0 comments

This is the latest 3.0.2 version of taocms.

The exploitation is organized in two steps:

Step 1:
Audit the source code E:\xxx\taocms-3.0.2\include\Model\File.php, line 96, and find that there may be an arbitrary file creation vulnerability:

Follow up $this->realpath and find that it comes from $this->path, and $this->path can be passed in through the get parameter (where SYS_ROOT is the root directory of the website):

Here you can construct the request package for the new test.php file:

The new test.php is successfully created:

Step 2:
This is also in the E:\xxx\taocms-3.0.2\include\Model\File.php file. Line 77 shows that there may be an arbitrary file writing vulnerability:

The written content $_POST['filedata'] and the written target file $this->realpath (mentioned above) are all controllable, so the data packet is constructed and written to the webshell:

Successful connection to webshell
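One way to close both findings reported above is to canonicalise the GET-supplied path and allow-list file types before any create or write. This is an added example, not taocms code and not part of the original report; `safe_target()`, `ALLOWED_EXT` and the temporary demo directory are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: only static, non-executable content may be edited.
const ALLOWED_EXT = ['html', 'htm', 'css', 'txt'];

/**
 * Map a user-supplied relative path to a file under $root, or throw.
 * The target may not exist yet, so its parent directory is canonicalised.
 */
function safe_target(string $root, string $userPath): string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        throw new RuntimeException('editable root is missing');
    }
    // Refuse NUL bytes and ':' (drive prefixes, NTFS alternate data streams).
    if ($userPath === '' || strpbrk($userPath, "\0:") !== false) {
        throw new InvalidArgumentException('illegal character in path');
    }
    $candidate = $rootReal . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    // realpath() resolves "..", "." and symlinks in the parent directory.
    $parentReal = realpath(dirname($candidate));
    if ($parentReal === false) {
        throw new InvalidArgumentException('parent directory does not exist');
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($parentReal . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('path escapes the editable root');
    }
    // Every dot-separated segment after the first must be allow-listed,
    // so "test.php", "a.php.txt" and ".htaccess" are all refused.
    $name  = basename($candidate);
    $parts = explode('.', strtolower($name));
    array_shift($parts);
    if ($parts === [] || array_diff($parts, ALLOWED_EXT) !== []) {
        throw new InvalidArgumentException('file type not allowed');
    }
    return $parentReal . DIRECTORY_SEPARATOR . $name;
}

// Constructed demo: a temporary directory stands in for the editable root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'edit_demo_' . getmypid();
@mkdir($root);
foreach (['notes.txt', 'test.php', '../test.txt', 'a.php.txt'] as $p) {
    try {
        echo $p, ' => ', safe_target($root, $p), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $p, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
rmdir($root);
```

Only `notes.txt` is accepted in the demo; the same check would need to run before both the file-creation and the file-write code paths, with the editable root set to a directory that the web server does not execute scripts from.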
