This is the latest 3.0.2 version of taocms.
The exploitation is organized into two steps:

Step 1:

Auditing the source code in E:\xxx\taocms-3.0.2\include\Model\File.php, line 96, shows that there may be an arbitrary file creation vulnerability:
Following $this->realpath shows that it comes from $this->path, and $this->path can be passed in through a GET parameter (where SYS_ROOT is the root directory of the website):

Here you can construct the request package for the new test.php file:

New test.php is successfully created:

Step 2:

This is also in the E:\xxx\taocms-3.0.2\include\Model\File.php file. Line 77 shows that there may be an arbitrary file write vulnerability:
The written content $_POST['filedata'] and the target file $this->realpath (mentioned above) are both controllable, so a request is constructed that writes a webshell:

Successful connection to webshell
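
One way to constrain the path handling described in both steps, as an added example that is not taocms code and not part of the original report: the user-supplied path is canonicalised against the web root before any create or write, and only non-executable file types are accepted. The function name `resolve_inside_root()`, the `ALLOWED_EXT` list and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not taocms code. ALLOWED_EXT and resolve_inside_root() are hypothetical.
const ALLOWED_EXT = ['html', 'htm', 'css', 'js', 'txt'];

// Map a user-supplied relative path to an absolute path inside $root, or throw.
function resolve_inside_root(string $root, string $userPath): string
{
    $root = realpath($root);
    if ($root === false) {
        throw new RuntimeException('root directory missing');
    }
    if (strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    // Treat "\" as a separator too, so "..\" is caught on any host OS.
    $userPath = str_replace('\\', '/', $userPath);
    $name = basename($userPath);
    // The target may not exist yet (the "new file" case), and realpath()
    // fails on missing files, so canonicalise the parent directory instead.
    $parent = realpath($root . DIRECTORY_SEPARATOR . dirname($userPath));
    if ($parent === false) {
        throw new InvalidArgumentException('parent directory does not exist');
    }
    // Compare with a trailing separator so /var/www does not match /var/www2.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos(rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR, $prefix) !== 0) {
        throw new InvalidArgumentException('path escapes the root');
    }
    // Allowlist on the final extension: rejects .php, .phtml, .htaccess, "x.php." etc.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }
    $target = rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;
    if (is_link($target)) {
        throw new InvalidArgumentException('target is a symlink');
    }
    return $target;
}

// Constructed inputs, run against a throwaway directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'root_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'template', 0700, true);
foreach (['template/new.html', 'test.php', '../outside.txt', 'template\\..\\..\\x.txt'] as $p) {
    try {
        echo $p, ' => ', resolve_inside_root($root, $p), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $p, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```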

