UCMS_v1.6.0 Arbitrary file upload vulnerability
vendor: http://uuu.la/
UCMS 1.6 installation package: http://uuu.la/uploadfile/file/ucms_1.6.zip
Vulnerability type:
V 1.6.0
Reproduction environment:
Windows 10
phpstudy
Vulnerability description:
The vulnerability lies in the file /ucms/sadmin/fileedit.php. The file suffix verification can be bypassed by modifying the POST packet, which allows arbitrary file upload.
Vulnerability reproduction:
ucms/sadmin/fileedit.php
The file contains the following code:
if(!@fwrite($fp,$content) && strlen($content)<>0){
Tracing the arguments of the fwrite call leads to:
$fp = @fopen($alldir.$filename,"w");
$fp is the handle of the file that receives the write, and fopen opens it in write mode ("w"): if the file does not exist, a new file is created. $content is the value of co, which is the content that is written.
Continuing to trace filename shows that it is the value of file.
The file suffix verification can be bypassed by modifying the POST packet, so as to achieve arbitrary file upload.
First upload a txt file, then edit it and change the content to a PHP Trojan.
Save the modified file and capture the request packet. In the request, change file=result.txt to file=333.php.
Then access the uploaded file 333.php to get a webshell.
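A server-side check that closes the path traced above, validating the file value before it reaches fopen. This is an added example, not UCMS code and not part of the original report; the function name safe_edit_target, the extension allow-list and the policy that the editor may only overwrite existing files are assumptions.

```php
<?php
// Added example, not UCMS code. Assumed policy: the editor may only overwrite
// files that already exist directly under $alldir and whose extension is on
// an allow-list. The allow-list contents below are an assumption.
const EDITABLE_EXTENSIONS = ['txt', 'html', 'css', 'js'];

/**
 * Resolve a client-supplied file name to a path that is safe to open for
 * writing, or return null when the request must be rejected.
 */
function safe_edit_target(string $alldir, string $filename): ?string
{
    // One name component with exactly one dot. This rejects path separators,
    // NUL bytes, "x.php.", "x.php::$DATA" and double extensions like "x.php.txt".
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/D', $filename)) {
        return null;
    }
    // The extension is checked on the server; the client-side value is untrusted.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, EDITABLE_EXTENSIONS, true)) {
        return null;
    }
    // realpath() returns false for a missing file, so an edit request can
    // never create a new file the way fopen(..., "w") does.
    $base   = realpath($alldir);
    $target = realpath($alldir . '/' . $filename);
    if ($base === false || $target === false || !is_file($target)) {
        return null;
    }
    // After symlink resolution the target must still be inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo: a temporary directory holding one editable file.
$dir = sys_get_temp_dir() . '/edit_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/result.txt', 'hello');
foreach (['result.txt', '333.php', '../result.txt', 'result.txt.', 'new.txt'] as $name) {
    $path = safe_edit_target($dir, $name);
    echo str_pad($name, 16), $path === null ? 'rejected' : 'allowed', PHP_EOL;
}
unlink($dir . '/result.txt');
rmdir($dir);
```

The write itself would then open the returned path instead of $alldir.$filename, and the result of fopen should be checked rather than suppressed with @.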





