UCMS_v1.6.0 Arbitrary file upload vulnerability

vendor: http://uuu.la/

UCMS 1.6 installation package: http://uuu.la/uploadfile/file/ucms_1.6.zip

Vulnerability type:

V 1.6.0

Reproduction environment:

Windows 10

phpstudy

Vulnerability description:

The vulnerability lies in the /ucms/sadmin/fileedit.php file. The file suffix verification can be bypassed by modifying the POST packet, which allows arbitrary file upload.

Vulnerability reproduction:

The file ucms/sadmin/fileedit.php contains the following code: if(!@fwrite($fp,$content) && strlen($content)<>0){

Next, trace the parameters of the fwrite call. The line $fp = @fopen($alldir.$filename,"w"); shows that $fp is the handle of the file being written, and that fopen opens it in write mode, so if the file does not exist a new file is created. $content is the value of co, which is the content that gets written. Then continue by tracing filename.

It turns out that filename is the value of file. The file suffix verification can be bypassed by modifying the POST packet, which allows arbitrary file upload.

First upload a txt file, then edit it and change the content to a PHP Trojan.

Save the modified file and capture the resulting request. In that request, change file=result.txt to file=333.php.

Then access the uploaded file 333.php. Get webshell.
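
A server-side check that closes this bypass, shown as an added example that is not UCMS code: the function names, the extension allowlist and the rule that the editor never creates files are assumptions. It validates the file value on the save request itself, so changing the name in the POST packet no longer selects an arbitrary target.

```php
<?php
// Added example, not UCMS code: names, allowlist and policy are assumptions.
const EDITABLE_EXTENSIONS = ['txt', 'html', 'htm', 'css', 'js'];

// Map the client-supplied "file" value to a writable path, or null to reject.
function resolve_edit_target(string $baseDir, string $requested): ?string
{
    // Bare file name only: one dot, no separators, colons, NUL bytes or trailing dots/spaces.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.[A-Za-z0-9]+\z/', $requested)) {
        return null;
    }
    // Extension allowlist, enforced server-side on every save request.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, EDITABLE_EXTENSIONS, true)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Assumed policy: the editor modifies existing regular files and never creates one.
    $target = $base . DIRECTORY_SEPARATOR . $requested;
    if (is_link($target) || !is_file($target)) {
        return null;
    }
    return $target;
}

// Save handler: write only when the target passed every check.
function save_edit(string $baseDir, string $requested, string $content): bool
{
    $target = resolve_edit_target($baseDir, $requested);
    if ($target === null) {
        return false;
    }
    return file_put_contents($target, $content, LOCK_EX) !== false;
}

// Constructed demo: temporary directory holding one editable file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'edit_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'result.txt', 'hello');
foreach (['result.txt', '333.php', '../result.txt', 'result.txt.'] as $name) {
    printf("%-16s %s\n", $name, save_edit($dir, $name, 'new text') ? 'written' : 'rejected');
}
```

The extension check only helps if the web server does not execute the allowlisted types; serving the editable directory with script execution disabled is a useful second layer.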
