CRMEB vulnerability report.docx
The defective code is the `$filename` assignment in the `videoUpload` function of `\crmeb\app\services\system\attachment\SystemAttachmentServices.php`, namely `$filename = $all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'];`. It appends `$data['chunkNumber']` to the file name, and that value is a request parameter fully controlled by the client, so `chunkNumber` can be set to a value ending in `.php`, which causes the uploaded content to be parsed and executed as PHP.
```php
public function videoUpload($data, $file)
{
    $public_dir = app()->getRootPath() . 'public';
    // Directory named after the upload date, e.g. /uploads/attach/2023/04/13
    $dir = '/uploads/attach/' . date('Y') . DIRECTORY_SEPARATOR . date('m') . DIRECTORY_SEPARATOR . date('d');
    $all_dir = $public_dir . $dir;
    if (!is_dir($all_dir)) mkdir($all_dir, 0777, true);
    // Defect: both $data['filename'] and $data['chunkNumber'] come straight from the request,
    // so the chunk is written under a client-controlled name and extension inside public/.
    $filename = $all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'];
    move_uploaded_file($file['tmp_name'], $filename);
    $res['code'] = 0;
    $res['msg'] = 'error';
    $res['file_path'] = '';
    if ($data['chunkNumber'] == $data['totalChunks']) {
        // Last chunk received: concatenate all chunks into the final file, then remove them
        $blob = '';
        for ($i = 1; $i <= $data['totalChunks']; $i++) {
            $blob .= file_get_contents($all_dir . '/' . $data['filename'] . '__' . $i);
        }
        file_put_contents($all_dir . '/' . $data['filename'], $blob);
        for ($i = 1; $i <= $data['totalChunks']; $i++) {
            @unlink($all_dir . '/' . $data['filename'] . '__' . $i);
        }
        if (file_exists($all_dir . '/' . $data['filename'])) {
            $res['code'] = 2;
            $res['msg'] = 'success';
            $res['file_path'] = sys_config('site_url') . $dir . '/' . $data['filename'];
        }
    } else {
        // Intermediate chunk: report that the upload is still in progress
        if (file_exists($all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'])) {
            $res['code'] = 1;
            $res['msg'] = 'waiting';
            $res['file_path'] = '';
        }
    }
    return $res;
}
```
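For contrast, here is a hardened way to build the on-disk path for a chunk. This is an added example, not CRMEB's own code. It assumes the request still carries `filename`, `chunkNumber` and `totalChunks`, that the caller passes a staging directory that lives outside the web root, and that `ALLOWED_VIDEO_EXT` stands in for the site's real file-type policy; the `safeChunkPath` and `finalVideoPath` names are mine.

```php
<?php
// Added example (not CRMEB's code): validated path construction for upload chunks.
// Assumptions: $stageDir is outside public/; ALLOWED_VIDEO_EXT is a placeholder policy.

declare(strict_types=1);

const ALLOWED_VIDEO_EXT = ['mp4', 'mov', 'webm']; // assumed policy

/**
 * Return the path a chunk should be written to, or throw if any client-supplied
 * value is unacceptable. Nothing from the client is used verbatim in the path:
 * the chunk index is a checked integer and the base name is a server-derived id.
 */
function safeChunkPath(string $stageDir, array $data): string
{
    $chunkRaw = (string)($data['chunkNumber'] ?? '');
    $totalRaw = (string)($data['totalChunks'] ?? '');
    // ctype_digit rejects '', '1.php', '-1', '1e3' and anything else non-numeric.
    if (!ctype_digit($chunkRaw) || !ctype_digit($totalRaw)) {
        throw new InvalidArgumentException('chunkNumber and totalChunks must be positive integers');
    }
    $chunk = (int)$chunkRaw;
    $total = (int)$totalRaw;
    if ($chunk < 1 || $total < 1 || $chunk > $total || $total > 10000) {
        throw new InvalidArgumentException('chunk index out of range');
    }

    $ext = strtolower(pathinfo((string)($data['filename'] ?? ''), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_VIDEO_EXT, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }

    // Server-side identifier for this upload; the client's name never reaches disk.
    // (Derived from the name here for reproducibility; a real service would use a
    // per-upload token stored with the session.)
    $id = substr(hash('sha256', (string)$data['filename']), 0, 32);

    // Chunks always get a fixed ".partN" suffix, so even a mis-served staging
    // directory never contains a file ending in ".php".
    return rtrim($stageDir, '/') . '/' . $id . '.part' . $chunk;
}

/** Final name for the reassembled file: server-side id plus the validated extension only. */
function finalVideoPath(string $destDir, array $data): string
{
    $ext = strtolower(pathinfo((string)($data['filename'] ?? ''), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_VIDEO_EXT, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }
    $id = substr(hash('sha256', (string)$data['filename']), 0, 32);
    return rtrim($destDir, '/') . '/' . $id . '.' . $ext;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests: a normal chunk and the "1.php" variant from the report.
    $stage = '/var/app/runtime/chunks'; // assumed location, outside public/
    $good  = ['filename' => 'demo.mp4', 'chunkNumber' => '1',     'totalChunks' => '3'];
    $bad   = ['filename' => 'demo.mp4', 'chunkNumber' => '1.php', 'totalChunks' => '3'];

    echo safeChunkPath($stage, $good), PHP_EOL;
    echo finalVideoPath('/var/app/public/uploads/attach', $good), PHP_EOL;
    try {
        safeChunkPath($stage, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Two defence-in-depth points follow from the original method regardless of this code: the web server should refuse to execute scripts under `public/uploads` (for example by mapping no PHP handler to that tree), and on an already deployed instance, listing files under `public/uploads/attach` whose names end in `.php` or contain `__` followed by a non-numeric suffix is a quick way to check whether this path has been abused.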
Vulnerability Exploitation Steps:

2. Select Commodity, then Commodity Management, and click Add Commodity.
3. Select any commodity category, enter any commodity name, and enter any commodity unit.
4. Open the add video control.
5. Use any packet-capture tool to intercept the request. I am using BurpSuite here. (As shown below)
6. Click the plus sign and select the test video you prepared (a video shorter than 10 seconds is recommended).
7. The upload request is successfully intercepted (as shown in the figure below).
8. Select all of the uploaded video data in the request body and delete it. (As shown below)
9. After the deletion is complete, write the malicious code in its place.
10. Replace the value of the chunkNumber parameter with 1.php.
11. Click Forward to send the request.

The malicious file has now been uploaded; how is it accessed?

An example is as follows:

http://your domain name/uploads/attach/year when you uploaded/month when you uploaded/day when you uploaded/file name__1.php (note the double underscore before 1.php)

(This is because the program creates directories named after the upload date.)

My current time is April 13, 2023, so my access example is as follows:

http://192.168.101.100/uploads/attach/2023/04/13/68CECACC23AB0161625A5BFFE46C3E7A.mp4__1.php

Accessing the uploaded file executes the malicious code successfully.