72crm v9 has an arbitrary file upload vulnerability where the avatar is uploaded
Test Environment
Windows 10
PHP 5.6.9 + Apache/2.4.39
Affected version
72crm v9
Vulnerable Code
application\admin\controller\Users.php line 259
After following up, it was found that validate was not set and the move operation was performed directly, resulting in the ability to upload any file.
Follow-up: the move function (sets the filename)
line 352:
Follow-up function:
Generates a time-based file name with php as the suffix,
then calls move_uploaded_file with this filename (thinkphp\library\think\File.php line 369)
Vulnerability display
First, enter the background.
Click as shown, go to the Enterprise management background.
Click to change avatar
Capture the packet and modify the content as follows
Although it is judged as an illegal file, the file has been uploaded successfully, and the file path will be exposed when debug mode is turned on.
getshell
Note:
Even if debug is not turned on, the file name can be brute-forced from the file naming rules.
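The report describes an avatar handler that moves the upload without a validate step, so the stored file keeps the client-supplied extension and a name derived from the upload time. Below is an added example of a hardened avatar upload handler; it is not 72crm's or ThinkPHP's code, is written in plain PHP 7+ rather than against the think\File API, and the upload directory, size limit and allowed image types are assumptions.

```php
<?php
// Added example, not 72crm's code: a hardened avatar upload handler in
// plain PHP. Assumes uploads are stored under UPLOAD_DIR, a directory the
// web server serves with PHP execution disabled.

const UPLOAD_DIR = __DIR__ . '/public/uploads/avatar'; // assumed path
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowlist keyed by the *detected* MIME type; the value is the extension
// the server assigns, never the one from the client-supplied filename.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Validate and store one entry of $_FILES; returns the relative save path.
function saveAvatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('rejected: not an upload or too large');
    }
    // Sniff the content; ignore both the client MIME type and its extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('illegal file type: ' . $mime);
    }
    // Require a decodable image so a script with a forged magic header
    // does not pass on the MIME check alone.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Random name with a server-chosen extension: the saved path is neither
    // predictable from the upload time nor controllable by the client.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dir  = UPLOAD_DIR . '/' . date('Ymd');
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], "$dir/$name")) {
        throw new RuntimeException('move failed');
    }
    return date('Ymd') . '/' . $name;
}

// Usage inside an avatar controller action (hypothetical field name):
// $path = saveAvatar($_FILES['file']);
```

Rejecting the file before the move, rather than after it, is the point: in the report the "illegal file" verdict is reached only once the file is already on disk.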
xunyang1 changed the title from "72crm v9 has Arbitrary file upload vulnerability" to "72crm v9 has Arbitrary file upload vulnerability in the avatar upload" on Dec 4, 2022