Vendor: http://uuu.la/
UCMS 1.6 installation package: http://uuu.la/uploadfile/file/ucms_1.6.zip
Vulnerable version:
V 1.6.0
Reproduction environment:
Windows 10
phpstudy
Vulnerability description:
The vulnerability lies in the /ucms/sadmin/fileedit.php file. The file suffix verification can be bypassed by modifying the POST request, which results in arbitrary file upload.
Reproducing the vulnerability:
ucms/sadmin/fileedit.php
The file contains this code:
if(!@fwrite($fp,$content) && strlen($content)<>0){
Tracing the parameters of the fwrite function leads to:
$fp = @fopen($alldir.$filename,"w");
$fp is the handle of the file being written, and fopen opens it in write mode. If the file does not exist, a new file is created. $content is the value of co, which is the content that gets written.
Tracing filename further shows that filename is the value of file.
Because the file name is taken from the request when the edit is saved, the file suffix verification can be bypassed by modifying the POST request, which results in arbitrary file upload.
First upload a txt file, then edit it and change the content to a PHP Trojan.
Save the modified file and capture the request. In the captured request, change file=result.txt to file=333.php.
Then access the uploaded file 333.php to get a webshell.
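A hardened form of the save step analysed above, as an added example (not UCMS code): the suffix is checked on the file name that is actually written, and the target must already exist inside the edit directory. The function names, the extension allowlist and the temporary directory are assumptions made for illustration, as is the premise that the editor only modifies existing files.

```php
<?php
// Added example, not UCMS code. safe_edit_path(), save_edit() and the
// extension allowlist are assumptions made for illustration.

// Resolve a client-supplied name to an existing, editable file inside $baseDir.
// Returns the resolved path, or null when the request must be rejected.
function safe_edit_path(string $baseDir, string $name, array $allowedExt): ?string
{
    // Bare file names only: no separators, drive or stream syntax (':'), or NUL.
    if ($name === '' || strpbrk($name, "/\\:\0") !== false) {
        return null;
    }
    // Check the suffix of the name that will actually be written. Names such as
    // "x.php." or "x.txt " yield an extension outside the allowlist and fail here.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Editing must not create files: the target has to exist already and,
    // after symlinks are resolved, sit directly inside the base directory.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || dirname($real) !== $base) {
        return null;
    }
    return $real;
}

function save_edit(string $baseDir, string $name, string $content): bool
{
    $path = safe_edit_path($baseDir, $name, ['txt', 'css', 'html']);
    return $path !== null && file_put_contents($path, $content, LOCK_EX) !== false;
}

// Constructed demo: one existing text file in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'edit_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'result.txt', 'old');

var_dump(save_edit($dir, 'result.txt', 'new text'));  // existing .txt file
var_dump(save_edit($dir, '333.php', 'x'));             // suffix changed to .php
var_dump(save_edit($dir, '../result.txt', 'x'));       // name with a path separator
var_dump(save_edit($dir, 'missing.txt', 'x'));         // name that does not exist yet
```

The allowlist should contain only extensions that the web server never hands to the PHP interpreter.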