vendor: http://uuu.la/

UCMS 1.6 installation package： http://uuu.la/uploadfile/file/ucms_1.6.zip

Vulnerability type：

V 1.6.0

Recurrence environment：

Windows 10

phpstudy

Vulnerability description：

The vulnerability lies in /ucms/sadmin/fileedit.php file, The file suffix verification can be bypassed by modifying the POST packet, so as to achieve arbitrary file upload.

Loophole recurrence：

ucms/sadmin/fileedit.php The code exists in the fileif(!@fwrite($fp,$content) && strlen($content)<>0){

Then track the parameters of the fwrite function $fp = @fopen($alldir.$filename,"w"); It is found that $fp is the receiving file, and fopen uses writing. If there is no such file, a new file will be created. $content is the value of co, which is the content written in. Then continue to track filename

Found that filename is the value of file. The file suffix verification can be bypassed by modifying the POST packet, so as to achieve arbitrary file upload.

First upload a txt type file, then edit and change the content to a php Trojan.

Save the modified file, then grab the data request package,In the process, change file=result.txt to file=333.php.

Then access the uploaded file 333.php. Get webshell.