File upload vulnerability exists by modifying Upload.php configuration in backend. #35

Open
xiaoabai opened this issue Dec 21, 2022 · 0 comments


This is the latest 3.0.2 version of taocms.

Exploitation is organized in two steps:

Step 1:
Audit the source code "include/Model/Upload.php": at line 33, the filename extension can be controlled by modifying the variable "upext":
image

Following up in "include/Model/File.php", line 75, there is a $this->realpath, which comes from $this->path, and $this->path can be passed in through the GET parameter (where SYS_ROOT is the root directory of the website):
image

Here, any changes to the variable "upext" or the file "Upload.php" can be saved by the method "save", which is located at "include/Model/File.php", line 73:
image

At this stage, you can add the "php" filename extension to the variable "upext" and click "save" to save it:
image

Step 2:
Next, you can upload any php file to the system:
image

The new a.php file is successfully uploaded:
image

Once you have uploaded the file, you can open it through the path "http://www.taocms.com:9090/a.php", and you can get a shell on this system:
image
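A mitigation sketch for the two weaknesses reported above (an upload extension list that can be widened by editing a file from the backend, and a file editor that will save PHP sources), added here as an example and not taken from the taoCMS code base or from the reporter. The function names, constants and sample inputs are hypothetical.

```php
<?php
// Added example; not taoCMS code. Function and constant names are hypothetical.

// Never accepted as an upload, whatever the editable configuration says.
const EXECUTABLE_EXTS = ['php', 'php3', 'php4', 'php5', 'php7', 'pht', 'phtml', 'phar'];
// Fixed in code, so changing a setting from the admin panel cannot widen it.
const ALLOWED_EXTS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function uploadNameIsAcceptable(string $name, array $configuredExts): bool
{
    $base  = basename(str_replace('\\', '/', $name));
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                       // no extension, or a dotfile such as .htaccess
    }
    array_shift($parts);                    // drop the stem, keep every extension segment
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE_EXTS, true)) {
            return false;                   // also catches double extensions (a.php.jpg)
        }
    }
    $ext = end($parts);
    // The configured list may only narrow the fixed allowlist, never extend it.
    return in_array($ext, ALLOWED_EXTS, true)
        && in_array($ext, array_map('strtolower', $configuredExts), true);
}

function editorMaySave(string $root, string $requested): bool
{
    $path = str_replace('\\', '/', $requested);
    if (in_array('..', explode('/', $path), true)) {
        return false;                       // no traversal out of the web root
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (in_array($ext, EXECUTABLE_EXTS, true)) {
        return false;                       // the editor must not rewrite application code
    }
    $realRoot = realpath($root);
    $realDir  = realpath($root . '/' . dirname($path));   // target file may not exist yet
    return $realRoot !== false && $realDir !== false
        && strpos($realDir . DIRECTORY_SEPARATOR, $realRoot . DIRECTORY_SEPARATOR) === 0;
}

// Constructed inputs: the configured list after "php" has been added to it.
$configured = ['jpg', 'png', 'php'];
foreach (['photo.jpg', 'a.php', 'a.PHP', 'a.php.jpg'] as $name) {
    printf("%-10s %s\n", $name, uploadNameIsAcceptable($name, $configured) ? 'accept' : 'reject');
}
var_dump(editorMaySave(__DIR__, 'include/Model/Upload.php'));
```

Serving the upload directory with script execution disabled at the web server is a complementary control, since it holds even if a filename check is bypassed.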
