72crm v9 has Arbitrary file upload vulnerability #35

Open
xunyang1 opened this issue Jul 30, 2022 · 0 comments


Brief of this vulnerability

72crm v9 has an arbitrary file upload vulnerability where the logo is uploaded.

Test Environment

  • Windows 10
  • PHP 5.6.9+Apache/2.4.39

Affected version

72crm v9

Vulnerable Code

application\admin\controller\System.php line 51
image
After follow-up, it was found that the validate was not set, and the move operation was performed directly, resulting in the ability to upload any file.
image
Follow up the move function (sets the filename),
line 352:
image
Follow up the function:
it generates time-based file names with php as a suffix.
image
Then move_uploaded_file is called with this filename (thinkphp\library\think\File.php line 369).
image

Vulnerability display

First, enter the background.
Click as shown to go to the Enterprise management background.
image
Click this.
image
Just upload a picture and capture the package, then modify the content as follows.
image
Go back to the enterprise management background.
image
Access the image address.
image
PHP code executed successfully.
Notice: Because it is uploaded at the logo, unauthorized users can also access this PHP code.
image
image
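A server-side check of the kind the report finds missing (no validation before the move, and a stored suffix taken from the uploaded name), as an added example that is not 72crm or ThinkPHP code. The helper name `safe_logo_name`, the size limit and the sample files are assumptions, and `random_bytes` assumes PHP 7 or later.

```php
<?php
// Added example: not 72crm or ThinkPHP code. safe_logo_name() is a hypothetical helper.

/**
 * Return the name to store an uploaded logo under, or null to reject the upload.
 * $tmpPath: server-side temp file; $clientName: file name sent by the client.
 */
function safe_logo_name($tmpPath, $clientName, $maxBytes = 2097152)
{
    // Accepted image types and the suffix the server assigns to each.
    $types = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];

    $size = @filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    // Check 1: the client-supplied extension must be on the allowlist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        return null;
    }
    // Check 2: the content must parse as one of the accepted image types.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset($types[$info[2]])) {
        return null;
    }
    // The stored suffix comes from the detected type, never from $clientName,
    // so a stored logo never carries a script extension.
    return bin2hex(random_bytes(16)) . '.' . $types[$info[2]];
}

// Constructed samples: a PNG signature plus IHDR header, and a script body.
$png = "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
$cases = [
    ['logo.png', $png],             // image content, image name
    ['logo.php', $png],             // image content, script name
    ['logo.png', '<?php echo 1;'],  // script content, image name
];
foreach ($cases as $case) {
    $tmp = tempnam(sys_get_temp_dir(), 'logo');
    file_put_contents($tmp, $case[1]);
    $name = safe_logo_name($tmp, $case[0]);
    echo $case[0], ' => ', $name === null ? 'rejected' : 'stored as ' . $name, "\n";
    unlink($tmp);
}
```

In an upload handler the returned name would be used as the stored file name in place of one built from the uploaded file's own suffix.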
