Headline
CVE-2021-37770: File upload vulnerability
Nucleus CMS v3.71 is affected by a file upload vulnerability. The upload function can be used to change the upload path to a directory that has no .htaccess file. An attacker then uploads an .htaccess file containing the line AddType application/x-httpd-php .jpg. After that, an uploaded picture containing a shell is treated as PHP, so the attacker can execute commands and take down website resources.
Description: I found a file upload vulnerability. The project layout in Apache will cause huge problems. In this vulnerability, we can use upload to change the upload path to a path without an .htaccess file. Upload an .htaccess file and write AddType application/x-httpd-php .jpg to it. In this way, we can upload a picture with a shell, treat it as PHP, and execute our commands, so as to take down the whole website Resources and permissions for.
Log in as admin
This is the vulnerable file and directory
Find where to upload files
Upload a PHP file and visit it; the response is Forbidden
Let's upload an .htaccess file
You can see that the file was uploaded successfully. Then upload a .jpg file, which contains the Trojan we wrote
We visit it to execute our command
We can use it to execute any command, or use it to get all the information of the website
Let's analyze the reason. We can see that the .htaccess file forbids access to PHP files
When an .htaccess file containing this line is uploaded: AddType application/x-httpd-php .jpg
.jpg files can be executed as PHP files
Solution:
The best way to solve this vulnerability is to disable the upload of .htaccess and .user.ini files. Using .htaccess files under an Apache service is dangerous. Using .user.ini on an nginx server is dangerous.
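One way to implement the fix described above, as an added PHP example (not Nucleus CMS code and not part of the original advisory). The extension allowlist and the function names allowed_extension and store_upload are assumptions made for this illustration.

```php
<?php
// Added example: not Nucleus CMS code. The allowlist and function names are
// assumptions made for this illustration.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];   // assumed allowlist

/** Return the lower-cased extension if the client name is acceptable, else null. */
function allowed_extension(string $clientName): ?string
{
    // The name must be a bare file name: no NUL bytes, no path separators.
    if (preg_match('#[/\\\\\x00]#', $clientName)) {
        return null;
    }
    // Windows drops trailing dots and spaces, so judge the normalized form.
    $name = strtolower(rtrim($clientName, '. '));
    // Dotfiles cover .htaccess and .user.ini in any letter case.
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    // Exactly one extension: Apache's mod_mime can act on any extension of a
    // multi-extension name such as "shell.php.jpg", so those are refused.
    $parts = explode('.', $name);
    if (count($parts) !== 2 || !in_array($parts[1], ALLOWED_EXT, true)) {
        return null;
    }
    return $parts[1];
}

/** Store an upload under a server-generated name; returns the path or null. */
function store_upload(array $file, string $uploadDir): ?string
{
    $ext = allowed_extension($file['name'] ?? '');
    if ($ext === null || ($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // The stored name contains no client-supplied text, so an override file
    // such as .htaccess can never be written into the upload directory.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed sample names, for illustration only.
foreach (['photo.JPG', '.htaccess', '.User.ini', 'shell.php.jpg', '../x.jpg'] as $n) {
    printf("%-14s => %s\n", $n, allowed_extension($n) ?? 'rejected');
}
```

On Apache, setting AllowOverride None for the upload directory additionally keeps any .htaccess file that does land there from being honoured.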