CVE-2022-46610: 72crm v9 has Arbitrary file upload vulnerability in the avatar upload · Issue #36 · 72wukong/72crm-9.0-PHP
72crm v9 was discovered to contain an arbitrary file upload vulnerability via the avatar upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
****Brief of this vulnerability****
72crm v9 has an arbitrary file upload vulnerability in the avatar upload function.
****Test Environment****
- Windows 10
- PHP 5.6.9+Apache/2.4.39
****Affected version****
72crm v9
****Vulnerable Code****
`application\admin\controller\Users.php`, line 259:
Following the call shows that no `validate` rule is set and the move operation is performed directly, so any file can be uploaded.
Following into the move function (which sets the file name):
line 352:
Following into the next function:
It generates a time-based file name with `php` as the suffix,
then calls `move_uploaded_file` with this file name (`thinkphp\library\think\File.php`, line 369).
****Vulnerability display****
First, log in to the back end.
Click as shown to go to the Enterprise management back end.
Click to change the avatar.
Capture the packet and modify the content as follows:
Although the file is judged to be illegal, it has already been uploaded successfully, and the file path is exposed when debug mode is turned on.
getshell
Note:
Even if debug is not turned on, the file name can be brute-forced from the file naming rule.
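
The two weaknesses described above (no validation before the move, and a time-based file name that can be guessed) can be closed with a check like the following. This is an added example, not code from 72crm or ThinkPHP: `safe_avatar_name()` is a hypothetical helper, the sample inputs are constructed, and it assumes PHP's openssl extension is available.

```php
<?php
// Added example (not 72crm or ThinkPHP code). safe_avatar_name() is a hypothetical helper.

// Returns a server-generated file name for an acceptable avatar, or null to reject.
// Call it BEFORE move_uploaded_file(), so a rejected file never reaches the web root.
function safe_avatar_name($tmpPath, $clientName, $maxBytes = 2097152)
{
    // Allowlist: detected MIME type => extension the server assigns.
    $allowed = array('image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif');

    if (!is_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        return null;
    }
    // 1. The client-supplied extension must be on the allowlist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    // 2. The content must parse as an image of that same type.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset($allowed[$info['mime']]) || $allowed[$info['mime']] !== $ext) {
        return null;
    }
    // 3. Unpredictable name; the suffix comes from the allowlist, never from the client.
    return bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a minimal PNG header and a harmless PHP source file.
$png = "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
$php = "<?php echo 'not an image';";

$cases = array(
    array('avatar.png', $png),  // accepted: random 32-hex name + .png
    array('avatar.php', $php),  // rejected: extension not allowlisted
    array('avatar.png', $php),  // rejected: content is not an image
    array('avatar.gif', $png),  // rejected: extension and content disagree
);
foreach ($cases as $case) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $case[1]);
    $name = safe_avatar_name($tmp, $case[0]);
    echo $case[0], ' => ', ($name === null ? 'REJECTED' : $name), "\n";
    unlink($tmp);
}
```

In a real upload handler the returned name is what gets passed to `move_uploaded_file()`, and a `null` result means the temporary file is discarded without ever being moved. Storing avatars in a directory where the web server does not execute PHP adds a second layer if the check is ever bypassed.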