CVE-2022-37181: 72crm v9 has Arbitrary file upload vulnerability · Issue #35 · 72wukong/72crm-9.0-PHP

****Brief of this vulnerability****

72crm v9 has Arbitrary file upload vulnerability Where to upload the logo

****Test Environment****

• Windows10
• PHP 5.6.9+Apache/2.4.39

****Affect version****

72crm v9

****Vulnerable Code****

application\admin\controller\System.php line 51

After follow-up, it was found that the validate was not set, and the move operation was performed directly, resulting in the ability to upload any file

follow-up move function（set filename）
line 352:

follow up function
Generate time-based file names with php as a suffix

then move_uploaded_file with this filename （thinkphp\library\think\File.php line 369）

****Vulnerability display****

First enter the background
Click as shown,go to the Enterprise management background

click this

Just upload a picture and capture the package, modify the content as follows

Back to enterprise management background

access image address

php code executed successfully
Notice：Because it is uploaded at the logo, unauthorized users can also access this php code