gongfuxiang / shopxo

ShopXO enterprise-grade free open-source e-commerce system: visual drag-and-drop DIY store decoration; includes PC, H5, multi-platform mini-programs (WeChat + Alipay + Baidu + Toutiao & Douyin + QQ + Kuaishou), APP, multi-warehouse, multi-merchant, multi-store, IM customer service, and purchase/sales/inventory management; released under the MIT open-source license; built on the ThinkPHP8 framework
https://shopxo.net
MIT License
2.64k stars, 799 forks

There is a File upload vulnerability that can getshell #47

Open lavon321 opened 4 years ago

lavon321 commented 4 years ago

The file upload vulnerability here lies in the blacklist method used when verifying the suffix of the uploaded file. This verification method is not strict and is often bypassed by attackers in various ways.

The PluginsUpload method in the application\service\PluginsAdminService.php file has a file creation operation, in which the input of the file_put_contents function is controllable.

Line 1072 checks the file suffix name; here it is a blacklist check.

The value in the private static variable $exclude_ext is '.php', which can easily be bypassed.

There are many ways to bypass the blacklist verification of suffix names. Taking my local Windows system environment as an example, you can upload file names that do not conform to the Windows file naming rules:

```
shell.php::$DATA
shell.php::$DATA…….
shell.php.
shell.php (trailing space)
shell.php:1.jpg
```

The Windows system will automatically remove the content after symbols that do not conform to the rules. You can change the file suffix in the Linux environment and upload it to the website.

Through the audit of the PluginsUpload method in the PluginsAdminService.php file: when the zip archive does not match the resource directory, it will jump out of the loop that reads the archive files.

And the resource directory cannot be controller, because the directory corresponding to controller exists, and the compressed package will be closed directly without entering the subsequent file writing operation.

Finally, the method is called in the Upload method of the application\admin\controller\Pluginsadmin.php file.

The attacker can upload such a compressed package after logging into the background system, and upload the compressed package at Application Center -> Application Management -> Upload Application. Then visit public\static\upload\file_uploadfile_\shell.php.

In application\service\ThemeService.php there is also the same blacklist verification problem for uploaded files. The processing logic is very similar to the above file. After logging in to the system, upload the zip archive at Site Management -> Theme Management -> Theme Installation. Visit public\static\index\test.php after uploading.
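The report above shows a deny-list on `.php` being defeated by names that Windows normalises before writing (`::$DATA` stream syntax, a trailing dot or space, `name:other` stream names). As an added example that is not ShopXO's code, here is an allow-list validator in PHP that performs that normalisation itself and then accepts only a listed extension, so the bypass spellings never need to be enumerated. The function name `safeUploadName`, the allow-list contents and the sample entry names are constructed for the demonstration; the entry names stand in for what `ZipArchive::getNameIndex()` would return while walking an uploaded archive.

```php
<?php
// Added example (not ShopXO code): allow-list extension validation that
// normalises the Windows/NTFS quirks from the report before checking.
declare(strict_types=1);

/**
 * Return a safe basename for $rawName if it passes validation, or null.
 * $allowedExt is the allow-list of lower-case extensions without the dot.
 */
function safeUploadName(string $rawName, array $allowedExt): ?string
{
    // 1. Reduce to a basename. Treat both separators as directory separators
    //    so "..\x.php" and "a/b.php" cannot escape the upload directory.
    $name = basename(str_replace('\\', '/', $rawName));

    // 2. Reject characters Windows/NTFS reinterprets: NUL, control characters
    //    and ':' (alternate data streams such as "::$DATA" or "x.php:1.jpg").
    if ($name === '' || preg_match('/[\x00-\x1f:]/', $name)) {
        return null;
    }

    // 3. Windows silently strips trailing dots and spaces ("shell.php." and
    //    "shell.php "), so strip them ourselves and validate what remains.
    $name = rtrim($name, ". ");
    if ($name === '' || $name[0] === '.') {
        return null;
    }

    // 4. Allow-list the final extension, compared case-insensitively so that
    //    "shell.PHP" is treated the same as "shell.php".
    $dot = strrpos($name, '.');
    if ($dot === false) {
        return null;
    }
    $ext = strtolower(substr($name, $dot + 1));
    if ($ext === '' || !in_array($ext, $allowedExt, true)) {
        return null;
    }

    // 5. Restrict the stem to plain characters; the extension is already checked.
    $stem = substr($name, 0, $dot);
    if (!preg_match('/^[A-Za-z0-9_-]{1,100}$/', $stem)) {
        return null;
    }
    return $stem . '.' . $ext;
}

// Constructed entry names standing in for ZipArchive::getNameIndex() results.
$entries = [
    'shell.php::$DATA',   // NTFS stream syntax
    'shell.php.',         // trailing dot, stripped by Windows
    'shell.php ',         // trailing space, stripped by Windows
    'shell.php:1.jpg',    // stream name ending in an allowed extension
    'shell.PHP',          // case variant
    '../evil.html',       // path traversal attempt
    'static/logo.PNG',    // legitimate asset inside a directory
    'readme.txt',         // legitimate plain file
];
$allowed = ['png', 'jpg', 'jpeg', 'gif', 'css', 'js', 'txt'];

foreach ($entries as $entry) {
    $safe = safeUploadName($entry, $allowed);
    printf("%-24s -> %s\n", var_export($entry, true), $safe ?? 'REJECTED');
}
```

The function validates a basename only; a plugin or theme installer that must preserve the archive's directory layout should validate each path component separately against the expected resource directory and refuse `..` segments. Allow-listing the final extension replaces the `$exclude_ext` check rather than extending it: any name that does not normalise to a listed extension is refused. The complementary control is serving the upload directory with script execution disabled, since no filename check can stop a web server configured to execute scripts found there.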