hyyyp / HYBBS2

A PHP forum program built on the HYPHP MVC framework, with plugin and template extensions.
http://bbs.hyphp.cn
GNU General Public License v2.0

There is an arbitrary file upload vulnerability in the HYBBS upload plugin function #33

Open shmilylty opened 2 years ago

shmilylty commented 2 years ago

There is an arbitrary file upload vulnerability in the HYBBS upload plugin function

Vulnerability overview

There is an arbitrary file upload vulnerability in the upload plugin function of the HYBBS management background, which can lead to gaining server privileges.

Vulnerability scope

All versions prior to HYBBS 2.3.3

Vulnerability environment construction

Clone the latest HYBBS code repository locally, then use phpstudy to set up HYBBS.

Vulnerability reproduction steps

Make a malicious zip archive as shown below

(screenshot)

Upload the malicious zip archive through the upload plugin function in the management background

(screenshot)

After uploading, a prompt reports that the upload was successful

(screenshot)

The log of the folder monitoring software shows that HYBBS renamed the malicious archive and extracted it into the Plugin directory

(screenshot)

(screenshot)

Vulnerability code analysis

Locate the code of the plugin upload function

(screenshot)

(screenshot)

HYBBS decompresses the archive directly without checking its contents, resulting in an arbitrary file upload vulnerability.
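
The report above shows the archive being extracted into the Plugin directory with no inspection of its entries. The following is an added example of the check a plugin installer can run before extracting; it is not HYBBS code and not code from the issue author. The constant names (PLUGIN_ROOT, PLUGIN_MANIFEST, PLUGIN_MAX_BYTES), the function names, the manifest file name and the rule that every entry must sit under one top-level plugin directory are assumptions made for this illustration. It rejects absolute paths, `..` traversal, backslashes, symlink entries, oversized archives and archives whose entries are not all under a single plugin directory, and it writes nothing to disk until the whole archive has passed.

```php
<?php
declare(strict_types=1);

// Added example, not code from HYBBS. All names below are assumptions
// chosen for illustration; the extraction target and manifest name would
// be whatever the real plugin loader expects.
const PLUGIN_ROOT      = __DIR__ . '/Plugin';   // assumed extraction target
const PLUGIN_MANIFEST  = 'plugin.json';         // assumed per-plugin manifest
const PLUGIN_MAX_BYTES = 20 * 1024 * 1024;      // assumed decompressed-size cap

/**
 * Return the problems found in the archive; an empty array means it may be
 * extracted. This function reads the central directory only and writes nothing.
 */
function validatePluginArchive(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        return ['archive cannot be opened'];
    }

    $problems   = [];
    $topLevel   = null;   // every entry must share one top-level directory
    $totalBytes = 0;
    $manifest   = false;

    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        $name = $stat['name'];
        $totalBytes += $stat['size'];

        // Absolute paths, Windows drive letters and backslashes are never valid.
        if ($name === '' || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name) === 1
            || strpos($name, '\\') !== false) {
            $problems[] = "invalid path: $name";
            continue;
        }

        // Reject '.' and '..' segments so no entry can land outside PLUGIN_ROOT.
        $segments = explode('/', rtrim($name, '/'));
        if (in_array('.', $segments, true) || in_array('..', $segments, true)) {
            $problems[] = "path traversal: $name";
            continue;
        }

        // A symlink entry could point outside the plugin directory once extracted.
        if ($zip->getExternalAttributesIndex($i, $opsys, $attr)
            && $opsys === ZipArchive::OPSYS_UNIX
            && (($attr >> 16) & 0170000) === 0120000) {
            $problems[] = "symlink entry: $name";
            continue;
        }

        // The first segment is the plugin name: a plain identifier, the same for all entries.
        if (preg_match('/^[A-Za-z0-9_]+$/', $segments[0]) !== 1) {
            $problems[] = "bad plugin directory name: $name";
            continue;
        }
        $topLevel ??= $segments[0];
        if ($segments[0] !== $topLevel) {
            $problems[] = "entry outside $topLevel/: $name";
        }
        if ($name === $topLevel . '/' . PLUGIN_MANIFEST) {
            $manifest = true;
        }
    }
    $zip->close();

    if ($topLevel === null) {
        $problems[] = 'archive is empty';
    } elseif (!$manifest) {
        $problems[] = "missing $topLevel/" . PLUGIN_MANIFEST;
    }
    if ($totalBytes > PLUGIN_MAX_BYTES) {
        $problems[] = "decompressed size $totalBytes exceeds limit";
    }
    return $problems;
}

/** Extract only after the whole archive has been validated. */
function installPluginArchive(string $zipPath): void
{
    $problems = validatePluginArchive($zipPath);
    if ($problems !== []) {
        throw new RuntimeException('plugin archive rejected: ' . implode('; ', $problems));
    }
    if (!is_dir(PLUGIN_ROOT) && !mkdir(PLUGIN_ROOT, 0750, true)) {
        throw new RuntimeException('cannot create ' . PLUGIN_ROOT);
    }
    $zip = new ZipArchive();
    $zip->open($zipPath, ZipArchive::RDONLY);
    // Every entry name has been checked, so extraction stays under PLUGIN_ROOT.
    if (!$zip->extractTo(PLUGIN_ROOT)) {
        throw new RuntimeException('extraction failed');
    }
    $zip->close();
}

// Example call from an admin upload handler (hypothetical field name 'plugin'):
// installPluginArchive($_FILES['plugin']['tmp_name']);
```

The check constrains where files land and what shape the archive has; it does not, and cannot, stop an archive from containing PHP, because a plugin for a PHP forum is PHP code by design. That is why the upload should remain reachable only by administrators and why the validator runs before `extractTo`, not after: the log in the report shows that once extraction has happened, the files are already in the Plugin directory.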

daniuwo commented 2 years ago

Only an administrator can upload in the backend; ordinary users do not have permission.