
yccms - Remote code execution via upload image

2019.06.17

Vulnerability Report: yccms 3.3 remote code execution via upload image

This report describes an arbitrary file upload leading to remote code execution in yccms (a lightweight PHP CMS for building sites: its page design is simple, it generates static HTML, it has a feature-rich back end that is favourable for search optimization, and it offers built-in collection and ranking features aimed at keyword ranking and Taobao affiliate sites, marketed as a choice for individuals and enterprises). Because the xhUp function does not properly validate the request parameters, a malicious request can upload an "image" file through the xh upload handler that actually contains PHP code, and that file is then executed by the server, triggering a remote code execution vulnerability.

Test Environment

  • yccms: 3.3, website: http://www.yccms.net/
  • php: 7.2.9
  • os and hardware: Mac OS X 10_12_6

Vulnerability Location

The vulnerability lies in the xhUp function in the yccms_v3.3/controller/CallAction.class.php file, which calls the checkType method of the FileUpload class in the yccms_v3.3/public/class/FileUpload.class.php file to handle format checking of uploaded images.

	// upload handler dedicated to the xheditor editor
	public function xhUp() {
		if (isset($_GET['type'])) {
			$_fileupload = new FileUpload('filedata',10);
			$_err=$_fileupload->checkError();
			$_path = $_fileupload->getPath();
			$_msg="'..$_path'";
			$_img = new Image($_path);
			$_img->xhImg(650,0);
			$_img->out();
			echo "{'err':'".$_err."','msg':".$_msg."}";
			exit();
		} else {
		Tool::alertBack('警告:由于非法操作导致上传失败!');
		}
	}
	
	......
	
	// validate the upload type
	private function checkType() {
		if (!in_array($this->type,$this->typeArr)) {
			Tool::alertBack('警告:不合法的上传类型!');
		}
	}

The parameter $this->type = $_FILES[$_file]['type'] is the Content-Type taken from the uploaded file information. The checkType function only checks that this value is in the whitelist and, if it is, goes straight on to checkPath and moveUpload, which save the file. The Content-Type in the upload information is supplied by the client and can be forged at will: by forging the value as image/png and setting the upload file content to <?php phpinfo();?>, arbitrary code execution is achieved.
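As an added example (this is not yccms's own code), the following PHP shows the vulnerable pattern described above next to a hardened replacement. The hardened version ignores the client-supplied Content-Type and file name entirely: it sniffs the actual bytes with finfo, requires the file to parse as an image with getimagesize, and assigns a server-chosen name and extension derived from the detected type. The function names, the allowed-type map and the constructed sample inputs are assumptions for this example.

```php
<?php
// Added example, not yccms code. Names and the allowed-type map are assumptions.

// Vulnerable pattern from the report, kept for contrast: the only check is
// that a client-controlled string ($_FILES[...]['type']) is in a whitelist.
function vulnerableCheckType(string $clientType, array $typeArr): bool
{
    return in_array($clientType, $typeArr, true);
}

// Hardened check: decide from the file's bytes, never from request metadata.
// $requireUploaded is true in production; it is only switched off below so
// the offline demo can feed temp files that did not come through HTTP.
function validateImageUpload(array $file, bool $requireUploaded = true): array
{
    // Content-detected MIME types we accept, mapped to the extension we assign.
    $allowed = [
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
    ];

    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error'];
    }
    // Refuse anything that did not arrive through PHP's upload mechanism.
    if ($requireUploaded && !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }

    // 1. Content sniffing: libmagic inspects the bytes on disk, not the
    //    Content-Type header that the client wrote into the multipart body.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return ['ok' => false, 'reason' => "disallowed content type: $mime"];
    }

    // 2. Structural check: the file must also decode as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return ['ok' => false, 'reason' => 'not a valid image'];
    }

    // 3. Server-chosen name: random, with the extension taken from the detected
    //    type, so a client-supplied name such as test.php is never used on disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];

    return ['ok' => true, 'name' => $name, 'mime' => $mime, 'width' => $info[0], 'height' => $info[1]];
}

// --- Offline demonstration with constructed inputs -------------------------
$typeArr = ['image/png', 'image/jpeg', 'image/gif'];

// Constructed sample 1: PHP source labelled as image/png by the client.
$phpTmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($phpTmp, "<?php phpinfo();?>");
$forged = ['name' => 'test.php', 'type' => 'image/png', 'tmp_name' => $phpTmp, 'error' => UPLOAD_ERR_OK];

// Constructed sample 2: a real 1x1 PNG (base64), also labelled image/png.
$pngTmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($pngTmp, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$genuine = ['name' => 'pixel.png', 'type' => 'image/png', 'tmp_name' => $pngTmp, 'error' => UPLOAD_ERR_OK];

foreach (['forged' => $forged, 'genuine' => $genuine] as $label => $file) {
    printf("%-8s vulnerable check accepts: %s\n", $label, vulnerableCheckType($file['type'], $typeArr) ? 'yes' : 'no');
    $result = validateImageUpload($file, false);
    printf("%-8s hardened check: %s\n", $label, $result['ok'] ? 'ok, stored as ' . $result['name'] : 'rejected (' . $result['reason'] . ')');
}

unlink($phpTmp);
unlink($pngTmp);
```

Run with the PHP CLI (the fileinfo extension must be enabled). The vulnerable check accepts both samples because it only sees the string image/png; the hardened check rejects the PHP source, since libmagic reports it as a PHP/text type rather than image/png, and accepts the genuine PNG under a random server-generated name. Content validation is the first layer only: the uploads directory should additionally be configured in the web server so that scripts placed there are never interpreted, which limits the impact even if a validation step is bypassed.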

Local Test

Log in to the system's admin back end, select the home page content, and click 上传 (Upload).


Modify the content of the picture to <?php phpinfo();?> and set the upload's file name field to filename = test.php.


Check the local directory /yccms_v3.3/uploads/: the file has been uploaded successfully.


Then visit {yourdomain}/uploads/20190902205314907.php: the code executes successfully.


Summary

This report verifies, through local tests, the remote code execution vulnerability in the picture file upload function of yccms version 3.3.
