YPay后台存在任意文件上传漏洞

漏洞方法定位于app/common/util/Upload.php类中的themePutFile()，被app/admin/controller/ypay/Home.php控制器的upload方法调用，将webshell压缩到一个zip压缩包后在网站主题上传处上传就会导致木马文件解压至/public/home目录下能够被直接访问。建议在全局解压封装一个检验的函数对解压后的文件后缀做个校验，漏洞涉及服务端权限获取，危害较大请尽快修复

在后台主题上传处上传一个打包好webshell的压缩包，漏洞证明测试用phpinfo()
![image](https://github.com/user-attachments/assets/8ce3648d-4f79-4065-b907-b491e79e0af8)
![image](https://github.com/user-attachments/assets/a4520a27-d379-4119-b684-738d8461f831)
然后即可将webshell上传至public/home目录下
![image](https://github.com/user-attachments/assets/6a97e40e-748c-44dd-ab66-7a1c4aa6767d)



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

YPay后台存在任意文件上传漏洞 #4

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

YPay后台存在任意文件上传漏洞 #4

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions