**Vulnerability Summary:**

- **Vulnerability ID:** #11
- **Product:** MCMS (Mingfei CMS)
- **Affected Version:** 6.1.1
- **Vulnerability Type:** Race condition (time-of-check/time-of-use between decompression and deletion)
- **Risk Level:** High (potential webshell upload)

**Vulnerability Description:**

The template zip upload function at `/ms/file/uploadTemplate.do` in the main branch of MCMS (corresponding to version 6.1.1) contains a race condition that can be abused to obtain a webshell.

**Vulnerability Proof:**

1. **Verification environment:**
   - Deploy the system from the Tomcat WAR package.
   - Log in with the default username `msopen` and password `msopen`.
2. **Preparation:**
   - Build a zip archive containing malicious code.
   - The script creates many TXT files with excessively long JSP filenames, which slows down both decompression and the subsequent deletion.
   - The malicious JSP files contain a webshell.
3. **Script usage:**
   - A Python script rapidly requests the uploaded malicious JSP files.
   - The Python script creates the webshell inside the zip archive.
4. **Yakit packet capture:**
   - Confirms that the request is captured successfully across multiple attempts.
5. **Godzilla command execution:**
   - Confirms that commands execute successfully, indicating a potential system compromise.

**Vulnerability Code Analysis:**

- The code checks only the file extension, not the file header, so the `checkZip` method can be bypassed.
- Disallowed files are deleted only after the archive has been decompressed; the window between decompression and deletion allows a JSP script to be uploaded and used to generate a webshell.

**Other Dangers:**

- The `getShell` method can cause extensive damage to the system, allow data to be acquired, and leave behind backdoors.

**Recommendations:**

- Strengthen detection of compressed file types: validate the archive by its content (file header), not only by its extension.
- Make decompression and deletion atomic, so that no window exists in which disallowed files are present and reachable.
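To illustrate the two recommendations above, here is an added example (not code from MCMS) of an upload handler that checks the zip header bytes, validates every archive entry against an allowlist before anything is written, extracts into a staging directory outside the web root, and publishes the template with a single rename, so the decompress-then-delete window never exists. The allowlist, the 255-character name limit and the sample archives are assumptions constructed for the demonstration.

```python
import io, tempfile, zipfile
from pathlib import Path

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local-file header / empty-archive EOCD
ALLOWED = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif", ".svg", ".woff"}
MAX_NAME = 255  # assumed limit; rejects the over-long names used to slow down deletion

def validate_template_archive(data: bytes) -> list:
    """Return the problems found; empty means acceptable. Touches no files, so no race window."""
    if not data.startswith(ZIP_MAGIC):  # header check, not just the '.zip' extension
        return ["not a zip archive (bad magic bytes)"]
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, p = info.filename, Path(info.filename)
            if len(name) > MAX_NAME:
                problems.append(f"name too long: {name[:40]}...")
            elif p.is_absolute() or ".." in p.parts:
                problems.append(f"path traversal: {name}")
            elif p.suffix.lower() not in ALLOWED:  # deny by default: .jsp, .jspx, no extension
                problems.append(f"disallowed type: {name}")
    return problems

def install_template(data: bytes, staging_root: Path, templates_root: Path, name: str) -> Path:
    """Validate, extract into staging outside the web root, then publish with a single rename."""
    problems = validate_template_archive(data)
    if problems:
        raise ValueError("archive rejected: " + "; ".join(problems))
    staging_root.mkdir(parents=True, exist_ok=True)
    templates_root.mkdir(parents=True, exist_ok=True)
    final = templates_root / name
    if final.exists():
        raise FileExistsError(final)
    staging = Path(tempfile.mkdtemp(prefix="tpl-", dir=staging_root))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(staging)  # runs only after every entry passed validation
    staging.rename(final)  # atomic on POSIX; staging and templates on the same filesystem
    return final

def _make_archive(entries):  # constructed sample data for the demonstration
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries:
            zf.writestr(entry_name, content)
    return buf.getvalue()

SAMPLE_GOOD = _make_archive([("index.html", "<h1>ok</h1>"), ("css/style.css", "body{}")])
SAMPLE_BAD = _make_archive([("index.html", "x"), ("shell.jsp", "<% %>"), ("../evil.html", "x")])
```

Because validation inspects the central directory before extraction, a long-filename archive costs nothing more than a loop over entry names, and a rejected archive never produces a file on disk.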