**Vulnerability Summary:**

- **Vulnerability ID:** #11
- **Product:** MCMS (Mingfei CMS)
- **Affected Version:** 6.1.1
- **Vulnerability Type:** Race Condition
- **Risk Level:** High (can lead to a webshell)

**Vulnerability Description:**

The template zip upload function at `/ms/file/uploadTemplate.do` in the main branch of MCMS (corresponding to version 6.1.1) contains a race condition that can be abused to obtain a webshell.

**Vulnerability Proof:**

1. **Verification Process:**
   - Deploy the system using the Tomcat WAR package.
   - Log in with the default credentials: username `msopen`, password `msopen`.
2. **Preparation:**
   - Create a zip archive containing malicious code.
   - A script generates many TXT files with excessively long JSP filenames, which slows down the decompression and deletion steps.
   - The malicious JSP files contain a WebShell.
3. **Script Usage:**
   - A Python script rapidly requests the uploaded malicious JSP files.
   - The same script embeds the WebShell in the zip archive.
4. **Yakit Packet Capture:**
   - The captured traffic confirms success across multiple attempts.
5. **Godzilla Command Execution:**
   - Successful command execution is confirmed, showing that the system is compromised.

**Vulnerability Code Analysis:**

- The code checks the file extension but does not validate the file header, so the `checkZip` method can be bypassed.
- The time window between decompression and deletion gives an attacker the chance to request the extracted JSP script before it is removed, yielding a WebShell.

**Other Dangers:**

- Once a shell is obtained (`getShell`), it can cause widespread damage and data exfiltration and leave persistent backdoors on the system.

**Recommendations:**

- Strengthen detection of the uploaded archive type (validate the file content, not only the extension).
- Make decompression and deletion atomic so that no race window exists.