
There is an arbitrary file upload vulnerability in the HYBBS upload plugin function

Open · shmilylty opened this issue 3 years ago · 1 comment


Vulnerability overview

There is an arbitrary file upload vulnerability in the upload-plugin function of the HYBBS management background, which can lead to obtaining server permissions.

Vulnerability scope

All versions prior to HYBBS 2.3.3

Vulnerability environment construction

Clone the latest HYBBS code repository to a local machine, then use phpstudy to build HYBBS.

Vulnerability reproduction steps

Make a malicious zip archive as shown below.

[screenshot 2022-02-07-16-46-39]

Upload the malicious zip archive via the upload-plugin function of the management background.

[screenshot 2022-02-07-16-50-42]

After uploading, it prompts that the upload was successful.

[screenshot 2022-02-07-16-52-20]

It can be seen from the log of the folder monitoring software that HYBBS renamed the malicious archive and extracted it into the Plugin directory.

[screenshot 2022-02-07-16-54-43]

[screenshot 2022-02-07-16-57-40]

Vulnerability code analysis

Locate the code of the plugin upload function.

[screenshot 2022-02-07-17-13-57]

[screenshot 2022-02-07-17-14-07]

HYBBS directly decompresses the archive without checking its contents, resulting in an arbitrary file upload vulnerability.

shmilylty · Feb 07 '22 10:02
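The report's finding is that the backend plugin uploader unpacks any archive it receives straight into the Plugin directory without inspecting it. The following is an added example written for this page, not HYBBS code and not from the reporter: it shows the kind of content inspection a defender would place in front of that extraction. Since a plugin for a PHP application legitimately contains PHP files, the check does not try to block by extension; instead it enforces structure, which is what an unpacking routine can actually verify: every entry must stay inside a single top-level plugin directory, no entry may be absolute, contain '..' or be a symlink, a manifest must be present, and the total uncompressed size is capped. The manifest name plugin.json, the size cap, and the sample archives are assumptions constructed for the example.

```python
"""Added example (not HYBBS code): inspect a plugin zip before unpacking it."""
import io
import pathlib
import posixpath
import shutil
import stat
import tempfile
import zipfile
from typing import Dict, List, Optional

MANIFEST_NAME = "plugin.json"               # assumed manifest file name
MAX_UNCOMPRESSED_BYTES = 20 * 1024 * 1024   # assumed cap against decompression bombs


def _safe_relative(name: str) -> Optional[str]:
    """Normalise an entry name; return None if it could escape the extraction root."""
    if "\x00" in name or name.startswith(("/", "\\")):
        return None
    norm = posixpath.normpath(name.replace("\\", "/"))
    first = norm.split("/")[0]
    if norm in (".", "..") or norm.startswith("../") or ":" in first:
        return None
    return norm


def inspect_plugin_archive(data: bytes) -> List[str]:
    """Return the problems found; an empty list means the archive may be extracted."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    problems: List[str] = []
    top_levels = set()
    manifest_seen = False
    total = 0
    with zf:
        for info in zf.infolist():
            rel = _safe_relative(info.filename)
            if rel is None:
                problems.append(f"entry escapes the plugin directory: {info.filename!r}")
                continue
            # Unix mode lives in the high 16 bits; a symlink could point outside the tree.
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append(f"symlink entry not allowed: {info.filename!r}")
                continue
            parts = rel.split("/")
            top_levels.add(parts[0])
            if len(parts) == 2 and parts[1] == MANIFEST_NAME:
                manifest_seen = True
            total += info.file_size
    if len(top_levels) != 1:
        problems.append(f"expected one top-level plugin directory, found {sorted(top_levels)}")
    if not manifest_seen:
        problems.append(f"no {MANIFEST_NAME} in the plugin directory")
    if total > MAX_UNCOMPRESSED_BYTES:
        problems.append(f"uncompressed size {total} exceeds {MAX_UNCOMPRESSED_BYTES}")
    return problems


def extract_plugin_archive(data: bytes, dest_dir: str) -> List[str]:
    """Extract only after inspection passes; return the relative paths written."""
    problems = inspect_plugin_archive(data)
    if problems:
        raise ValueError("; ".join(problems))
    dest = pathlib.Path(dest_dir).resolve()
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rel = _safe_relative(info.filename)
            target = (dest / rel).resolve()
            if dest not in target.parents:   # second line of defence after the name check
                raise ValueError(f"refusing to write outside {dest}: {info.filename!r}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(rel)
    return written


def build_archive(entries: Dict[str, bytes]) -> bytes:
    """Construct an in-memory zip from {entry name: content}; test data, not a real plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a well-formed plugin, and one whose entry climbs out of its directory.
GOOD_ENTRIES = {"demo/plugin.json": b"{}", "demo/index.php": b"<?php // placeholder"}
ESCAPING_ENTRIES = {"demo/plugin.json": b"{}", "demo/../../outside.txt": b"constructed"}


def demo() -> List[str]:
    """Extract the well-formed sample into a temporary directory and return what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_plugin_archive(build_archive(GOOD_ENTRIES), tmp)


if __name__ == "__main__":
    print("good archive:", inspect_plugin_archive(build_archive(GOOD_ENTRIES)))
    print("escaping archive:", inspect_plugin_archive(build_archive(ESCAPING_ENTRIES)))
    print("extracted:", demo())
```

The name check and the post-resolve parent check are deliberately redundant: the first rejects the archive before anything touches disk, the second guards the actual write in case a later refactor loosens the first. Structural checks like these reduce what an uploaded archive can do to the filesystem, but they do not make plugin upload safe for untrusted users; because a plugin is code, the upload itself has to remain restricted to authenticated administrators and, ideally, to archives whose integrity has been verified.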

Uploading in the backend requires an administrator; ordinary users do not have the permission.

daniuwo · Feb 26 '22 09:02