taocms
A malicious file upload vulnerability exists in File.php of the file management function module.
The affected version is 3.0.2, the latest version of taocms.
Exploitation takes two steps:
Step 1:
Auditing the source code in E:\xxx\taocms-3.0.2\include\Model\File.php, line 96 shows a possible arbitrary file creation vulnerability:
Tracing $this->realpath shows that it is derived from $this->path, and $this->path can be passed in through a GET parameter (SYS_ROOT is the root directory of the website):
A request can then be constructed to create a new file, test.php:
The new test.php is created successfully:
Step 2:
In the same file, E:\xxx\taocms-3.0.2\include\Model\File.php, line 77 shows a possible arbitrary file write vulnerability:
Both the written content, $_POST['filedata'], and the target file, $this->realpath (described above), are attacker-controllable, so a request can be constructed that writes a webshell:
The connection to the webshell succeeds.
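Both steps depend on a request-supplied path being joined to SYS_ROOT and used as the create/write target without validation. The following is an added hardening sketch, not taocms code: the function name `safe_target`, the extension allow-list and the demo directory are assumptions, and the sample paths are constructed.

```php
<?php
// Added example, not taocms code. Names and the allow-list are assumptions.
const ALLOWED_EXT = ['txt', 'html', 'css', 'js']; // non-executable types only

// Resolve a request-supplied relative path to a write target under $root,
// or throw. Works for files that do not exist yet (the "new file" case).
function safe_target(string $root, string $userPath): string
{
    $rootReal = realpath($root);
    if ($rootReal === false || strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('bad root or NUL byte in path');
    }
    $candidate = $rootReal . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');

    // Canonicalise the parent directory so ".." and symlinks are resolved
    // before the containment check, not after.
    $parent = realpath(dirname($candidate));
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($parent === false ||
        strpos(rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR, $prefix) !== 0) {
        throw new InvalidArgumentException('path escapes the managed root');
    }

    // Strict file name: one dot, one extension. This rejects "a.php.txt",
    // trailing dots, and NTFS stream syntax such as "a.php:x.txt".
    $name = basename($candidate);
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m) ||
        !in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('file name or extension not allowed');
    }

    $target = $parent . DIRECTORY_SEPARATOR . $name;
    if (is_link($target)) {
        throw new InvalidArgumentException('refusing to write through a symlink');
    }
    return $target; // caller then uses file_put_contents($target, $data, LOCK_EX)
}

// Demo with constructed inputs in a throwaway directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . getmypid();
@mkdir($root . DIRECTORY_SEPARATOR . 'template', 0700, true);
foreach (['template/index.html', '../outside.txt', 'template/test.php', 'template/a.php.txt'] as $p) {
    try {
        echo $p, ' => ', safe_target($root, $p), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $p, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only `template/index.html` resolves to a target; the traversal path, the `.php` name and the double-extension name are rejected. Path validation does not replace authentication and CSRF protection on the file management endpoints.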