OS:windows
CRMEB version:3.1.0+
download time: 2020/1/18
Search for a keyword like "上传文件非法"; it is in the file /crmeb/crmeb/services/UploadService.php at line 410.

In the file() function, it calls getOriginalExtension() at line 409. getOriginalExtension() is at line 130 of the file /crmeb/vendor/topthink/framework/src/think/file/UploadedFile.php.

From the code point of view, the check only compares the suffix name it obtains, and no filtering is performed.
First, you need to add a configuration item for file upload like this.

The contents of the configuration items are as follows.

Open the file upload configuration item in settings, and it looks like this.

In this operation, you can see that there is an option named fileuPload; it was created in Step 1. Then you can click it and upload a file there.
Then I uploaded a file named shell.jpg, with content like this.
<?php
phpinfo();
?>
and modified the file extension to .php::$DATA when uploading, like this. Because the characters ::$DATA are automatically ignored on Windows, the check can be bypassed with them.

It will respond with a URI like this.

http://127.0.0.1/uploads/config/file/20200119/f97d96036a769ae2d3154b591304f1df.php
Access this URL and you will get a shell on this web server.

Filter ::$DATA.
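
A sketch of a stricter check than filtering ::$DATA alone, as an added example that is not part of the original report and not CRMEB's code. The helper names safeUploadExtension() and storedName(), the allow-list and the sample file names are all assumptions made for illustration.

```php
<?php
// Added example, not CRMEB code: hypothetical helpers for validating an upload name.

/**
 * Return a lower-case allow-listed extension for a client-supplied file name,
 * or null when the name must be rejected.
 */
function safeUploadExtension(string $clientName, array $allowed): ?string
{
    // Keep only the last path component; clients may send full paths.
    $name = basename(str_replace('\\', '/', $clientName));

    // Reject NTFS stream syntax ("x.php::$DATA", "x.jpg:y") and control bytes.
    if ($name === '' || preg_match('/[:\x00-\x1f]/', $name)) {
        return null;
    }

    // Windows drops trailing dots and spaces on create, so "a.php." lands as "a.php".
    if ($name !== rtrim($name, '. ')) {
        return null;
    }

    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));

    // Allow-list instead of block-list; strict comparison avoids type juggling.
    return in_array($ext, $allowed, true) ? $ext : null;
}

/** Build the on-disk name server-side so no client-supplied text reaches the file system. */
function storedName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs.
$allowed = ['jpg', 'jpeg', 'png', 'gif'];
$samples = ['photo.JPG', 'shell.php::$DATA', 'shell.jpg::$DATA',
            'shell.php.', 'shell.php ', 'a.jpg:b.php', 'noext'];

foreach ($samples as $s) {
    $ext = safeUploadExtension($s, $allowed);
    printf("%-18s => %s\n", $s, $ext === null ? 'rejected' : 'stored as ' . storedName($ext));
}
```

Only photo.JPG is accepted; every other sample is rejected before a file name is generated.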
Oh my god... doesn't this mean it's easy to get a trojan planted?
Upload validation needs to be enabled at line 403 of CRMEB\crmeb\app\admin\controller\setting\SystemConfig.php
setAutoValidate(true)