Vulnerability Summary

Vulnerability ID: #11
Product: MCMS (Mingfei CMS)
Affected Version: 6.1.1
Vulnerability Type: Race condition (rendered in the source as "conditional flaw (conditional competition)")
Risk Level: High (potential shell exploit)

Vulnerability Description:
The template zip upload function in the main branch of MCMS (corresponding to version 6.1.1) has a race condition between unpacking the archive and deleting disallowed files, which can lead to a shell exploit.

Vulnerability Proof:
1. Verification process:
   - Deploy the system using the Tomcat WAR package.
   - Log in with the default username: and password: .
2. Preparation:
   - Build a compressed file containing malicious code.
   - The script creates multiple TXT files with excessively long JSP filenames, slowing down decompression and deletion.
   - The malicious JSP files contain a WebShell trojan.
3. Script usage:
   - A Python script quickly accesses the uploaded malicious JSP files.
   - The Python script creates a WebShell within the compressed package.
4. Yakit packet capture:
   - Ensures successful packet capture for multiple attempts.
5. Godzilla command execution:
   - Confirms that command execution succeeds, indicating a potential system compromise.

Vulnerability Code Analysis:
The code checks file extensions but not file headers, so the check can be bypassed. The gap between decompression and the deletion check allows a JSP script to be uploaded and to generate a WebShell.

Other Dangers:
The method can cause extensive damage and data acquisition on the system, leaving backdoors.

Recommendations:
Strengthen detection of compressed file types. Make the decompression and deletion operations atomic to prevent the race condition.
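The two recommendations above (check the archive type, and remove the gap between unpacking and deletion) shown side by side with the flawed flow, as an added example; this is not MCMS code, and the allowlist of template file types, the directory layout, the staging-directory placement and all function names are assumptions. The flawed flow writes every entry into the served tree and cleans up afterwards, so a disallowed file is briefly reachable; the hardened flow checks the zip header and every entry's name from the central directory before anything is written, unpacks into a staging directory that is not served, and moves the whole tree into place with a single rename, so a disallowed file never exists under the web root at any instant.

```python
import io
import os
import shutil
import tempfile
import zipfile

# Assumed allowlist for a template archive: static assets only, never server-executed files.
ALLOWED_EXTENSIONS = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif", ".svg"}
ZIP_MAGIC = b"PK\x03\x04"      # local-file-header signature of a zip archive
MAX_ENTRY_NAME_LEN = 255       # assumed limit; rejects the very long names the report mentions
MAX_ENTRIES = 10000            # assumed limit on archive size


def build_sample_template_zip(include_disallowed: bool = True) -> bytes:
    """Constructed sample input: a small template archive, optionally carrying a .jsp entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html>template</html>")
        zf.writestr("css/style.css", "body {}")
        if include_disallowed:
            zf.writestr("shell.jsp", "<%-- placeholder text, not a payload --%>")
    return buf.getvalue()


def served_files(webroot: str) -> list:
    """Relative paths of every file currently under the served directory."""
    found = []
    for root, _, files in os.walk(webroot):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), webroot)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)


# --- the pattern the report describes: unpack into the served tree, then delete ---

def extract_all(data: bytes, webroot: str) -> None:
    """Step 1 of the flawed flow: every entry, allowed or not, lands in the served tree."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(webroot)


def delete_disallowed(webroot: str) -> None:
    """Step 2 of the flawed flow: remove what should never have been written.
    Between step 1 and step 2 a disallowed file is reachable; that gap is the race."""
    for root, _, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
                os.remove(os.path.join(root, name))


# --- hardened flow: validate, stage outside the served tree, then one atomic rename ---

def safe_install_template(data: bytes, webroot: str, template_name: str) -> str:
    """Install a template archive so that no disallowed file ever exists under webroot."""
    if not data.startswith(ZIP_MAGIC):
        raise ValueError("not a zip archive: bad header")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        if len(entries) > MAX_ENTRIES:
            raise ValueError("rejected archive: too many entries")
        # Validate every name from the central directory before writing a single byte.
        for info in entries:
            if len(info.filename) > MAX_ENTRY_NAME_LEN:
                raise ValueError(f"rejected archive: entry name too long ({len(info.filename)})")
            if info.is_dir():
                continue
            if os.path.splitext(info.filename)[1].lower() not in ALLOWED_EXTENSIONS:
                raise ValueError(f"rejected archive: disallowed entry {info.filename!r}")
        # Staging directory sits beside webroot (assumed not served) and on the same
        # filesystem, so the final os.rename is a single atomic directory move.
        parent = os.path.dirname(os.path.abspath(webroot))
        staging = tempfile.mkdtemp(prefix=".tpl-staging-", dir=parent)
        try:
            staging_real = os.path.realpath(staging)
            for info in entries:  # standard containment check for any extractor
                target = os.path.realpath(os.path.join(staging, info.filename))
                if os.path.commonpath([staging_real, target]) != staging_real:
                    raise ValueError(f"rejected archive: entry escapes staging dir {info.filename!r}")
            zf.extractall(staging)
            dest = os.path.join(webroot, template_name)
            os.rename(staging, dest)  # caller handles an already-present template
            return dest
        except Exception:
            shutil.rmtree(staging, ignore_errors=True)
            raise


def run_demo() -> dict:
    """Run both flows on the constructed archive in a throwaway directory and
    report what was observable under each web root at each step."""
    base = tempfile.mkdtemp(prefix="template-upload-demo-")
    results = {}
    bad = build_sample_template_zip(include_disallowed=True)
    web_flawed = os.path.join(base, "web-flawed")
    os.makedirs(web_flawed)
    extract_all(bad, web_flawed)
    results["window_files"] = served_files(web_flawed)  # reachable before cleanup runs
    delete_disallowed(web_flawed)
    results["after_cleanup"] = served_files(web_flawed)
    web_hardened = os.path.join(base, "web-hardened")
    os.makedirs(web_hardened)
    try:
        safe_install_template(bad, web_hardened, "demo")
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    results["hardened_after_reject"] = served_files(web_hardened)
    good = build_sample_template_zip(include_disallowed=False)
    safe_install_template(good, web_hardened, "demo")
    results["hardened_after_install"] = served_files(web_hardened)
    shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The contrast the demo makes visible is the one the report relies on: in the flawed flow `window_files` contains `shell.jsp` until `delete_disallowed` runs, while in the hardened flow the archive is rejected before anything touches the web root, and a clean archive appears under `webroot/demo` in one step. Rejecting the whole archive rather than silently skipping bad entries also keeps oversized or padded archives from consuming unpack time on the server.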