A arbitrary file upload vulnerability in jizhicms v1.5

Vulnerability Information


The CMS background content management editor has a file uploading vulnerability. By modifying the background file upload parameter: the “Allow upload file suffix” section, you can bypass the restrictions on php file upload by cms, and then pass the Trojan horse and the getshell


1.Attack Vector:Network
2.Attack Complexity: Low
3.Privileges Required: High, need rights of admin
4.User Interaction: None
5.Confidentiality: High
6.Integrity: High
7.Availability: High


1.This is the upload config page of jizhicms v1.5 in background content management,which we can see the “Allow upload file suffix” section

2.add “php” in “Allow upload file suffix” section

3.And then,goto “内容管理”-“内容列表”-“新增内容”-“上传图片”,and choose a webshell to upload(with suffix of .jpg)

4.capture the packet of upload request,and change the suffix to “.php”,as we can see in the follow jpg,the webshell is upload success

5.use “AntSword” to connect the webshell

6.connect success,this vulnerabilitie was identified