shopxo_6.4.0_unrestricted file upload vulnerability!

在ThemeDataService.php文件中检查了后缀但缺少对文件内容的检查
The suffix was checked in the ThemeDataService.php file but there was no checking of the file contents
![Image](https://github.com/user-attachments/assets/861b79d7-0040-4dcc-85fc-d03f54fe1fa1)
在thinkphp中html后缀的模板文件也能执行代码
In thinkphp, template files with html extensions can also execute code
举个例子
example

![Image](https://github.com/user-attachments/assets/7286a455-6a6f-4916-bde7-976a922672ee)

![Image](https://github.com/user-attachments/assets/baf4d283-581b-4e98-97af-23f1ef8284d9)

打包并上传
zip this folder, and upload

![Image](https://github.com/user-attachments/assets/3c6dd473-a661-4406-af6d-6dc6f6a409d3)
访问?s=agreement/index/document/userprivacy.html可以看到php代码被执行
requests ?s=agreement/index/document/userprivacy.html you can see the PHP code is executed

![Image](https://github.com/user-attachments/assets/97b507d6-a477-4926-8fb9-a8e261717956)

建议增加对文件内容的过滤
suggestion:add file content filter

[rce.docx](https://github.com/user-attachments/files/18693719/rce.docx)

[payload.zip](https://github.com/user-attachments/files/18693721/payload.zip)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

shopxo_6.4.0_unrestricted file upload vulnerability! #86

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

shopxo_6.4.0_unrestricted file upload vulnerability! #86

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions