RCE Vulnerability in tpAdmin
Project: https://github.com/yuan1994/tpAdmin
tpadmin is a management background based on the official version of ThinkPHP5.0 and Hui.admin v2.5.
So far, the project has 437 stars and 186 forks on github.
An arbitrary file upload vulnerability exists in tpadmin, allowing an attacker to take over server privileges.
Note:
If you want to deploy the system:
After downloading the project, use composer to download the required dependencies (it is recommended to modify composer.json first)
Just modify the following part:
"require": {
"php": ">=5.4.0",
"topthink/framework": "5.0.7",
"topthink/think-captcha": "1.0.7",
"qiniu/php-sdk": "7.1.3",
"phpoffice/phpexcel": "1.8.2",
"yuan1994/tp-mailer": "0.2.4"
Then execute composer update or composer install
If you still cannot access the page, refer to thinkphp’s official deployment manual:
https://www.kancloud.cn/manual/thinkphp5/129745
https://www.kancloud.cn/manual/thinkphp5/177576
Visit and log in to the background, for example: http://192.168.159.134/admin/pub/login.html
Username:admin
Password:123456
Vulnerable file: application\admin\controller\Upload.php

The file upload function in this controller does not set the file format filter, so that the webshell can be uploaded.

Click to upload webshell, and get the url path in the http return package


GETSHELL.