English Title: CKCK Navigation System Unrestricted File Upload Leads to Remote Code Execution

---

中文摘要

CKCK Navigation System 的后台上传接口存在安全问题。由于服务端仅根据客户端可控的 MIME 类型校验上传文件，攻击者可以通过构造上传请求绕过文件类型限制，上传任意 PHP 文件，并最终在服务器上执行任意 PHP 代码，形成远程代码执行（RCE）。

English Summary

CKCK Navigation System contains a vulnerability in its administrative upload endpoint. Because the server validates uploaded files only by using the client-controlled MIME type, an authenticated attacker can bypass file type restrictions, upload arbitrary PHP files, and execute arbitrary PHP code on the server, resulting in remote code execution (RCE).

---

漏洞信息 / Vulnerability Information

• 厂商 / Vendor: CKCK
• 产品 / Product: CKCK Navigation System
• 漏洞类型 / Vulnerability Type: Unrestricted File Upload
• 影响 / Impact: Remote Code Execution
• 攻击类型 / Attack Type: Remote
• 受影响组件 / Affected Component: admin/api/upload_image.php
• 受影响版本 / Affected Version: Unknown
• 修复版本 / Fixed Version: Not available

---

漏洞概述 / Overview

该漏洞出现在后台上传功能中。应用程序对上传文件类型的校验依赖客户端提交的 MIME 类型字段，而该字段可由攻击者伪造。因此，攻击者可以将恶意 PHP 文件伪装成允许的图片类型进行上传，并在上传成功后访问该文件以执行任意 PHP 代码。

The vulnerability exists in the administrative file upload functionality. The application validates uploaded files based on the MIME type supplied by the client, which can be spoofed by an attacker. As a result, a malicious PHP file can be disguised as an allowed image type, uploaded successfully, and then accessed to execute arbitrary PHP code.

---

受影响组件 / Affected Component

受影响文件如下：

admin/api/upload_image.php

The affected component is:

admin/api/upload_image.php

---

漏洞成因 / Root Cause

服务端对上传文件的校验逻辑如下：

$allowed_types = ['image/jpeg', 'image/png', 'image/gif'];
if (!in_array($file['type'], $allowed_types)) {
    throw new Exception('不支持的文件类型');
}

上述逻辑仅校验客户端提供的 $file['type']，而该值来源于上传请求中的 MIME 类型字段，可由攻击者任意修改。因此，这种校验方式并不能真正验证文件内容是否为合法图片。

The server-side validation logic is as follows:

$allowed_types = ['image/jpeg', 'image/png', 'image/gif'];
if (!in_array($file['type'], $allowed_types)) {
    throw new Exception('不支持的文件类型');
}

This logic checks only $file['type'], which is derived from the client-supplied MIME type in the upload request and can be manipulated by an attacker. Therefore, this validation does not reliably verify that the uploaded file is actually a legitimate image.

---

攻击向量 / Attack Vector

攻击者可向上传接口发送构造后的 multipart/form-data 请求，并将恶意 PHP 文件的 MIME 类型伪造为允许的图片类型，例如 image/jpeg、image/png 或 image/gif。由于服务端依赖客户端可控字段进行校验，攻击者可以绕过文件类型限制并完成恶意文件上传。

An authenticated attacker can send a crafted multipart/form-data request to the upload endpoint and spoof the MIME type of a malicious PHP file as an allowed image type such as image/jpeg, image/png, or image/gif. Because the server relies on a client-controlled field for validation, the attacker can bypass file type restrictions and upload a malicious file.

---

利用条件 / Exploitation Conditions

成功利用通常需要满足以下条件：

1. 攻击者能够访问后台上传接口；
2. 攻击者具备后台认证权限；
3. 上传后的文件位于 Web 可访问目录；
4. 服务器会解析并执行上传的 PHP 文件；
5. 根据测试，后台存在默认管理员口令 admin/admin888，这会降低利用门槛。

Successful exploitation generally requires the following conditions:

1. The attacker can access the administrative upload endpoint;
2. The attacker has administrative authentication;
3. The uploaded file is stored in a web-accessible directory;
4. The server executes uploaded PHP files;
5. Based on testing, the administrative interface uses the default credentials admin/admin888, which lowers the exploitation barrier.

---

复现过程 / Reproduction Steps

中文复现

1. 访问管理员登录页面：

http://example.com/admin/login.php

2. 使用默认管理员口令登录后台：

admin/admin888

3. 进入后台后，选择弹窗管理页面并点击进入管理。

4. 在 LOGO 设置或背景图片设置区域中，选择“方式二：上传本地图片”。

5. 先选择一个正常小图片进行上传并抓包，保持请求中的文件类型字段为允许的图片 MIME 类型；随后将文件内容替换为 PHP 代码，并将文件后缀修改为 .php。

6. 服务端返回上传成功的 JSON 数据，其中包含上传后的文件路径：

{"status":"success","url":"\/uploads\/6a33afbd7861e.php","message":"文件上传成功"}

7. 访问返回的文件 URL，即可触发服务器解析并执行上传的 PHP 代码：

http://example.com/uploads/6a33afbd7861e.php

English Reproduction

1. Access the administrative login page:

http://example.com/admin/login.php

2. Log in with the default administrator credentials:

admin/admin888

3. After authentication, open the popup management page.
4. In the LOGO or background image configuration area, choose the option to upload a local image.
5. Start with a legitimate small image upload and intercept the request. Keep the file type field as an allowed image MIME type, then replace the file content with PHP code and change the file extension to .php.
6. The server returns a JSON response containing the uploaded file path:

{"status":"success","url":"\/uploads\/6a33afbd7861e.php","message":"文件上传成功"}

7. Access the returned file URL to trigger server-side execution of the uploaded PHP code:

http://example.com/uploads/6a33afbd7861e.php

---

证据 / Evidence

中文证据

1. 白盒代码审计

漏洞代码片段截图：

完整代码：

<?php
require_once __DIR__ . '/../config.php';
require_once __DIR__ . '/../auth_check.php';

header('Content-Type: application/json');

try {
    if (!isset($_FILES['image'])) {
        throw new Exception('没有上传文件');
    }

    $file = $_FILES['image'];
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new Exception('文件上传失败');
    }

    // 检查文件类型
    $allowed_types = ['image/jpeg', 'image/png', 'image/gif'];
    if (!in_array($file['type'], $allowed_types)) {
        throw new Exception('不支持的文件类型');
    }

    // 创建上传目录
    $upload_dir = __DIR__ . '/../../uploads/';
    if (!is_dir($upload_dir)) {
        mkdir($upload_dir, 0755, true);
    }

    // 生成唯一文件名
    $extension = pathinfo($file['name'], PATHINFO_EXTENSION);
    $filename = uniqid() . '.' . $extension;
    $filepath = $upload_dir . $filename;

    // 移动文件
    if (!move_uploaded_file($file['tmp_name'], $filepath)) {
        throw new Exception('文件保存失败');
    }

    // 返回文件URL
    $file_url = '/uploads/' . $filename;
    echo json_encode([
        'status' => 'success',
        'url' => $file_url,
        'message' => '文件上传成功'
    ]);

} catch (Exception $e) {
    echo json_encode([
        'status' => 'error',
        'message' => $e->getMessage()
    ]);
}

2. 上传目录状态

uploads 目录结构如下：

根据测试，目标上传目录中未见 .htaccess 等限制性文件，因此用户上传的 .php 文件可直接落地并被访问执行。

3. 关键利用证据

• 后台登录页面：/admin/login.php
• 默认管理员口令：admin/admin888
• 上传成功响应返回 Web 可访问路径：/uploads/6a33afbd7861e.php
• 访问该路径后，服务器成功执行上传的 PHP 代码。

English Evidence

1. White-box code review

Code screenshot:

The upload handler validates only the client-controlled MIME type, preserves the attacker-controlled extension derived from the original file name, stores the file under the web-accessible /uploads/ directory, and returns the uploaded file URL in the JSON response.

2. Upload directory status

The uploads directory structure is shown below:

Based on testing, no restrictive .htaccess or equivalent execution control was present in the target upload directory, allowing uploaded .php files to be directly accessed and executed.

3. Key exploitation evidence

• Administrative login page: /admin/login.php
• Default administrator credentials: admin/admin888
• Successful upload response returns a web-accessible path: /uploads/6a33afbd7861e.php
• Accessing the returned path causes the server to execute the uploaded PHP code.

---

安全影响 / Security Impact

成功利用该漏洞后，攻击者可以在目标服务器上执行任意 PHP 代码，从而导致远程代码执行。根据服务器环境和权限配置，攻击者可能进一步：

• 获取 WebShell；
• 读取或篡改站点文件；
• 窃取敏感信息；
• 持久化控制目标系统；
• 横向影响站点业务与数据安全。

Successful exploitation allows an attacker to execute arbitrary PHP code on the target server, resulting in remote code execution. Depending on the server environment and privilege model, the attacker may further:

• Obtain a web shell;
• Read or modify site files;
• Steal sensitive information;
• Establish persistence;
• Compromise site operations and data security.

---

修复建议 / Mitigation

建议采取以下修复措施：

1. 不要信任客户端提供的 MIME 类型；
2. 在服务端基于文件内容进行类型检测，例如使用 finfo_file()；
3. 严格限制允许上传的文件扩展名；
4. 对上传文件进行随机重命名；
5. 将上传目录设置为不可执行；
6. 在 Web 服务器层面禁止上传目录中的脚本解析执行。

Recommended mitigations:

1. Do not trust the client-supplied MIME type;
2. Validate the actual file content on the server side, for example with finfo_file();
3. Strictly restrict allowed file extensions;
4. Randomize uploaded file names;
5. Make the upload directory non-executable;
6. Prevent script execution in the upload directory at the web server level.

---

时间线 / Timeline

• 2026-06-18：漏洞发现与验证
• 2026-06-18：开始整理漏洞细节
• 2026-06-18：提交 CVE 申请
• 2026-06-XX：公开披露

Timeline:

• 2026-06-18: Vulnerability discovered and verified
• 2026-06-18: Vulnerability details documented
• 2026-06-18: CVE request submitted
• 2026-06-XX: Public disclosure

---

致谢 / Credits

漏洞发现者 / Discoverer:

LawKing Security Research

---

参考链接 / References

https://lawking.top/2026/06/18/ckck-navigation-system-file-upload-rce/

---

免责声明 / Disclaimer

本文档仅用于安全研究、漏洞通报和修复参考，旨在帮助相关方识别并修复安全问题。

This document is provided for security research, vulnerability reporting, and remediation purposes only, to help relevant parties identify and fix the issue.