Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
  1. Audit the /inc/classReqUrl.php file, in the function UseCurl, call the curl_exec function to execute a curl session, only the $url parameter can be controlled, which can cause ssrf vulnerabilities image
  2. Follow up to /admin/info_deal.php image
  3. Follow up the AddOrRev function, the $img parameter is controllable image
  4. $img parameter input method

image
5. Follow up to \inc\classOT.php, the $img parameter is passed in through POST, and there is no filtering measure image image
6. Continue to follow up the SaveRemoteFile function image
7. The second parameter is brought into the GetUrlContent function, followed by the GetUrlContent function image
8. Similarly, follow up the UseAuto function according to the introduction of controllable parameters, and pass in 3 parameters here: 0, GET, $url image

  • POC:
    POST /admin/info deal.php?mudi=add isSavelmg=1&img=URL&theme=1&typeStr=1&time=1

image