In lines 14 to 28 of course_insert.php:

```php
// $file_store already holds the path of the file moved into courseimg/ in lines 10-13
$s=mysqli_query($con,"insert into course(c_name,duration,fees,photo) values('$cname','$drn','$fee','$file_store')");
if($s==1)
{
    // re-read the new row to build its course id from the auto-increment id
    $t=mysqli_query($con,"select * from course where c_name='$cname'");
    $r=mysqli_fetch_array($t);
    $id=$r['id'];
    $i=100+$id;
    $uid="BTT/CRS/".$i;
    $udt=mysqli_query($con,"update course set c_id='$uid' where c_name='$cname'");
    header("location:courseinsert.php?ms=done");
}
else
{
    header("location:courseinsert.php?ms=not_done");
}
```
Build environment: Apache 2.4.39; MySQL 5.7.26; PHP 7.3.4
1. File upload vulnerability
In the file admin_area/courseinsert.php, lines 234-239 of the code:
After entering the information and clicking the button, the form sends the information to course_insert.php by POST. Following up the code:
course_insert.php:
In lines 10 - 13:
$_FILES receives the file information uploaded by POST, and $file_store
defines the file storage location. In this process the uploaded file type is not verified; move_uploaded_file()
is used to move every uploaded file into the courseimg/ directory.
In lines 14 to 28 (the code block quoted at the top of this report):
mysqli_query returns the execution result of the database statement, so $s is the value returned by executing the SQL statement. If the SQL statement executes successfully it returns true, so $s==1, and once the new row has been inserted the URL redirects to courseinsert.php?ms=done.
Otherwise the URL redirects to courseinsert.php?ms=not_done.
To sum up: during the upload process the file is first written to the local courseimg directory, and only then is the path of the successfully uploaded file saved in the database.
Therefore, even if the upload is not recorded in the database, the uploaded file is still saved in the courseimg/ directory under the current path, which is admin_area/courseimg/.
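As an added example (not the project's own code), this is how the unchecked move_uploaded_file() step described above can be hardened: the type is decided from the file bytes, the client-supplied filename is discarded, and a server-chosen name with an allowlisted extension is stored. The form field name "photo", the 2 MB cap and the image allowlist are assumptions.

```php
<?php
// Added example, not the project's own code: a hardened replacement for the
// unchecked move_uploaded_file() step in course_insert.php. The field name
// "photo", the 2 MB cap and the image allowlist are assumptions.
function store_course_photo(array $file, string $uploadDir): ?string
{
    // Only handle a file PHP received without error, via an actual upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        return null;
    }
    // Derive the type from the bytes, never from the client-supplied
    // filename or $file['type'], both of which the uploader controls.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if ($mime === false || !isset($allowed[$mime])) {
        return null;
    }
    // Second opinion: the content must actually decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Server-chosen name and extension; the original filename is discarded,
    // so a name such as ace.php can never become the stored filename.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name; // persist this name in the photo column
}

// Handler usage (assumed field name):
// $stored = store_course_photo($_FILES['photo'], __DIR__ . '/courseimg');
// if ($stored === null) {
//     header('location:courseinsert.php?ms=not_done');
//     exit;
// }
```

Pair this with a web-server rule that serves courseimg/ as static content only (on Apache 2.4, a `<Directory>` block for courseimg/ containing `<FilesMatch "\.php$">Require all denied</FilesMatch>`), so that a stored file is never executed even if a later check is bypassed.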
Upload-POC:
After sending the POC request, check the admin_area/courseimg/ directory: a PHP file named ace has been created there.
Connect using the webshell administration tool