Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
File Upload vulnerability in PHPOK 5.7.140
Enter the background and switch to development mode in the upper right corner
Click Install Application - Import and upload a zip-compressed php file
# 1.php <?php phpinfo();?>
After easily completing the upload, visit the path _app/ and find what we uploaded
_app/
This creates a serious file upload vulnerability
The upload first calls the zip function without any censorship or filtering of its contents, thus resulting in an arbitrary file upload
/** * 制作压缩包 * @参数 $dir,支持单个文件,目录及数组 * @参数 $saveName,保存的ZIP文件名 **/ public function zip($dir, $saveName) { if(@!function_exists('gzcompress')){ return false; } ob_end_clean(); $filelist = array(); if(is_array($dir)){ $filelist = $dir; }else{ if(!file_exists($dir)){ return false; } if(is_file($dir)){ $filelist = array($dir); }else{ $this->filelist($filelist,$dir); } } if(count($filelist) < 1){ return false; } if(class_exists('ZipArchive')){ $obj = new ZipArchive(); $obj->open($saveName,ZipArchive::OVERWRITE|ZipArchive::CREATE);//创建一个空的zip文件 foreach($filelist as $file){ if(!file_exists($file) || !is_file($file)){ continue; } $name = substr($file,strlen($this->dir_root)); $obj->addFile($file,$name); } $obj->close(); return true; } foreach($filelist as $file){ if(!file_exists($file) || !is_file($file)){ continue; } $fd = fopen($file, "rb"); $content = @fread($fd, filesize($file)); fclose($fd); $file = substr($file, strlen($this->dir_root)); if(substr($file, 0, 1) == "\\" || substr($file, 0, 1) == "/"){ $file = substr($file, 1); } $this->addFile($content, $file); } $out = $this->file(); $fp = fopen($saveName, "wb"); fwrite($fp, $out, strlen($out)); fclose($fp); }
After uploading the zip, unzip was called to decompress it, again without any filtered review content
public function unzip($file,$to='') { if(class_exists('ZipArchive')){ $zip = new ZipArchive; $zip->open($file); $zip->extractTo($to); $zip->close(); return true; } ...
The text was updated successfully, but these errors were encountered:
No branches or pull requests
File Upload vulnerability in PHPOK 5.7.140
PoC
Enter the background and switch to development mode in the upper right corner
Click Install Application - Import and upload a zip-compressed php file
After easily completing the upload, visit the path
_app/and find what we uploadedThis creates a serious file upload vulnerability
Analysis
The upload first calls the zip function without any censorship or filtering of its contents, thus resulting in an arbitrary file upload
After uploading the zip, unzip was called to decompress it, again without any filtered review content
The text was updated successfully, but these errors were encountered: