File upload vulnerability in xinhu 2.2.1 (the upload has a whitelist)
Vulnerability analysis: A file whose suffix is outside the whitelist is renamed to the uptemp suffix and is assigned an id attribute, and the content of the uploaded file is base64 encoded.

However, in webmain\task\runt\qcloudCosAction.php (Tencent cloud storage), the run method of qcloudCosClassAction restores both the suffix and the content.

The idea of this vulnerability is therefore to upload the file, capture the request to obtain the id of the uploaded webshell, and then visit the URL below with that id, which restores the content of the PHP file.

Step 1: Upload the file and capture the request, using a one-line webshell named 666.php. The content is as follows
Step 2: Visit http://www.xinhu2.com:81/task.php?m=qcloudCos|runt&a=run&fileid=19

The response shows the file path, and a PHP file with the same name is generated.
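For defenders, the restore request in Step 2 has a recognisable query string (m=qcloudCos|runt, a=run, fileid). The following is an added example, not code from the original page or from the xinhu project: it scans web server access-log lines for that request. The log lines are constructed samples in combined log format, and the function name is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format); client addresses are
# documentation ranges and "example|runt" is a made-up module name.
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2024:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:09:01:10 +0000] "GET /task.php?m=qcloudCos|runt&a=run&fileid=19 HTTP/1.1" 200 88',
    '203.0.113.7 - - [01/Jan/2024:09:01:15 +0000] "GET /task.php?m=qcloudCos%7Crunt&a=run&fileid=20 HTTP/1.1" 200 88',
    '198.51.100.4 - - [01/Jan/2024:09:02:00 +0000] "GET /task.php?m=example|runt&a=run HTTP/1.1" 200 12',
]

# client address, request target and status code of one log line
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def find_restore_requests(lines):
    """Return {client_ip: [fileid, ...]} for requests that call the
    qcloudCos restore task (m=qcloudCos|runt, a=run) with a fileid."""
    hits = {}
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target, _status = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("task.php"):
            continue
        # parse_qs percent-decodes values, so %7C and a raw "|" compare equal.
        query = parse_qs(url.query)
        module = query.get("m", [""])[0].lower()
        action = query.get("a", [""])[0].lower()
        fileid = query.get("fileid", [""])[0]
        if module == "qcloudcos|runt" and action == "run" and fileid:
            hits.setdefault(client, []).append(fileid)
    return hits


if __name__ == "__main__":
    for client, ids in find_restore_requests(SAMPLE_LOG).items():
        print(f"{client} requested restore of file ids {', '.join(ids)}")
```

Each reported fileid can then be compared against the uploads that were renamed to the uptemp suffix, since those are the files the run method restores.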