
emlog pro2.3.2 File upload to getshell.md


emlog pro introduction

emlog is a lightweight blog and CMS system based on PHP and MYSQL.

Vulnerability description

In the emlog pro project, a zip file can be uploaded at admin/views/plugin.php, and after decompression there is no filtering or analysis of the content. A compressed file containing a PHP file can therefore be uploaded and decompressed onto the server, resulting in getshell.

Project address: https://github.com/emlog/emlog

The code audit found no filtering at the upload and decompression points. Analysis shows that the upload succeeds as long as the folder in the compressed package and the file name in that folder are the same.

Vulnerability reproduction

Download emlog pro2.3.2 (latest version) and use phpstudy to set up the environment and create a database. Place the downloaded project in the root directory of phpstudy.

Then go to http://localhost/emlogpro2.3.2/install.php for installation and configuration. After the installation is complete, log in using the account and password that were set.

The vulnerability is located in the plugin installation function.

Construct a zip package. Note: the zip package must contain a folder, and the folder and the file name must be the same, as in 123/123.php.

Click Install Plugin to upload 123.zip. After the installation succeeds, go to http://localhost/emlog2.3.2/content/plugins/123/123.php. The PHP file was successfully uploaded and parsed.
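A pre-install inspection of a plugin archive, as an added example (not code from emlog or from this write-up): it reports whether an archive matches the folder/folder.php layout described above and which files would become reachable under content/plugins/ if extracted without filtering. The function names, the extension list and the sample archive are assumptions made for illustration.

```python
import io
import posixpath
import zipfile

# Assumption: extensions a PHP-enabled web server may execute; adjust to the server config.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
PLUGIN_ROOT = "content/plugins/"  # extraction target seen in the reproduction URL


def inspect_plugin_zip(data: bytes) -> dict:
    """Describe what an unfiltered extraction of this archive would place on disk."""
    report = {"matches_layout": False, "executable": [], "web_paths": [], "unsafe_paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    for name in names:
        norm = posixpath.normpath(name.replace("\\", "/"))
        # Entries that would escape the plugin directory are reported separately.
        if norm.startswith("/") or norm == ".." or norm.startswith("../"):
            report["unsafe_paths"].append(name)
            continue
        parts = norm.split("/")
        # Layout from the write-up: <folder>/<folder>.php, e.g. 123/123.php.
        if len(parts) == 2 and parts[1] == parts[0] + ".php":
            report["matches_layout"] = True
        if posixpath.splitext(norm)[1].lower() in EXECUTABLE_EXTS:
            report["executable"].append(norm)
            report["web_paths"].append(PLUGIN_ROOT + norm)
    return report


def build_sample() -> bytes:
    """Constructed sample archive with harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("123/123.php", "<?php /* constructed placeholder */")
        zf.writestr("123/readme.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_plugin_zip(build_sample()).items():
        print(f"{key}: {value}")
```

Running the same inspection over archives kept from past plugin installs, or over the current contents of content/plugins/, shows which server-executable files were introduced through this path.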

The affected version

emlog pro 2.3.x