Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

I found that the background can getshell #12

Closed
p0desta opened this issue Oct 30, 2018 · 2 comments
Closed

I found that the background can getshell #12

p0desta opened this issue Oct 30, 2018 · 2 comments

Comments

@p0desta
Copy link

p0desta commented Oct 30, 2018

Background GETCHELL

Description: The background can upload a compressed package, uncompressed without filtering, and getshell.

Put a webshell in the archive and upload it.


Then we can access the corresponding directory to getshell.

Code analysis

See line 188 of admin_component.php

if (in_array($exp[1], array('zip'))) {
move_uploaded_file($_FILES['fupload']['tmp_name'], '../'.DIR_CON.'/uploads/'.$componentName);
if (file_exists('../'.DIR_CON.'/'.$folderinstall.'/'.strtolower($this->postring->valid($_POST['component'], 'xss')))) {
    unlink('../'.DIR_CON.'/uploads/'.$componentName);
    $this->poflash->error($GLOBALS['_']['component_message_3'], 'admin.php?mod=component');
} else {
    $archive = new PoPclZip('../'.DIR_CON.'/uploads/'.$componentName);
    if ($archive->extract(PCLZIP_OPT_PATH, '../'.DIR_CON.'/'.$folderinstall.'/'.strtolower($this->postring->valid($_POST['component'], 'xss'))) == 0) {
        unlink('../'.DIR_CON.'/uploads/'.$componentName);
        $this->poflash->error($GLOBALS['_']['component_message_3'], 'admin.php?mod=component');
    }

Only judge whether the upload is a zip archive, if it is directly decompressed, the directory to be extracted is

$archive->extract(PCLZIP_OPT_PATH, '../'.DIR_CON.'/'.$folderinstall.'/'.strtolower($this->postring->valid($_POST['component'], 'xss'))
@DwiraSurvivor
Copy link
Contributor

Terima kasih untuk temuan ini. Kami sebagai pengembang akan segera memperbaiki masalah ini di versi berikutnya.

@DwiraSurvivor
Copy link
Contributor

DwiraSurvivor commented Dec 18, 2019

Sudah diperbaiki pada versi 3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants