New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Getshell via upload function #335
Comments
|
Well, one |
timbuckingham
added a commit
that referenced
this issue
Apr 30, 2018
|
Thank you! I've updated the Storage class regex to reject htaccess files. |
|
CVE-2018-10574 has been assigned for this vulnerability. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
prerequisite
In the configuration of Apache,
AllowOverrideshould beAllfor web directories so thathtaccessin sub-directories can take effect. However, it is very easy to satisfy because the URL rewrite function also needs it.Rationale
Since BigTree needs to ensure the compatibility, it has to use blacklist to filter the extensions of uploaded files. However, while we cannot upload files ended with "ph*", we can upload some files to change the rule of parsing.
Actually, we can upload a
.htaccessto the server to make any files in the same directory executed as php files.Reproduction
1. Preparation
Prepare two files. One is a file named as
haozheor whatever you want. The other one is.htaccessIn
haozhe:In
.htaccess:Upload Two files
In the page of http://xx/bt3/site/index.php/admin/trees/add/ , click
Browsebutton to upload a file. Upload these two files.It works!
The text was updated successfully, but these errors were encountered: