The Vuln-src-code:
imcat\core\clib\comUpload.php -> checkType() -> strpos(), because strpos() cannot match .php+
imcat\core\clib\comUpload.php -> upEnd() -> in_array(), because in_array() is only used to check whether or not the filename has jpg, so we can upload 1.php+ .jpg to bypass the filtering.
Describe the bug
Upload php files to control the target server
Exploit vulnerability:
Upload malicious PHP file here:
url:127.0.0.1/root/run/adm.php?
PHP file name: 2.php+ 1.jpg
Use Burp Suite, modify hex 20 -> 00:

before modification:
after modification:

connect PHP file:


127.0.0.1//xvars/dtmp/@udoc/7b443e5134f395f674ca890ce982e8fd/2020-5w-pja9.php+
Credit: @chaitin Tech.
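A defensive counterpart to the two checks named in the report, as an added example that is not imcat's own code: it rejects control bytes, compares only the final extension against an exact allow-list, refuses script-like inner segments, and never reuses the client's text in the stored name. The function name, the allow-list and the blocked-segment list are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not imcat's comUpload code.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];          // assumed policy
const BLOCKED_SEGMENTS = ['php', 'phtml', 'phar'];          // assumed deny hints

/** Returns a server-generated storage name, or null if the client name is rejected. */
function safeUploadName(string $clientName): ?string
{
    // Reject NUL and other control bytes outright: a 0x00 inside the name
    // (the "20 -> 00" edit in the report) must never reach the filesystem layer.
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        return null;
    }
    // Drop any directory part supplied by the client.
    $base = basename(str_replace('\\', '/', $clientName));
    $parts = explode('.', $base);
    if (count($parts) < 2) {
        return null;
    }
    // Decide on the FINAL extension only, compared exactly (no substring match).
    $ext = strtolower(array_pop($parts));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Refuse inner segments that begin with a script extension ("php+ 1", "PHP5").
    array_shift($parts); // the first element is the stem, not an extension
    foreach ($parts as $seg) {
        foreach (BLOCKED_SEGMENTS as $bad) {
            if (stripos(ltrim($seg), $bad) === 0) {
                return null;
            }
        }
    }
    // Never reuse client-supplied text in the stored name.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the two file names quoted in the report.
$samples = ["photo.jpg", "2.php+ 1.jpg", "2.php+\x001.jpg", "1.php+ .jpg", "a.php", "x.JPG"];
foreach ($samples as $name) {
    $out = safeUploadName($name);
    printf("%-20s => %s\n", addcslashes($name, "\0..\37"), $out ?? 'REJECTED');
}
```

Name validation is complementary to serving the upload directory with script execution disabled.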