File Upload #4

Closed
JuneRainBlog opened this issue Jun 2, 2020 · 3 comments

@JuneRainBlog
JuneRainBlog commented Jun 2, 2020

Describe the bug
Upload php files to control the target server

Exploit vulnerability:
Upload malicious PHP file here:
url:127.0.0.1/root/run/adm.php?
PHP file name: 2.php+ 1.jpg

Use Burp Suite, modify hex 20 -> 00:
Before modification: [screenshot]

After modification: [screenshot]

Connect to the PHP file:
127.0.0.1//xvars/dtmp/@udoc/7b443e5134f395f674ca890ce982e8fd/2020-5w-pja9.php+

The vulnerable source code:
imcat\core\clib\comUpload.php -> checkType() -> strpos(), because strpos() cannot match .php+
imcat\core\clib\comUpload.php -> upEnd() -> in_array(), because in_array() is only used for checking whether or not the filename has jpg, so we can upload 1.php+ .jpg to bypass filtering.

Credit: @chaitin Tech.
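
Added example (not part of the issue, and not imcat's comUpload.php or its fix): one way to close the gap the report describes is to refuse control bytes, match the final extension exactly against an allowlist, and store the file under a server-generated name. The function name `safeUploadName`, the allowlist and the sample names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper for illustration; not imcat code.
// Returns a server-generated file name, or null when the upload is refused.
function safeUploadName(string $clientName, array $allowedExts): ?string
{
    // Refuse NUL and other control bytes outright. The report changes
    // 0x20 to 0x00 in the name and ends up with a stored file ending ".php+".
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName) === 1) {
        return null;
    }
    // Keep only the last path component, then take the final extension.
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));

    // Exact, strict comparison against an allowlist; no substring search
    // for "php" or "jpg" anywhere in the name.
    if ($ext === '' || !in_array($ext, $allowedExts, true)) {
        return null;
    }
    // The stored name is random plus the allowlisted extension, so nothing
    // typed by the client (".php+", spaces, extra dots) reaches the disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, modelled on the ones in the report.
$samples = [
    "photo.JPG",
    "2.php+ 1.jpg",
    "2.php+\x00 1.jpg",
    "1.php+ .jpg",
    "shell.php",
];
foreach ($samples as $name) {
    $stored = safeUploadName($name, ['jpg', 'jpeg', 'png', 'gif']);
    // addcslashes makes the NUL byte visible in the printed name.
    printf("%-20s => %s\n", addcslashes($name, "\0..\37"), $stored ?? 'REJECTED');
}
```

Names that still end in an allowlisted extension are accepted but renamed to `<random>.jpg`, so the `.php+` fragment never becomes part of the stored path; the NUL-byte variant and `shell.php` are rejected.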

@peacexie
Owner

peacexie commented Jun 5, 2020

Thanks!

Replace the file imcat\core\clib\comUpload.php with the attachment;
Can it stop you from attacking?

comUpload.zip

@JuneRainBlog
Author

Yes! Already fixed.

@peacexie
Owner

peacexie commented Jun 5, 2020

OK, I fixed it in the master branch already.

@peacexie peacexie closed this as completed Jun 5, 2020