Vulnerability description
The CMS background content management editor has a file upload vulnerability. By modifying the background file upload parameter (the "Allow upload file suffix" section), you can bypass the CMS's restrictions on PHP file upload, and then upload the Trojan horse and get a shell.
PoC
1. Log in to the backstage as the admin.
2. Add the value 'php' to 'upload_file_ext', which is a CMS parameter used to limit the upload suffix. (Note: use two 'php' to bypass the limit, e.g. php,php)
![2](https://user-images.githubusercontent.com/37264975/43495818-c0c6e880-956c-11e8-8f82-1cd3fd476aec.png)
![3](https://user-images.githubusercontent.com/37264975/43495985-69e9bc62-956d-11e8-9b26-a1a3d99f637b.png)
url: admin.php/admin/configset/index/group/upload.html
3. Go to any page editing section and choose the upload function.
![4](https://user-images.githubusercontent.com/37264975/43496181-907d9e92-956e-11e8-96f0-a861b3fdb3d8.png)
![5](https://user-images.githubusercontent.com/37264975/43496185-936e0510-956e-11e8-8ecd-bf5e3d230cac.png)
![6](https://user-images.githubusercontent.com/37264975/43496190-965092fc-956e-11e8-80ca-c2a49f542ed3.png)
![7](https://user-images.githubusercontent.com/37264975/43496191-98af20f4-956e-11e8-8e94-8b064e6330d9.png)
First, change the suffix of a PHP Trojan to .txt (Note: to pass the limit).
Second, click the button to save the upload file.
Next, use Burp Suite to capture and modify the packet: change the suffix to .php, add some arbitrary string before the file content (Note: to pass the file header check), and then upload it!
4. The last step: connect to the Trojan.
![8](https://user-images.githubusercontent.com/37264975/43496209-baa87638-956e-11e8-8e2d-da849aa68098.png)
![9](https://user-images.githubusercontent.com/37264975/43496211-bcf878d4-956e-11e8-9e61-1b293c705697.png)
Success!
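
A server-side check aimed at the two gaps this report relies on (a configurable allowlist that can end up containing `php`, and a suffix check that does not apply to the name finally stored), as an added example that is not part of the original issue or the CMS's own code. It assumes `upload_file_ext` is a comma-separated string; the function names, the denylist contents and the sample values are hypothetical.

```php
<?php
// Extensions a PHP-enabled server may execute. They are never accepted,
// whatever the admin-editable upload_file_ext setting contains.
const EXECUTABLE_EXTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht', 'phps'];

/** Turn the raw upload_file_ext setting into the allowlist actually enforced. */
function effective_allowlist(string $setting): array
{
    $exts = [];
    foreach (explode(',', $setting) as $ext) {
        $ext = strtolower(trim($ext, " \t\r\n."));
        // Every entry is checked on its own, so a repeated value such as
        // "php,php" is rejected each time instead of only once.
        if (preg_match('/^[a-z0-9]+$/', $ext) && !in_array($ext, EXECUTABLE_EXTS, true)) {
            $exts[$ext] = true;   // array key also removes duplicates
        }
    }
    return array_keys($exts);
}

/**
 * Decide on the file name received by the server in the upload request.
 * This is the name that will be written to disk, so a suffix changed in
 * transit is what gets checked. Leading bytes of the content are not
 * consulted: a "file head" match says nothing about how the file will be served.
 */
function upload_allowed(string $submittedName, string $setting): bool
{
    $name = strtolower(basename(str_replace('\\', '/', $submittedName)));
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    $parts = explode('.', $name);
    array_shift($parts);                        // drop the base name
    foreach ($parts as $segment) {              // reject x.php and x.php.txt alike
        if (in_array($segment, EXECUTABLE_EXTS, true)) {
            return false;
        }
    }
    return $parts !== [] && in_array(end($parts), effective_allowlist($setting), true);
}

// Constructed sample input: the setting value described in step 2.
$setting = 'jpg,png,txt,php,php';
echo 'allowlist: ', implode(',', effective_allowlist($setting)), PHP_EOL;
foreach (['note.txt', 'note.php', 'note.php.txt', 'note'] as $candidate) {
    echo $candidate, ' => ', upload_allowed($candidate, $setting) ? 'accept' : 'reject', PHP_EOL;
}
```

Storing accepted files under a server-generated name in a directory where script execution is disabled limits the impact if a check like this is ever bypassed.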