In the back end, on the article edit page, the bottom-most option is "Save remote files locally" (将远程文件保存到本地). The vulnerable code is in yzmphp/core/function/global.func.php#grab_image().

When an article is modified or added with "save remote files locally" selected, the grab_image function is entered. It regex-matches the img tags in the article content, extracts the link and saves it in $val=$value, then uses strpos to check whether the link contains http; if not, it returns directly (meaning this is not an external image link). It then reads from right to left up to the first dot, using it as the separator to get the extension, and validates the extension against a whitelist; the extension here can be bypassed with 1.php?2.jpg. Next comes the vulnerable point: readfile reads the file content, which is then saved to a jpg file. If readfile raises a warning or error while reading the file, it jumps to the error-handling function.

payload:

This can be used to probe intranet ports and IPs.

At the same time, this is also a file-read vulnerability, except that reading php files may raise an error. Trying to read config.php errors out because the YZMPHP_PATH variable is not declared.
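The extension check the report describes, sketched beside a hardened version, as an added illustration that is not YzmCMS code; the function names, the whitelist contents and the cURL-based fetch are assumptions for the example.

```php
<?php
// Added illustration, not YzmCMS code; names and whitelist are assumptions.

// Flaw as described: the extension is taken after the last dot of the raw URL,
// so "http://host/1.php?2.jpg" yields "jpg" and passes the whitelist.
function vulnerable_ext(string $url): string {
    return strtolower(substr($url, strrpos($url, '.') + 1));
}

// Hardened: take the extension from the URL path only, allow http(s) only,
// and reject hosts that resolve to loopback/private/reserved addresses (SSRF).
function check_remote_image_url(string $url, array $allowed = ['jpg', 'jpeg', 'png', 'gif']): bool {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;                                   // no file://, php://, etc.
    }
    $ext = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION)); // query string ignored
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    $ip = gethostbyname($p['host']);                    // returns host unchanged on failure
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        return false;                                   // unresolvable hostname
    }
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Fetch with cURL instead of readfile(): no redirects (a 302 could point at an
// internal address), a timeout, and a sanity check that the body is an image.
function fetch_remote_image(string $url, string $dest): bool {
    if (!check_remote_image_url($url)) return false;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);
    $data = curl_exec($ch);
    curl_close($ch);
    if ($data === false || @getimagesizefromstring($data) === false) return false;
    return file_put_contents($dest, $data) !== false;
}
```

The resolve-then-fetch gap still leaves room for DNS rebinding; pinning the checked address with CURLOPT_RESOLVE closes it.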