Zfaka Backend RCE(All version) #260
Comments

Use PHP7.2+

thanks you are so nice
In the backend file upload, Zfaka has only a single JS check, in \public\res\layui\lay\modules\upload.js.
There is no filtering of the file extension, only this one front-end JS check, so disabling JS directly allows backend RCE.
The backend upload controller is located in \application\modules\Admin\controllers\Products.php.
The upload path is not returned after the file is uploaded, but we already know the upload path and the naming rule of the uploaded file.
UPLOAD_PATH is defined as follows
CUR_DATE is defined as follows
File name
Taking 21:05 as an example, the output is as follows
Take 21:05:44 on May 26, 2021 as an example
The full file path is
http://www.xxx.com/res/upload/2021-05-26/210444.php
Construct the form directly
At the same time, you need to add the Referer header: http://xxx.top/Admin/products/imgurl/?id=1 , and modify the
Otherwise, "please select product ID" will be prompted
Finally, the complete upload HTTP request is as follows
Direct upload succeeded
Then run through the seconds with Burp Suite Intruder
After all, the seconds value can't be that accurate
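The report boils down to a missing server-side control: the only check is client-side JS, the extension is never filtered, and the stored name is derived from the clock. The following is an added example, not Zfaka's own code, showing the checks a PHP upload handler can enforce instead: a server-side extension allowlist, MIME sniffing of the actual bytes with finfo, a parse check with getimagesize, and a CSPRNG-generated file name with no date/time component. The function name, class name and demo file names are hypothetical.

```php
<?php
// Added example, not Zfaka's code: the server-side checks the report says the
// upload handler lacks. Names here (store_image_upload, UploadRejected) are hypothetical.
declare(strict_types=1);

final class UploadRejected extends RuntimeException {}

/**
 * Validate an uploaded image and store it under an unguessable name.
 * $tmpPath / $originalName stand in for $_FILES['file']['tmp_name'] / ['name'].
 * In a real request handler use move_uploaded_file() instead of copy().
 */
function store_image_upload(string $tmpPath, string $originalName, string $destDir): string
{
    // 1. Extension allowlist enforced on the server; browser-side JS is not a control.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new UploadRejected("extension not allowed: '$ext'");
    }

    // 2. Sniff the real MIME type from the bytes; never trust the client's Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== $allowed[$ext]) {
        throw new UploadRejected("content is $mime, not {$allowed[$ext]}");
    }

    // 3. The bytes must actually parse as an image.
    if (@getimagesize($tmpPath) === false) {
        throw new UploadRejected('not a valid image');
    }

    // 4. Server-chosen random name: nothing time-based to enumerate, and the
    //    extension comes from the allowlist rather than from the client.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_dir($destDir) && !mkdir($destDir, 0750, true)) {
        throw new RuntimeException("cannot create $destDir");
    }
    if (!copy($tmpPath, $destDir . '/' . $name)) {
        throw new RuntimeException('store failed');
    }
    return $name;
}

// --- Demo with constructed inputs (run from the CLI) ---
$dir = sys_get_temp_dir() . '/upload_demo';
// A real 1x1 PNG, base64-encoded (constructed sample input).
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');

$cases = [
    ['logo.png',   $png],            // accepted
    ['210444.php', '<?php echo 1;'], // rejected at step 1: extension
    ['shell.png',  '<?php echo 1;'], // rejected at step 2: bytes are not image/png
];
foreach ($cases as [$origName, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    try {
        $stored = store_image_upload($tmp, $origName, $dir);
        echo "$origName -> stored as $stored\n";
    } catch (UploadRejected $e) {
        echo "$origName -> rejected: {$e->getMessage()}\n";
    } finally {
        unlink($tmp);
    }
}
```

The third case is the one that matters for this report: a PHP script renamed to .png passes the extension check but fails the content check, so the server never accepts script bytes. Pair this with storing uploads in a directory the web server serves without script execution, so that even a bypass of the validation does not yield code execution.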