There is an Arbitrary File Upload vulnerability that can upload a php file and be executed. #13

Open
Tazkimi opened this issue Nov 8, 2019 · 0 comments

Tazkimi commented Nov 8, 2019

You can upload any file as an avatar at "/index.php?m=user&a=avatar". Although the server's response shows that you failed to set the avatar, the file was uploaded, and the file can easily be located by the uid shown in your cookies.

/action/Core.class.php

```php
public function upload() {
    if (!$_REQUEST['uid']) {
        echo Response::json(LACK, array(tip('用户ID不能为空')));
        exit;
    }
    // Only the file name is sanitised here; nothing restricts the file type.
    $_REQUEST['name'] = self::filterName(rawurldecode(self::trimSpace($_REQUEST['name'])));
    if (!$_REQUEST['name']) {
        echo Response::json(LACK, array(tip('文件名不能为空')));
        exit;
    }
    if (!$_REQUEST['type']) {
        if (!file_exists(DATA_DIR)) {
            $res = mkdir(DATA_DIR, 0777, true);
            if (!$res) {
                echo Response::json(FAIL, array(tip('存储目录创建失败')));
                exit;
            }
        }
    }
    if (!file_exists(UP_DIR)) {
        $res = mkdir(UP_DIR, 0777, true);
        if (!$res) {
            echo Response::json(FAIL, array(tip('存储目录创建失败')));
            exit;
        }
    }
    include LIB_PATH . 'plupload' . DS . 'PluploadHandler.php';
    PluploadHandler::no_cache_headers();
    PluploadHandler::cors_headers();
    if (!PluploadHandler::handle(array(
        'target_dir' => UP_DIR,
        // The extension allowlist is commented out, so every file type is accepted.
        //'allow_extensions' => 'jpg,jpeg,png'
    ))) {
        echo Response::json(FAIL, array(tip('上传失败')));
        exit;
    } else {
        echo Response::json(SUCC, array(tip('上传成功')));
    }
}
```

If my logged-in uid is 185 and my uploaded filename is backdoor.php, then http://mywebsite.com/files/18/05/backdoor.php is my actual backdoor.

What's more:
I think it is not good that the line "//'allow_extensions' => 'jpg,jpeg,png'" is commented out.

Tazkimi changed the title from "There is a Arbitrary File Upload vulnerability that can upload a php file and be excuted." to "There is a Arbitrary File Upload vulnerability that can upload a php file and be executed." on Nov 8, 2019
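The reporter's closing remark points at the missing extension allowlist. The following is an added example, not code from this project or from the reporter, showing what a hardened avatar-upload check looks like end to end: an extension allowlist, a content check on the bytes, and a server-generated filename so the client-supplied name never reaches disk. It assumes the upload arrives as `$_FILES['file']` and that `$uploadDir` is served with PHP execution disabled; `storeAvatar` and `ALLOWED_IMAGE` are names chosen for this example.

```php
<?php
// Added example, not the project's code. Assumes the upload arrives as
// $_FILES['file'] and $uploadDir is a directory with PHP execution disabled.

const ALLOWED_IMAGE = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Validate an uploaded avatar and store it under a server-generated name.
 * Returns the stored path, or null when any check fails.
 */
function storeAvatar(array $file, string $uploadDir, int $maxBytes = 2097152): ?string
{
    // PHP-level upload status and origin checks.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > $maxBytes || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Extension allowlist: the equivalent of the commented-out allow_extensions.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE[$ext])) {
        return null;
    }

    // Content check: the MIME type sniffed from the bytes must match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_IMAGE[$ext]) {
        return null;
    }
    // getimagesize() fails on anything that is not a parseable image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // The client-supplied filename never reaches the filesystem.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}
```

The extension check alone mirrors re-enabling `'allow_extensions' => 'jpg,jpeg,png'` in the handler above; the content check and the random name are the layers that still hold if the allowlist is ever loosened again.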