shopxo

There is a File upload vulnerability that can getshell

Open lavon321 opened this issue 4 years ago • 0 comments

The file upload vulnerability here lies in the blacklist method used when verifying the suffix of the uploaded file. This verification method is not strict and is often bypassed by attackers in various ways.

The PluginsUpload method in the application\service\PluginsAdminService.php file has a file creation operation, in which the input of the file_put_contents function is controllable.

[image]

Line 1072 checks the file suffix name; here it is a blacklist check.

[image]

The value in the private static variable $exclude_ext is '.php', which can easily be bypassed.

[image]

There are many ways to bypass the blacklist verification of suffix names. Taking my local Windows system environment as an example, you can upload file names that do not conform to the Windows file naming rules:

shell.php::$DATA
shell.php::$DATA…….
shell.php.
shell.php (space)
shell.php:1.jpg

The Windows system will automatically remove the content behind the symbols that do not conform to the rules. You can change the file suffix in the Linux environment and upload it to the website.

Through the audit of the PluginsUpload method in the PluginsAdminService.php file: when the zip archive does not match the resource directory, it will jump out of the loop of reading the archive file.

[image]

[image]

[image]

And the resource directory cannot be 'controller', because the directory corresponding to controller exists, and the compressed package will be closed directly without entering the subsequent file writing operation.

[image]

Finally, the method is called in the Upload method of the application\admin\controller\Pluginsadmin.php file.

[image]

The attacker can upload such a compressed package after logging into the background system.

[image]

And upload the compressed package at Application Center -> Application Management -> Upload Application.

[image]

Visit public\static\upload\file_uploadfile_\shell.php

[image]

In application\service\ThemeService.php there is also the same blacklist verification problem for uploaded files.

[image]

The processing logic is very similar to the above file. After logging in to the system, upload the zip archive at Site Management -> Theme Management -> Theme Installation.

[image]

Visit public\static\index\test.php after uploading.

[image]

lavon321 · Sep 21 '20 11:09
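As an added example (not ShopXO's own code, and not part of this report): a PHP sketch of the weak '.php' blacklist described above beside an allowlist check applied to a normalized filename, run over the names listed in the report. The function names are hypothetical, and the normalization assumes Windows/NTFS behaviour (alternate data stream suffix after ':' and trailing dots or spaces are dropped) as the report describes.

```php
<?php
// Added example, not ShopXO's code. Function names are hypothetical.

// Weak form, modelled on the $exclude_ext = '.php' blacklist in the report:
// it only rejects a name whose final extension is literally "php".
function blacklist_check(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Normalize the name the way the filesystem will before deciding anything:
// strip directory parts, an alternate data stream suffix (":..."), and
// trailing dots/spaces. Assumes Windows/NTFS semantics as described above.
function normalize_name(string $name): string
{
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/:.*$/', '', $name); // "shell.php::$DATA", "shell.php:1.jpg"
    return rtrim($name, ". ");                 // "shell.php.", "shell.php "
}

// Hardened form: an allowlist of extensions expected in a plugin/theme package,
// checked against the normalized name, with exactly one extension permitted.
function allowlist_check(string $name, array $allowed): bool
{
    $name = normalize_name($name);
    if ($name === '' || substr_count($name, '.') !== 1) {
        return false; // also rejects double-extension names
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Constructed sample names, taken from the list in this report plus one benign file.
$allowed = ['css', 'js', 'png', 'jpg', 'gif'];
$samples = ['style.css', 'shell.php::$DATA', 'shell.php.', 'shell.php ', 'shell.php:1.jpg'];
foreach ($samples as $s) {
    printf("%-20s blacklist=%-6s allowlist=%s\n", json_encode($s),
        blacklist_check($s) ? 'pass' : 'reject',
        allowlist_check($s, $allowed) ? 'pass' : 'reject');
}
```

Every name except style.css passes the blacklist and is rejected by the allowlist; the same normalization should be applied to names read out of the zip archive, not only to the upload's own filename.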