VULHUB ™

### 简要描述： 第二集 ### 详细说明： espcms后台可以在后台把php设为允许的图片类型，然后在广告位上传图片处上传shell(此处方便演示，用了phpinfo) 1.在后台把php文件设为允许的图片类型 ``` http://127.0.0.1/espcms/adminsoft/index.php?archive=management&action=syssetting&listfunction=syssetting&groupid=&iframeheightwindow=621&iframewidthwindow=1430 ``` [<img src="https://images.seebug.org/upload/201306/04201505f51da6817582ab776ff801ef36cd0684.jpg" alt="a01.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201306/04201505f51da6817582ab776ff801ef36cd0684.jpg) 2.广告位添加图片处，上传shell ``` http://127.0.0.1/espcms/adminsoft/index.php?archive=advertmain&action=advertadd&atid=1&type=add&freshid=0.8400494705419987&iframename=jerichotabiframe_0&iframeheightwindow=621&iframewidthwindow=1245 ``` [<img src="https://images.seebug.org/upload/201306/042016253a392f0a3a94b6b0e1e1714a41ad12d6.jpg" alt="a02.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201306/042016253a392f0a3a94b6b0e1e1714a41ad12d6.jpg)...

### 简要描述： 第二集 ### 详细说明： espcms后台可以在后台把php设为允许的图片类型，然后在广告位上传图片处上传shell(此处方便演示，用了phpinfo) 1.在后台把php文件设为允许的图片类型 ``` http://127.0.0.1/espcms/adminsoft/index.php?archive=management&action=syssetting&listfunction=syssetting&groupid=&iframeheightwindow=621&iframewidthwindow=1430 ``` [<img src="https://images.seebug.org/upload/201306/04201505f51da6817582ab776ff801ef36cd0684.jpg" alt="a01.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201306/04201505f51da6817582ab776ff801ef36cd0684.jpg) 2.广告位添加图片处，上传shell ``` http://127.0.0.1/espcms/adminsoft/index.php?archive=advertmain&action=advertadd&atid=1&type=add&freshid=0.8400494705419987&iframename=jerichotabiframe_0&iframeheightwindow=621&iframewidthwindow=1245 ``` [<img src="https://images.seebug.org/upload/201306/042016253a392f0a3a94b6b0e1e1714a41ad12d6.jpg" alt="a02.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201306/042016253a392f0a3a94b6b0e1e1714a41ad12d6.jpg) 3.看看成果 [<img src="https://images.seebug.org/upload/201306/04201708b338bbdda84311175736da87fa49d046.jpg" alt="a03.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201306/04201708b338bbdda84311175736da87fa49d046.jpg) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201306/04201708b338bbdda84311175736da87fa49d046.jpg" alt="a03.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201306/04201708b338bbdda84311175736da87fa49d046.jpg)