
FastAdmin Front-End File Upload Vulnerability Explained



Vulnerable code: application\api\controller\Common.php. Trigger URL: /index/ajax/upload. Precondition: `chunking` in application\extra\upload.php must be set to true (chunked upload enabled).
Reproduction process
Vulnerable point analysis. All of the following POST parameters must be present:
1. chunkid
2. action
3. chunkindex
4. chunkcount
5. filename
The chunk function is called as chunk($chunkid, $chunkindex, $chunkcount); this enters the chunked file upload path.
Following the chunk function:
1. First, $destDir = RUNTIME_PATH . 'chunks', where RUNTIME_PATH = ROOT_PATH . 'runtime' . DS (DS is the system's directory separator)
2. $fileName = $chunkid-$chunkindex.part // both $chunkid and $chunkindex are user-controlled
3. $destDir = $destDir . DS . $fileName // the final file path
4. Check whether the RUNTIME_PATH/chunks directory exists; create it if it does not
5. Move the temporary uploaded file into RUNTIME_PATH/chunks
The merge function is then triggered, which is where the shell gets written. This requires the action parameter to be merge.
First, the chunkDir variable comes from the figure below: $chunkDir = RUNTIME_PATH . 'chunks'
1. $filePath = RUNTIME_PATH . 'chunks' . DS . $chunkid // the $chunkid parameter is user-controlled
2. Loop according to the $chunkcount variable
3. Check whether the file $filePath-$i.part exists
4. If it exists, create a file under /runtime/chunks named by $filePath: $destFile = @fopen($uploadPath, "wb")
5. Lock the file
6. Loop according to the $chunkcount parameter // $chunkcount is user-controlled
7. $partFile = $filePath-$i.part
8. Read $partFile in a loop and write its contents to $filePath
9. After reading, delete the part files, release the file lock, and close the file handle
Exploit analysis:
As for why the shell path here is the web root: that is simply how this exploit was written.
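A hardened version of the parameter handling and path construction analysed above, added here as an illustration (this is not FastAdmin's own code; CHUNK_ROOT, ALLOWED_EXT and the function names are assumptions). It validates chunkid, chunkindex, chunkcount and filename before any path is built, so none of them can steer the .part or merged file outside the chunk directory:

```php
<?php
// Added example (not FastAdmin's code); CHUNK_ROOT, ALLOWED_EXT and function names are assumptions.
const CHUNK_ROOT  = '/var/www/runtime/chunks';   // stands in for RUNTIME_PATH . 'chunks'
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];
function validateChunkParams(string $chunkid, string $chunkindex, string $chunkcount): array
{
    // The vulnerable code concatenates $chunkid into the path verbatim; here it
    // may only be an opaque token, so separators, '..' and NUL never reach a path.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $chunkid)) {
        throw new InvalidArgumentException('invalid chunkid');
    }
    // chunkindex/chunkcount drive the loops: unsigned integers only, index < count.
    if (!ctype_digit($chunkindex) || !ctype_digit($chunkcount)) {
        throw new InvalidArgumentException('chunkindex/chunkcount must be unsigned integers');
    }
    $index = (int) $chunkindex;
    $count = (int) $chunkcount;
    if ($count < 1 || $count > 10000 || $index >= $count) {
        throw new InvalidArgumentException('chunkindex/chunkcount out of range');
    }
    return [$chunkid, $index, $count];
}
function partPath(string $chunkid, int $index): string
{
    // Same "$chunkid-$chunkindex.part" naming as the post, built only from validated
    // input; the prefix check is defence in depth should the regex ever be loosened.
    $path = CHUNK_ROOT . DIRECTORY_SEPARATOR . $chunkid . '-' . $index . '.part';
    if (strpos($path, CHUNK_ROOT . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('part path escapes chunk directory');
    }
    return $path;
}
function mergedFileName(string $filename): string
{
    // Never reuse the client name for the merged file: allow-list the extension
    // and generate the basename server-side, so no script can be written.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}
try {
    [$id, $i, $n] = validateChunkParams('abc123', '0', '3');
    echo partPath($id, $i), ' -> ', mergedFileName('photo.png'), PHP_EOL;
    validateChunkParams('a/b', '0', '1');   // rejected: not an opaque token
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```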
Reference links