taogogo / taocms

taoCMS is an incredibly tiny CMS (Content Management System), written in PHP and supporting MySQL/SQLite as the database (MIT License)

File upload vulnerability by modifying the Upload.php configuration in the backend #35

Open xiaoabai opened 1 year ago

xiaoabai commented 1 year ago

This is the latest 3.0.2 version of taocms.

The exploitation is organized into two steps:

Step 1: Auditing the source code "include/Model/Upload.php", line 33, the filename extension can be controlled by modifying the variable "upext":

image

Following up in "include/Model/File.php", line 75, there is a $this->realpath, which comes from $this->path, and $this->path can be passed in through the GET parameter (where SYS_ROOT is the root directory of the website):

image

Here any changes to the variable "upext" or the file "Upload.php" can be saved by the method "save", which is located at "include/Model/File.php", line 73:

image

At this stage, you can add the "php" filename extension to the variable "upext" and click "save" to save it:

image

Step 2: Next, you can upload any PHP file to the system:

image

The new a.php file is successfully uploaded:

image

Once you have uploaded the file, you can open it through the path "http://www.taocms.com:9090/a.php" and get a shell on this system:

image
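The report above chains two weaknesses: the upload extension allowlist lives in a PHP file that the backend file editor can rewrite, and the editor's save path is taken from a request parameter. The following is an added example of how a maintainer could harden both points; it is not taocms code, the function names, the allowlist contents and the `$editableRoot` argument are assumptions, and it is shown here for defensive illustration only.

```php
<?php
// Added example (not from the taocms project): hardened versions of the two
// checks the report shows being bypassed. Names and lists are assumptions.

declare(strict_types=1);

// 1. Keep the upload allowlist in code that ships with the application, not in
//    a file the backend editor can rewrite at runtime.
const UPLOAD_ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];

// Extensions the web server may execute. Never accepted, not even as an inner
// component of a multi-dot name such as "a.php.jpg".
const UPLOAD_EXEC_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess'];

function isAllowedUploadName(string $filename): bool
{
    // Strip any directory part the client may have sent, then split on dots.
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension at all, or a dotfile like ".htaccess"
    }
    $ext = array_pop($parts);
    if (!in_array($ext, UPLOAD_ALLOWED_EXT, true)) {
        return false; // final extension must be on the allowlist
    }
    foreach ($parts as $inner) {
        if (in_array($inner, UPLOAD_EXEC_EXT, true)) {
            return false; // reject "shell.php.jpg" style names outright
        }
    }
    return true;
}

// 2. The file editor's save target must stay inside the directory it is meant
//    to manage, so a request parameter cannot point it at include/Model/Upload.php
//    or anywhere else in the source tree. Returns the resolved path or null.
function resolveEditablePath(string $editableRoot, string $userPath): ?string
{
    $root = realpath($editableRoot);
    if ($root === false) {
        return null;
    }
    $candidate = $editableRoot . DIRECTORY_SEPARATOR . $userPath;
    $target = realpath($candidate);
    if ($target === false) {
        // New file: the parent directory must exist and be inside the root.
        $dir = realpath(dirname($candidate));
        if ($dir === false) {
            return null;
        }
        $target = $dir . DIRECTORY_SEPARATOR . basename($candidate);
    }
    // Require the root as a strict prefix (with separator) to stop "../" escapes
    // and sibling directories that merely share a name prefix with the root.
    if (strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Usage sketch (constructed values):
// isAllowedUploadName('photo.jpg')     -> true
// isAllowedUploadName('a.php')         -> false
// isAllowedUploadName('a.php.jpg')     -> false
// resolveEditablePath('/var/www/site/templates', '../include/Model/Upload.php') -> null
```

The first function closes the hole even if an attacker gains backend access, because there is no runtime-editable `upext` value to append "php" to; the second keeps the editor from writing outside its own directory regardless of what is submitted in the path parameter. Both should run server-side on every request; neither replaces storing uploads outside the web root or serving them with script execution disabled.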