1. Log in to the website backend (url: /index.php/admin/passport/login.html).
2. Add the php file extension: System -> site config -> upload -> image extension.
3. Upload malicious scripts through the upload interface (use Burp to bypass the JS detection).
4. Get the path of the uploaded file.
5. Get shell.
Code audit

/application/admin/controller/Upload.php, uploadFile():

```php
public function uploadFile()
{
    // get the file uploaded via the form
    $file = Request::file('file');
    $uploadObj = new UploadFile($this->site_id);
    $ret = $uploadObj->upload($file, 'image');
    if ($ret) {
        return $this->response(200, '上传成功', $ret);
    } else {
        return $this->response(201, $uploadObj->getError());
    }
}
```
Follow up function: upload() in /application/common/model/UploadFile.php. According to the 16th line of Upload.php, the second parameter of the upload function is `image`.

```php
public function upload($file, $fileType = 'image')
{
    // validate file type and size
    switch ($fileType) {
        case 'image':
            $result = $file->check([
                'ext'  => $this->config['upload_image_ext'],
                'size' => $this->config['upload_image_size'] * 1024
            ]);
            if (empty($result)) {
                // upload failed, fetch the error message
                $this->error = $file->getError();
                return false;
            }
            break;
        .....
```
Follow up function: check() in thinkphp/library/think/File.php. `$rule` has been modified to: `{ext => "jpg,png,gif,php", size => 2097152}`

```php
public function check($rule = [])
{
    $rule = $rule ?: $this->validate;
    if ((isset($rule['size']) && !$this->checkSize($rule['size']))
        || (isset($rule['type']) && !$this->checkMime($rule['type']))
        || (isset($rule['ext']) && !$this->checkExt($rule['ext']))
        || !$this->checkImg()) {
        return false;
    }
    return true;
}
```
The file size will not exceed the maximum, `php` is in the whitelist of file extensions, and `$rule['type']` is not set, so follow the function checkImg():

```php
public function checkImg()
{
    $extension = strtolower(pathinfo($this->getInfo('name'), PATHINFO_EXTENSION));
    /* strict check for image files */
    if (in_array($extension, ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf'])
        && !in_array($this->getImageType($this->filename), [1, 2, 3, 4, 6, 13])) {
        $this->error = 'illegal image files';
        return false;
    }
    return true;
}
```
The value of the variable `$extension` is `php`, so the first half of the conditional statement is false. The function checkImg() returns true, and check() returns true.
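A hardened form of the upload check, added here as an example and not code from the project or from ThinkPHP. It closes both gaps shown above: executable extensions are dropped from the allowlist even when an administrator has added them to the image extension setting, and the content check runs for every file rather than only for names ending in an image extension. The function name isSafeImageUpload and the extension lists are assumptions.

```php
<?php
// Added hardening example (not the project's code). Two changes relative to
// the check()/checkImg() logic discussed above:
//  1. server-executable extensions are rejected even if present in the
//     admin-editable "image extension" setting;
//  2. the content check runs for every upload, not only for names that
//     end in an image extension.

// Extensions a web server may hand to the PHP interpreter (assumed list).
const EXECUTABLE_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess'];

// IMAGETYPE_* values accepted as real images (note: no SWF).
const IMAGE_TYPES = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_BMP, IMAGETYPE_WEBP];

/**
 * @param string $originalName client-supplied file name (untrusted)
 * @param string $tmpPath      path of the uploaded temporary file on disk
 * @param string $configExt    the admin setting, e.g. "jpg,png,gif,php"
 */
function isSafeImageUpload(string $originalName, string $tmpPath, string $configExt): bool
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($ext === '') {
        return false;
    }
    // Normalise the configured allowlist and strip anything executable from it,
    // so a config change alone can never re-enable script uploads.
    $allowed = array_map('trim', explode(',', strtolower($configExt)));
    $allowed = array_diff($allowed, EXECUTABLE_EXT);
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    // Content check for every file: getimagesize() returns false unless the
    // bytes begin with a recognised image header; index 2 is the IMAGETYPE_*.
    $info = @getimagesize($tmpPath);
    if ($info === false || !in_array($info[2], IMAGE_TYPES, true)) {
        return false;
    }
    return true;
}

// Demo with a constructed 1x1 GIF written to a temp file.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b");
var_dump(isSafeImageUpload('logo.gif', $gif, 'jpg,png,gif,php'));  // real image, gif allowed
var_dump(isSafeImageUpload('shell.php', $gif, 'jpg,png,gif,php')); // php stripped from allowlist
unlink($gif);
```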