Log in to the site's admin backend
url: /index.php/admin/passport/login.html
Add vulnerability URL
url: /index.php/admin/Template/fileedit
Convert to a POST request
Send the request
Access index.php generated in the root directory
url: /index.php?a=whoami
Code audit
The vulnerability file is located at: /application/admin/controller/Template.php -> fileedit()
We control $path and $html, and $path is spliced together with $rootpath.
The path variable can traverse directories with ../
The html variable is where our PHP code gets written.
The HTML is decoded, but that has no effect on the PHP code.
So we can find an existing file and overwrite it.
POST payload is:
path=../../index.php&html=(your php code)
Finally, the command is executed at index.php
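One way to close the traversal described in the code audit above, as an added example and not the project's own code: resolve the requested path against the template root and refuse anything that lands outside it or has a non-template extension. The function name resolveTemplatePath, the extension allow-list and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not taken from Template.php).
// Returns the absolute file to write, or throws if $path escapes $rootpath.
function resolveTemplatePath(string $rootpath, string $path): string
{
    $root = realpath($rootpath);
    if ($root === false) {
        throw new InvalidArgumentException('template root does not exist');
    }
    if ($path === '' || strpos($path, "\0") !== false) {
        throw new InvalidArgumentException('empty path or NUL byte');
    }
    // Assumed allow-list: only template assets are editable, never .php.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, ['html', 'htm', 'css', 'js'], true)) {
        throw new InvalidArgumentException('file type not editable');
    }
    // Canonicalise the parent directory; the file itself may not exist yet.
    $dir = realpath($root . DIRECTORY_SEPARATOR . dirname($path));
    if ($dir === false) {
        throw new InvalidArgumentException('directory does not exist');
    }
    // Compare with a trailing separator so /tpl does not match /tpl_other.
    $sep = DIRECTORY_SEPARATOR;
    if (strpos($dir . $sep, $root . $sep) !== 0) {
        throw new InvalidArgumentException('path escapes template root');
    }
    $target = $dir . $sep . basename($path);
    if (is_link($target)) {
        throw new InvalidArgumentException('symlink targets are refused');
    }
    return $target;
}

// Constructed demo: a throwaway template root with one theme directory.
$root = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/default', 0700, true);
$samples = ['default/header.html', '../../index.php',
            '../../index.html', 'default/shell.php'];
foreach ($samples as $p) {
    try {
        echo $p, ' => ', resolveTemplatePath($root, $p), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $p, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
rmdir($root . '/default');
rmdir($root);
```

Only default/header.html is accepted: the two .php names fail the extension check, and ../../index.html fails the containment check.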