there is a File upload attack vulnerability #8
Description
there is a File upload attack vulnerability,It can lead to arbitrary uploading of PHP script files.
The location of the vulnerability is in http://ip/public/admin,where the content editing function is.
Let's see the code:
There are two problems:
- The uploaded file detection is not strict, only the content-type is detected, and even the file suffix is not detected, which causes us to modify the content-type when uploading to bypass the upload php file.
- File processing logic vulnerabilities, although there is a file abbreviated processing, but when uploading a sentence Trojan with a jpg file header, the server will not return the address, but the file is already stored on the server, so the file upload can be achieved.
In addition, although the CMS detects and filters uploaded files, it will be automatically commented out if it matches <?php .
such as:
but We can bypass with short tags,such as:
- Use <?= instead of <?php
- Use <script language='php'></script> to bypass
My exploit is as follows:
Let's test it out.
as we can see,The PHP Trojan has been successfully uploaded and validated.