cve's People
Watchers
cve's Issues
File Upload vulnerability in PHPOK 5.7.140
File Upload vulnerability in PHPOK 5.7.140
PoC
Enter the background and switch to development mode in the upper right corner
Click Install Application - Import and upload a zip-compressed php file
# 1.php
<?php phpinfo();?>
After easily completing the upload, visit the path _app/ and find what we uploaded
This creates a serious file upload vulnerability
Analysis
The upload first calls the zip function without any censorship or filtering of its contents, thus resulting in an arbitrary file upload
/**
* 制作压缩包
* @参数 $dir,支持单个文件,目录及数组
* @参数 $saveName,保存的ZIP文件名
**/
public function zip($dir, $saveName)
{
if(@!function_exists('gzcompress')){
return false;
}
ob_end_clean();
$filelist = array();
if(is_array($dir)){
$filelist = $dir;
}else{
if(!file_exists($dir)){
return false;
}
if(is_file($dir)){
$filelist = array($dir);
}else{
$this->filelist($filelist,$dir);
}
}
if(count($filelist) < 1){
return false;
}
if(class_exists('ZipArchive')){
$obj = new ZipArchive();
$obj->open($saveName,ZipArchive::OVERWRITE|ZipArchive::CREATE);//创建一个空的zip文件
foreach($filelist as $file){
if(!file_exists($file) || !is_file($file)){
continue;
}
$name = substr($file,strlen($this->dir_root));
$obj->addFile($file,$name);
}
$obj->close();
return true;
}
foreach($filelist as $file){
if(!file_exists($file) || !is_file($file)){
continue;
}
$fd = fopen($file, "rb");
$content = @fread($fd, filesize($file));
fclose($fd);
$file = substr($file, strlen($this->dir_root));
if(substr($file, 0, 1) == "\\" || substr($file, 0, 1) == "/"){
$file = substr($file, 1);
}
$this->addFile($content, $file);
}
$out = $this->file();
$fp = fopen($saveName, "wb");
fwrite($fp, $out, strlen($out));
fclose($fp);
}
After uploading the zip, unzip was called to decompress it, again without any filtered review content
public function unzip($file,$to='')
{
if(class_exists('ZipArchive')){
$zip = new ZipArchive;
$zip->open($file);
$zip->extractTo($to);
$zip->close();
return true;
}
...
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.