MetInfo 鸡肋getshell

1. 发布时间：2017-01-02
2. 公开时间：N/A
3. 漏洞类型：文件上传
4. 危害等级：高
5. 漏洞编号：xianzhi-2017-01-73318655
6. 测试版本：N/A

---

漏洞详情

app/system/include/module/uploadify.class.php 65行

public function doupfile(){
        global $M;
        $this->upfile->set_upfile();
        $info['savepath'] = $_M['form']['savepath'];
        $info['format'] = $_M['form']['format'];
        $info['maxsize'] = $_M['form']['maxsize'];
        $info['is_rename'] = $_M['form']['is_rename'];
        $info['is_overwrite'] = $_M['form']['is_overwrite'];
        $this->set_upload($info);
        $back = $this->upload($_M['form']['formname']);
        if($_M['form']['type']==1){
            if($back['error']){
                $back['error'] = $back['errorcode'];
            }else{
                $backs['path'] = $back['path'];
                $backs['append'] = 'false';
                $back = $backs;
            }
        }
        echo jsonencode($back);
    }

$_M['form']来自$(POST|GET|COOKIE)
savepath可控导致且当目录不存在时自动新建 导致IIS6下解析漏洞getshell

测试方法

format:

maxsize:

is_rename:

is_overwrite:

formname:

选择一个后缀在上面列表中的马submit即可
返回带路径 直接用

view.png