MetInfo: a marginal getshell

  1. Published: 2017-01-02
  2. Disclosed: N/A
  3. Vulnerability type: File upload
  4. Severity: High
  5. Vulnerability ID: xianzhi-2017-01-73318655
  6. Tested version: N/A

Vulnerability details

app/system/include/module/uploadify.class.php, line 65

    public function doupfile(){
        global $_M;
        $this->upfile->set_upfile();
        // Every upload setting below is read straight from request data.
        $info['savepath'] = $_M['form']['savepath'];         // target directory
        $info['format'] = $_M['form']['format'];             // allowed extensions
        $info['maxsize'] = $_M['form']['maxsize'];           // size limit
        $info['is_rename'] = $_M['form']['is_rename'];       // rename on save
        $info['is_overwrite'] = $_M['form']['is_overwrite']; // overwrite existing file
        $this->set_upload($info);
        $back = $this->upload($_M['form']['formname']);
        if($_M['form']['type']==1){
            if($back['error']){
                $back['error'] = $back['errorcode'];
            }else{
                // On success the saved path is returned to the client.
                $backs['path'] = $back['path'];
                $backs['append'] = 'false';
                $back = $backs;
            }
        }
        echo jsonencode($back);
    }

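$_M['form'] comes from request data ($_POST, $_GET, $_COOKIE).
savepath is therefore attacker-controlled, and the directory is created automatically when it does not exist, which allows getshell via the IIS6 parsing vulnerability.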
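
One way to close this is to stop reading upload settings from the request and to constrain savepath to plain sub-directory names under a fixed root. This is an added example, not MetInfo's code or its official fix; UPLOAD_ROOT, ALLOWED_EXT, MAX_SIZE and the three function names are hypothetical, and the inputs at the bottom are constructed.

```php
<?php
// Added example (not MetInfo code). UPLOAD_ROOT, ALLOWED_EXT, MAX_SIZE and the
// function names are hypothetical; sample inputs at the bottom are constructed.
const UPLOAD_ROOT = 'D:/wwwroot/upload';            // assumed fixed upload root
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];  // server-side, never from the request
const MAX_SIZE    = 2097152;                        // server-side size limit in bytes

// Map a requested sub-directory onto UPLOAD_ROOT. Every segment must match
// [A-Za-z0-9_-]+, which rejects "..", drive letters and dotted directory
// names such as "a.asp" that IIS6 would treat as script directories.
function safe_save_dir(string $requested): ?string
{
    $parts = preg_split('#[/\\\\]+#', $requested, -1, PREG_SPLIT_NO_EMPTY);
    foreach ($parts as $part) {
        if (!preg_match('/^[A-Za-z0-9_-]{1,32}\z/', $part)) {
            return null;
        }
    }
    return rtrim(UPLOAD_ROOT . '/' . implode('/', $parts), '/');
}

// Keep only an allow-listed final extension; the stored name is always
// generated server-side, so is_rename / is_overwrite stop being client choices.
function safe_file_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Decide whether an upload is accepted and where it would be stored.
function plan_upload(string $savepath, string $clientName, int $size): ?string
{
    $dir  = safe_save_dir($savepath);
    $name = safe_file_name($clientName);
    if ($dir === null || $name === null || $size <= 0 || $size > MAX_SIZE) {
        return null;
    }
    return $dir . '/' . $name;
}

// Constructed inputs: a normal request, then two rejected savepath values.
foreach ([['images/2017', 'logo.PNG'], ['a.asp', 'x.jpg'], ['../app', 'x.jpg']] as [$p, $f]) {
    $target = plan_upload($p, $f, 1024);
    printf("%-12s %-9s => %s\n", $p, $f, $target ?? 'rejected');
}
```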

Test method


format:
maxsize:
is_rename:
is_overwrite:
formname:

Select a webshell whose extension is in the list above and submit it.
The response includes the path, which can be used directly.

