Please credit the source when reprinting.
The Zend decoding of the source is not complete, so don't bother reading the code; just use Tamper Data or a similar plugin to test the POST parameters. The filtering around `$sFile = $oFile['name'];` is far too naive, and it looks as though version 5 changed a function there. This is a file-upload vulnerability in the attachment feature of members' private messages; the problem is in pms.php. I'm too lazy to write a long-winded code analysis and I won't post a POC, everyone knows how.
Straight to the method:
1: Register an account at register.php
2: Open pms.php?action=send&mytype=1
3: In the recipient field enter the member account you just registered. On Windows with Apache+IIS upload a .php;.php file, on Linux upload .php5;php. Tick "Save to Outbox [press Ctrl+Enter when finished to publish]" and click OK.
5: When it finishes it jumps to the Outbox automatically (or go and view the message you just sent). Click the attachment to download it; it will say the file cannot be found. Right-click, copy the URL, and append ;php, and that is the complete SHELL address.
I've seen a 5.0 vulnerability before that was also in this upload; the POC that was released was too wordy. I don't know whether this pms.php issue also works across the other versions; anyone who has looked into it, let me know when you have time.
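As an added example (not code from the original post or from the application it discusses), this is how the `$sFile = $oFile['name']` handling the post criticises can be hardened: the client-supplied name is never reused, only its final extension is checked against an allowlist, and the bytes are cross-checked against the claimed type. `UPLOAD_DIR`, `storeAttachment` and the allowlist are assumed names chosen for this example.

```php
<?php
// Added example (not code from the original post or the affected application):
// a hardened replacement for the attachment-name handling the post criticises.
// Assumptions: $oFile is one $_FILES entry; UPLOAD_DIR is a directory outside
// the web root from which the web server never executes scripts.

const UPLOAD_DIR = __DIR__ . '/../private_uploads';   // assumed location
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip', 'txt'];

/**
 * Validate an uploaded attachment and return its generated storage name,
 * or null when the upload must be rejected. Because the client name is
 * never reused, names such as "a.php;.jpg" or "a.php5;jpg" cannot survive
 * into the stored path; only the final extension is inspected, and it must
 * be on the allowlist (a blocklist of ".php" is what the weak filter relied on).
 */
function storeAttachment(array $oFile): ?string
{
    if (($oFile['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Final extension only, lower-cased. A name like "x.php;php" yields
    // "php;php", which fails the character check; "x.php5" yields "php5",
    // which is not on the allowlist.
    $ext = strtolower(pathinfo((string) $oFile['name'], PATHINFO_EXTENSION));
    if (!preg_match('/\A[a-z0-9]{1,5}\z/', $ext) || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Cross-check the content type from the file bytes, not the client header.
    $expected = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
                 'gif' => 'image/gif', 'pdf' => 'application/pdf',
                 'zip' => 'application/zip', 'txt' => 'text/plain'];
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($oFile['tmp_name']);
    if ($detected !== $expected[$ext]) {
        return null;
    }
    // Generated storage name: no user-controlled text reaches the filesystem path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = UPLOAD_DIR . '/' . $stored;
    if (!is_uploaded_file($oFile['tmp_name']) || !move_uploaded_file($oFile['tmp_name'], $target)) {
        return null;
    }
    return $stored;
}
```

The download handler should then look the generated name up in the message record and stream the file from UPLOAD_DIR, so the stored file is never reachable by a direct URL.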