GV32-CMS latest V5.6.4 foreground getshell

GV32-CMS latest V5.6.4 foreground getshell

GV32-CMS latest V5.6.4 foreground getshell

 

#1. Lines 11-96 of the application \ user \ upload. php file

// File Upload uploadfile (); function uploadfile () {$ configUp = array (); $ configUp ['type'] = array ("flash", "img "); // upload the allowed type value $ configUp ['img '] = array ("jpg", "bmp", "gif", "png "); // img allows the suffix $ configUp ['flash'] = array ("flv", "swf "); // flash allows the suffix $ configUp ['Office '] = array ("doc", "docx", "docm", "dotx", "dotm", "xls ", "xlsx", "xlsm", "xltm", "xlsb", "xlam", "csv", "xlw", "wk4", "wk3", "wk1 ", "wks", "dbf", "ppt", "pptx", "pptm", "ppsx", "potx", "Potm", "ppam"); // office allows suffix if (MAX_UPSIZE! = '') {$ ConfigUp ['Flash _ size'] = MAX_UPSIZE; // The maximum size of the uploaded flash. Unit: KB $ configUp ['img _ size'] = MAX_UPSIZE; // The maximum size of the uploaded img is KB} else {$ configUp ['Flash _ size'] = 1000; // The maximum size of the uploaded flash is: KB $ configUp ['img _ size'] = 2000; // maximum size of uploaded img in KB} $ configUp ['message'] = "uploaded "; // The message displayed after the upload is successful. If it is null, $ configUp ['name'] = mktime () is not displayed (); // the uploaded file naming rules are named as if (BASE_WEBURL! = '') {$ ConfigUp ['Flash _ dir'] = BASE_WEBURL. "/uploads/flash"; // upload the flash file address with an absolute address to facilitate upload. "/" $ configUp ['img _ dir'] = BASE_WEBURL is not added after the PHP file is placed in any location of the site. "/uploads/img"; // upload the imgfile address with an absolute address. Use an absolute address to facilitate upload. "/"} else {$ configUp ['Flash _ dir'] = "/uploads/flash" is not added after the PHP file is placed in any location of the station "; // upload the flash file address with an absolute address to facilitate upload. "/" $ configUp ['img _ dir'] = "/uploads/img" is not added after the PHP file is placed in any location of the site "; // upload the imgfile address using an absolute address and an absolute address to facilitate upload. PHP files placed on the site "/"} If (IMG_URL! = '') {$ ConfigUp ['site _ url'] = IMG_URL; // The website url, which is related to the uploaded image address, is not added. "/" can be left blank.} else {$ configUp ['site _ url'] = ""; // The website URL, which is related to the uploaded image address, is not added. "/" can be left blank.} // determine whether the call is illegal. if (empty ($ _ GET ['ckeditorfuncnum'] )) mkhtml (1, "", "incorrect function call request"); $ fn = $ _ GET ['ckeditorfuncnum']; if (is_uploaded_file ($ _ FILES ['upload'] ['tmp _ name']) {// determine whether to allow $ filearr = pathinfo ($ _ FILES ['upload'] ['name']); $ filetype = $ filearr ["extension"]; if (! In_array ($ filetype, $ configUp ['img ']) mkhtml ($ fn, "", "incorrect file type! "); // Determine whether the file size meets the requirements. if ($ _ FILES ['upload'] ['SIZE']> $ configUp [" img_size "] * 1024) mkhtml ($ fn, "", "the uploaded file cannot exceed ". $ configUp ["img_size"]. "KB! "); $ File_abso = $ configUp [" img_dir "]. "/". $ configUp ['name']. ". ". $ filetype; $ file_host = $ _ SERVER ['document _ root']. $ file_abso; if (move_uploaded_file ($ _ FILES ['upload'] ['tmp _ name'], $ file_host) {mkhtml ($ fn, $ file_abso, $ configUp ['message']);} else {mkhtml ($ fn, "", "File Upload Failed. Check the upload directory settings and directory read/write permissions ");}}} // output js call function mkhtml ($ fn, $ fileurl, $ message) {echo $ str = '<script type = "text/javascript"> window. parent. CKEDITOR. tool S. callFunction ('. $ fn. ',\''. $ fileurl. '\',\''. $ message. '\'); </script> '; exit ($ str) ;}?> If (! In_array ($ filetype, $ configUp ['img ']) determines the file type array $ configUp ['img'] = array ("jpg", "bmp ", "gif", "png ");

Then, the js call output is very good. Just capture the package and modify the format and upload it.





#2 exploitation methods

#1 register an account first

#2 Home> User center> basic information Avatar Upload File Packet Capture and Change Package upload

Google keywords: Powered by GV32.COM find about 19,300 results (in 0.29 seconds)

If you have a certain number of users, you can test it on the same site.



# Http://engleeagro.com/register an account, and then upload the Avatar to capture packets

The package is uploaded successfully:
 

 

Solution:

Enhanced verification