The affected file is privateUpload.php under general/vmeet/. Let's look at the code:
<?php
include_once("inc/conn.php");          // database connection
include_once("inc/utility_file.php");  // file helpers, including td_move_uploaded_file()
ob_end_clean();                        // clear the output buffer
$uploadFileName = $_FILES['filedata']['name'];     // client-supplied file name
$uploadFile = $_FILES['filedata']['tmp_name'];     // path of the temporary file on the server
$uploadFileName = iconv("UTF-8", $mya_charset, $uploadFileName); // convert the file name from UTF-8 to the system charset
if (is_uploaded_file($uploadFile)) // a temporary file exists, so a file was uploaded
{
    $pos = strrpos($uploadFileName, ".");              // position of the last dot in the name
    $len = strlen($uploadFileName);                    // length of the name
    $extendType = substr($uploadFileName, $pos, $len); // everything from the last dot on, i.e. the extension
    if (strtolower($extendType) == ".php") // only a trailing ".php" is rejected; any other extension passes
    {
        echo "upload file fobidden";
        exit();
    }
    $localFileName = $_GET['filename'];  // the stored name is taken straight from the request: this is the vulnerability
    $ZLCHAT_ATTACH = "upload/";          // upload directory
    $localFile = "{$ZLCHAT_ATTACH}/temp/" . $localFileName; // destination path; $localFileName is fully request-controlled
    if (!td_move_uploaded_file($uploadFile, $localFile)) // move the temporary file to the destination
    {
        echo "upload failed";
    }
}
?>
That is how the code above works. Now, how can this check be bypassed to obtain a webshell?
First, some background: the system runs on Apache, and Apache has a parsing weakness whereby a file with a name such as 1.php.222 is still executed as PHP.
This is what lets us get past the extension check above.
So all we need is to upload a file with a non-php extension and give it a name such as 1.php.111; since the upload directory is also known, a webshell is easily obtained.
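The two weaknesses in the handler above are a denylist that only rejects a trailing ".php" and a stored name taken straight from the request. The following is an added example written for this page, not code from the original post or from the vendor's application: a hardened version of the same upload step that uses an extension allowlist, treats every dot-separated part of the name as an extension (so 1.php.222 is rejected along with .phtml and friends), discards the client name entirely, and stores the file under a random server-generated name. The form field $_FILES['filedata'] and the upload/temp directory come from the page; the allowlist, the function names and the sample file names are constructed.

```php
<?php
// Added example, not code from the original page or the vendor's application.
// Assumed: the form field is still $_FILES['filedata'] and files go under
// upload/temp/ as on the page; the allowlist and sample names are constructed.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Return the extension to store the file under, or null to reject it.
 * Every dot-separated part after the first is checked, mirroring how
 * Apache's mod_mime treats multi-extension names: 1.php.222 carries the
 * "php" extension even though its last extension is "222".
 */
function safe_extension(string $clientName): ?string
{
    // basename() discards directory components such as ../ that a
    // client-controlled name could carry.
    $parts = explode('.', basename($clientName));
    if (count($parts) < 2 || $parts[0] === '') {
        return null; // no extension, or a dot-file such as .htaccess
    }
    $extensions = array_map('strtolower', array_slice($parts, 1));
    foreach ($extensions as $ext) {
        // Allowlist, not a denylist: checking for ".php" alone misses .phtml,
        // .phar, .php5 and the multi-extension trick. Any disallowed part rejects.
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }
    return end($extensions);
}

/**
 * Move an uploaded file into $uploadDir under a server-generated name.
 * Returns the stored file name, or null when the upload is rejected.
 */
function store_upload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = safe_extension($file['name']);
    if ($ext === null) {
        return null;
    }
    // The stored name never comes from the request (the original handler took
    // it from $_GET['filename']); a random name also prevents overwrites.
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable, never executable
    return $storedName;
}

// Web entry point: same field name as the vulnerable handler.
if (PHP_SAPI !== 'cli') {
    $stored = isset($_FILES['filedata'])
        ? store_upload($_FILES['filedata'], __DIR__ . '/upload/temp')
        : null;
    echo $stored === null ? 'upload file forbidden' : 'stored as ' . $stored;
    exit;
}

// Offline demonstration of the name check on constructed inputs (run from the CLI).
$samples = [
    'report.pdf'  => 'pdf', // accepted
    'photo.JPG'   => 'jpg', // accepted, case-normalised
    'shell.php'   => null,  // rejected, as the original code also would
    '1.php.222'   => null,  // rejected: the original code let this through
    'shell.phtml' => null,  // rejected: the original .php-only check would not
    '../../x.jpg' => 'jpg', // path components stripped; only the extension is kept
    'noextension' => null,  // rejected: nothing to allowlist
];
foreach ($samples as $name => $expected) {
    $got = safe_extension($name);
    printf("%-14s -> %-5s %s\n", $name, var_export($got, true),
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

The application-level fix should be paired with the web-server side: the multi-extension behaviour comes from mapping PHP with an `AddHandler` directive, which mod_mime applies to any extension in the name, whereas a `<FilesMatch "\.php$">` block with `SetHandler` only matches names that actually end in .php. Serving the upload directory with PHP execution disabled altogether removes the remaining risk even if a name check is ever bypassed.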
This is my local test result.
The following is an example exploit.
Save the following code as 1.html. If you want to test it, you only need to change 192.168.56.139 to your target site.
Put exp here