Hpdoger's Blog.

Arbitrary File upload in Semcms V2.7

2018/08/23

Explanation

The PHP admin (background) pages restrict uploads to certain file types (jpe, gif, rar), but we can bypass this restriction and upload malicious files such as PHP scripts.

Code

The affected code (located in /ciuy_Admin/SEMCMS_Upfile.php):

$newname=test_input($_POST["wname"]).".".end($uptype);

We control the "wname" POST parameter completely, and $uptype is the suffix extracted from the uploaded file's name, which is one of the allowed types.

Function

The attack technique: use char(0) (a null byte) to truncate the filename and substitute a new suffix.

The affected page is in the admin management area: ciuy_Admin/SEMCMS_Upfile.php

Reproduction

First, we give our malicious PHP file the name test.rar (an allowed suffix) and post it as follows. At this point, there are no files in the folder.

Second, we change "php" to "php0x00", and the result is:

Final result and PoC:

Then we can see test.php in the folder:

Finally, we could use a tool (Cknife) to connect to the malicious PHP file.

Summary

This is a getshell through the admin backend. It requires a PHP version lower than 5.3.
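
A hardened way to build the stored file name, shown as an added example (it is not SEMCMS code and not part of the original post). The function name build_upload_name and the sample inputs are assumptions; the allow list is the one named in the Explanation section.

```php
<?php
declare(strict_types=1);

// Allowed suffixes as listed on the page; adjust to the real configuration.
const ALLOWED_SUFFIXES = ['jpe', 'gif', 'rar'];

/**
 * Hypothetical replacement for the vulnerable line
 *   $newname=test_input($_POST["wname"]).".".end($uptype);
 * Returns a safe file name, or null when the request must be rejected.
 */
function build_upload_name(string $wname, string $originalName): ?string
{
    // Suffix of the uploaded file, compared case-insensitively with the allow list.
    $suffix = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($suffix, ALLOWED_SUFFIXES, true)) {
        return null;
    }

    // Reject rather than strip: NUL bytes, other control characters, dots and
    // path separators have no place in the base name. \A and \z anchor the
    // whole string, so a trailing newline cannot slip through either.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $wname)) {
        return null;
    }

    $newname = $wname . '.' . $suffix;

    // Defence in depth: the name handed to the filesystem layer must still
    // end in the suffix that was validated.
    if (strtolower(pathinfo($newname, PATHINFO_EXTENSION)) !== $suffix) {
        return null;
    }
    return $newname;
}

// Constructed sample inputs (not taken from the page's screenshots).
$cases = [
    ['logo',        'test.rar'],   // accepted: logo.rar
    ["test.php\0",  'test.rar'],   // rejected: NUL byte in wname
    ['test.php',    'test.rar'],   // rejected: dot in wname
    ['../../shell', 'test.rar'],   // rejected: path characters in wname
    ['logo',        'test.php'],   // rejected: suffix not in the allow list
];
foreach ($cases as [$wname, $orig]) {
    $result = build_upload_name($wname, $orig);
    printf("%-20s %-10s => %s\n", json_encode($wname), $orig, $result ?? 'REJECTED');
}
```

Storing uploads outside the web root, or in a directory where PHP execution is disabled, keeps a file that slips past the name check from being run by the server.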
