Veno File Manager 任意文件上传
@TOC
正文
漏洞代码 /vfm-admin/chunk.php 第134行 关键代码:
$chunk->createFileFromChunks( $_GET['loc'], $temp_dir, $resumableFilename, $_POST['resumableChunkSize'], $_POST['resumableTotalSize'], $_GET['logloc'] ); PHPCopy 跟进createFileFromChunks函数 /vfm-admin/class.php 第4383行 关键代码:
public function createFileFromChunks($location, $temp_dir, $fileName, $chunkSize, $totalSize, $logloc) { global $chunk; $upload_dir = str_replace('\', '', $location); $extension = File::getFileExtension($fileName); // count all the parts of this file $total_files = 0; $finalfile = FileManager::safeExtension($fileName, $extension); //忽略 PHPCopy 跟进safeExtension函数 /vfm-admin/class.php 第1707行 完整代码:
public static function safeExtension($name, $extension) { $evil = array( 'php','php3','php4','php5','htm','html','phtm','phtml', 'shtm','shtml','asp','pl','py','jsp','sh','cgi','htaccess', 'htpasswd','386','bat','cmd','pl','ddl','bin' ); //黑名单 if (in_array($extension, $evil)) { $name = $name.'.txt'; //如果后缀名出现在黑名单中,在原文件名后加.txt后缀 } return $name; } PHPCopy http://blog.csdn.net/u011650048/article/details/51454014
利用方法 resumableFilename 后加空格 burp.png
- 原文链接
- 注:知识搬运,供学习交流使用,侵联删!