Download time: 2020/1/18
Search for a keyword such as "上传文件非法" ("uploaded file is illegal"); the match is in the file /crmeb/crmeb/services/UploadService.php at line 410.
In the file() function, it will call getOriginalExtension() in line 409. The getOriginalExtension() is in line 130 with the file
From the code's point of view, the check only obtains the suffix name and compares it; no filtering is performed.
First, you need to add a configuration item for file upload, like this.
The contents of the configuration item are as follows.
Open the file upload configuration item in settings, and it looks like this.
In this operation, you can see that there is an option named fileuPload, which was created in Step-1. Then you can click it and upload a file there.
Then I upload a file named shell.jpg, and its content is like this.
<?php phpinfo(); ?>
and modify the file extension to .php::$DATA when uploading, like this. Because the characters ::$DATA are automatically ignored on Windows systems, the check can be bypassed with them.
It will respond with a URI address like this.
Access this URL and you will get a shell on this web server.
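
One way to close the gap described above, as an added example that is not CRMEB's own code: reject any client-supplied name containing the NTFS stream separator before its extension is read, compare the extension against an allowlist, and store the file under a server-generated name. The function names, the allowlist and the sample names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist; a real one would come from the upload configuration.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Return the canonical lower-case extension when the client-supplied file
 * name is acceptable, or null when the upload must be rejected.
 */
function safeUploadExtension(string $clientName, array $allowed = ALLOWED_EXTENSIONS): ?string
{
    // ':' introduces an NTFS stream name (as in "::$DATA"). Reject it together
    // with control characters and the other characters Windows reserves in
    // file names, instead of trying to strip them.
    if (preg_match('~[\x00-\x1f:\\\\/*?"<>|]~', $clientName) === 1) {
        return null;
    }

    // Only after the name is known to be plain is its extension meaningful.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));

    // Strict allowlist comparison; an empty extension is never allowed.
    return in_array($ext, $allowed, true) ? $ext : null;
}

/**
 * Build the name the file is stored under. Nothing from the client-supplied
 * name except the validated extension reaches the file system.
 */
function storedName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, not taken from the original report.
$samples = ['photo.JPG', 'shell.jpg', 'shell.php', 'shell.php::$DATA', 'shell.jpg::$DATA'];

foreach ($samples as $name) {
    $ext = safeUploadExtension($name);
    $result = $ext === null ? 'rejected' : 'stored as ' . storedName($ext);
    printf("%-18s => %s\n", $name, $result);
}
```

Serving the upload directory without PHP execution enabled keeps a file that slips past the name check from being run by the web server.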