pear-admin-think V2.1.2 Arbitrary File Upload Vulnerability

Summary: pear-admin-think V2.1.2 contains an arbitrary file upload vulnerability. A remote attacker with access to the admin backend can upload files of any type through the upload endpoint and thereby take control of the server.
URL: /admin.php/index/upload
Vulnerable file: app/common/service/UploadService.php

    private static function validate($file)
    {
        $v = new Validate();
        // A single rule string for the field "file": fileSize and fileExt are
        // joined with ',' although the framework separates rules with '|'
        $v->rule([
            'file|图片' => 'fileSize:102400,fileExt:jpg,png,gif'
        ]);
        return $v->failException(true)->check($file);
    }

ThinkPHP's Validate splits several rules inside one string on `|`, not on `,`. The declaration above is therefore parsed as one fileSize rule whose parameter is the rest of the string, and the fileExt allow list (jpg, png, gif) is never applied, so a file with any extension passes validation.
Vulnerability exploitation:
1. Log in to the admin backend.
2. Upload a file through the upload endpoint.
Repair suggestion:
app/common/service/UploadService.php

    private static function validate($file)
    {
        $v = new Validate();
        // One rule per entry, so both the size limit and the extension
        // allow list are enforced on the field "file"
        $v->rule([
            'file|图片大小' => 'fileSize:102400',
            'file|后缀'     => 'fileExt:jpg,png,gif'
        ]);
        return $v->failException(true)->check($file);
    }
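The following is an added example, not code from pear-admin-think or from ThinkPHP. It re-implements, in simplified form, the rule-string splitting the framework performs (assumed here: rules separated by `|`, a rule type separated from its parameter by the first `:`), applies it to the vulnerable and the repaired rule declarations quoted above to show which validators actually run, and adds a stand-alone extension allow-list check of the kind the repaired rule is meant to enforce. The function names `parseRuleString`, `validatorsForField` and `extensionAllowed` are this example's own.

```php
<?php
// Added example, not code from pear-admin-think or ThinkPHP.
// Simplified re-implementation (assumption) of how a ThinkPHP-style
// rule string is split into individual validators.

declare(strict_types=1);

/**
 * Split one rule string into [type => parameter] pairs: rules are
 * separated by '|', a type is separated from its parameter by the
 * first ':'. A ',' is never a rule separator.
 */
function parseRuleString(string $rules): array
{
    $parsed = [];
    foreach (explode('|', $rules) as $rule) {
        if (strpos($rule, ':') !== false) {
            [$type, $param] = explode(':', $rule, 2);
        } else {
            [$type, $param] = [$rule, ''];
        }
        $parsed[$type] = $param;
    }
    return $parsed;
}

/**
 * Collect every validator that applies to $field from a rule array
 * written in the 'field|title' => 'rules' form used in the report.
 */
function validatorsForField(array $ruleArray, string $field): array
{
    $out = [];
    foreach ($ruleArray as $key => $rules) {
        [$name] = explode('|', $key, 2);
        if ($name === $field) {
            $out += parseRuleString($rules);
        }
    }
    return $out;
}

// Vulnerable declaration from the report: the whole string becomes the
// parameter of a single fileSize rule, and no fileExt validator exists.
$vulnerable = ['file|图片' => 'fileSize:102400,fileExt:jpg,png,gif'];

// Repaired declaration from the report: one rule per key, both apply.
$repaired = [
    'file|图片大小' => 'fileSize:102400',
    'file|后缀'     => 'fileExt:jpg,png,gif',
];

echo "Validators applied by the vulnerable rule:\n";
print_r(validatorsForField($vulnerable, 'file'));
echo "Validators applied by the repaired rule:\n";
print_r(validatorsForField($repaired, 'file'));

/**
 * Framework-independent extension allow-list check: compares the
 * lower-cased real extension of the supplied name against the list,
 * rejecting names without an extension or with one not on the list.
 */
function extensionAllowed(string $filename, array $allowed): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Constructed sample file names for the allow list from the report.
foreach (['avatar.PNG', 'report.pdf', 'upload.php', 'noext'] as $name) {
    printf("%-12s allowed: %s\n", $name,
        extensionAllowed($name, ['jpg', 'png', 'gif']) ? 'yes' : 'no');
}
```

Run with `php example.php`. The first `print_r` shows a single `fileSize` entry carrying the remainder of the string, the second shows separate `fileSize` and `fileExt` entries, which is the difference between the vulnerable and the repaired declaration. The allow-list check is case-insensitive on the extension and uses strict `in_array` comparison, so only the listed image extensions are accepted.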