bug
Entering the page, there is no useful information: one link to register and one to retrieve the password.
First register an account and log in to see what is there.
Clicking the second option gives a prompt:
In the retrieve-password flow, try entering data and capture the request:
Try changing the username to admin:
The modification succeeds; logging in as admin then works.
Click the second option:
It says the IP is not allowed, so construct an X-Forwarded-For header:
OK:
View source code:
The prompt hints at file operations, presumably upload, download, delete (?):
The upload succeeds and the file is stored.
Upload picture:
Upload a php file:
Upload a picture whose content is text containing php code:
So it seems the content must not contain anything detected as PHP-format code, and the filename must not end in php.
So the payload:
Content: <script language='php'>111</script>
Filename extension: php4, php5, phtml, etc. (here apparently only php4 and php5 work)
To sum up
1. Logic loophole in the password retrieval.
2. Alternative extensions for PHP files.
3. PHP file content formats:
<? ... ?> (enabled via short_open_tag in the configuration file)
<?php ... ?>
<script language="php"> ... </script>
<% ... %> (ASP-style tags, abandoned in version 5.3.0)
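A defender-side upload check that covers both findings above, the alternative extensions and all four PHP tag styles, as an added example that is not part of the write-up (the extension set and function names are my own assumptions):

```python
import re

# Extensions a typical PHP handler maps to the interpreter besides .php
# (the write-up found php4/php5 accepted where .php was blocked).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Every open-tag form from the summary, not only "<?php".
PHP_TAG_PATTERNS = [
    ("full tag <?php", re.compile(rb"<\?php\b", re.IGNORECASE)),
    ("short tag <?", re.compile(rb"<\?(?!php|xml)", re.IGNORECASE)),
    ("script tag language=php",
     re.compile(rb"<script[^>]*language\s*=\s*[\"\x27]?php", re.IGNORECASE)),
    ("asp-style tag <%", re.compile(rb"<%")),
]


def upload_findings(filename, content):
    """Return the reasons an upload should be rejected (empty list = passed).

    Every extension after the first dot is checked, so x.php5.jpg is caught
    as well as x.php5. The content scan is a second line of defence only:
    binary image data can contain "<?" or "<%" by chance, so the real fix is
    a strict extension allowlist plus storing uploads where nothing executes.
    """
    findings = []
    for ext in filename.lower().split(".")[1:]:
        if ext in PHP_EXTENSIONS:
            findings.append(f"executable extension .{ext}")
    for label, pattern in PHP_TAG_PATTERNS:
        if pattern.search(content):
            findings.append(f"php code marker: {label}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the exact payload shape from the write-up.
    print(upload_findings("shell.php5", b"<script language='php'>111</script>"))
```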