Vulnerability principle:
When testing a file upload vulnerability, the target server may refuse files with a .php suffix. If the server has SSI (Server Side Includes) and CGI support enabled, we can upload a .shtml file instead and use the <!--#exec cmd="id" --> directive to execute arbitrary commands.
Vulnerability reproduction:
An SHTML file is an HTML document with embedded server-side directives. Before the page is sent to the browser, the server reads the whole SHTML document, parses each directive, and replaces it with the directive's output.
Uploading a normal PHP file is not allowed, so we upload a file shell.shtml with the following content:
<!--#exec cmd="pwd" -->
Then upload the file and browse to its URL. If the server parses it, the page shows the output of pwd: the SSI directive was executed and we have remote command execution. The pwd command can be replaced with any other command.
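The following Python is an added example, not part of the original writeup. It builds the SSI exec payload described above and, beside it, shows the two checks a defender would want on the upload path: a pattern that flags SSI exec directives (cmd and cgi forms) inside uploaded content, and an extension allowlist that rejects .shtml instead of denying only .php as the target server does. The extension sets and the allowlist are assumptions for illustration; the sample payloads are constructed.

```python
import re

# Constructed payload, as in the writeup: an SSI exec directive.
SSI_EXEC_PAYLOAD = '<!--#exec cmd="pwd" -->'


def build_ssi_exec(cmd: str) -> str:
    """Return an SSI exec directive that runs `cmd` when the page is parsed."""
    # A literal double quote would close the cmd attribute early; escape it.
    return '<!--#exec cmd="%s" -->' % cmd.replace('"', '\\"')


# Detection pattern for SSI exec directives in uploaded content.
# It is deliberately looser than any single SSI parser (case-insensitive,
# whitespace-tolerant): a detector should accept at least everything a
# parser might, so that spacing tricks do not slip past it.
_SSI_EXEC_RE = re.compile(
    r'<!--\s*#\s*exec\s+(cmd|cgi)\s*=\s*"([^"]*)"\s*-->',
    re.IGNORECASE,
)


def find_ssi_exec(content: str) -> list:
    """Return (kind, argument) pairs for every SSI exec directive found.

    kind is "cmd" (shell command) or "cgi" (CGI script path).
    """
    return [(m.group(1).lower(), m.group(2)) for m in _SSI_EXEC_RE.finditer(content)]


# Assumption: extensions the web server maps to server-parsed HTML.
SSI_EXTENSIONS = {"shtml", "shtm", "stm"}
# Assumption: what this upload endpoint is meant to accept.
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def denylist_only_php(filename: str) -> bool:
    """The weak check the writeup's target server effectively performs:
    anything not ending in .php is accepted, so shell.shtml gets through."""
    return not filename.lower().endswith(".php")


def is_upload_allowed(filename: str) -> bool:
    """Allowlist check: only explicitly permitted extensions pass.

    SSI_EXTENSIONS are never in the allowlist, but the explicit exclusion
    documents why .shtml must not be added to it later.
    """
    ext = _extension(filename)
    return ext in ALLOWED_UPLOAD_EXTENSIONS and ext not in SSI_EXTENSIONS


if __name__ == "__main__":
    payload = build_ssi_exec("id")
    print("payload:", payload)
    print("directives found:", find_ssi_exec(payload))
    for name in ("shell.shtml", "shell.php", "photo.png"):
        print(name, "deny-php-only:", denylist_only_php(name),
              "allowlist:", is_upload_allowed(name))
```

Scanning content only helps for files the server will actually parse as SSI; the extension allowlist is the primary control, and the directory uploads are served from should additionally have SSI disabled (or at least the exec element disabled) in the web server configuration.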