phpMyAdmin 4.8.1 local file inclusion vulnerability reappears

1. Vulnerability points

The vulnerable code is at line 61 of index.php in the web root.

The target parameter is fully user-controlled, and index.php includes the file it names, so any file can be included.

The if condition above requires that the target parameter is not empty, is a string, does not start with `index`, and is not in the blacklist.

blacklist: (listed in a screenshot that is not reproduced here)

The last condition of the if statement is the page-validity check, which must return true. Its code is examined next.

The first red box defines the whitelist of allowed page names.

The second red box checks whether the file name is in the whitelist, and returns true if it is.

The third red box cuts the incoming string from position 0 up to the first `?`, then checks whether that prefix is in the whitelist, and returns true if it is.

Could we construct the string so that the part before `?` is a whitelisted name and passes the filter? The problem is that a literal `?` cannot appear in the file name that is actually included.

Finally, there is the exploitable point.

The code first URL-decodes the string and then splits it at `?`, and that is what creates the opportunity.

The parameter therefore ends up decoded twice: once by the web server and PHP when the request is parsed, and a second time by this code.

If the URL is encoded twice, the filter can be bypassed, and the single-encoded `%3f` is also a valid character in the file name, which produces the vulnerability.
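The following is an added example, not phpMyAdmin's code: a Python model of the page-validity check described above, with the double-decode flaw beside a hardened version that decodes only once and rejects path separators. The whitelist entries are constructed for illustration; the sample request value is the payload shown later in this post.

```python
from typing import Tuple
from urllib.parse import unquote

# Constructed sample whitelist (the real list is much longer).
WHITELIST = ["index.php", "db_datadict.php", "server_sql.php"]

# Payload from this post, as it appears on the wire (double-encoded '?').
SAMPLE_PAYLOAD = ("db_datadict.php%253f/../../../../../../../../../../../"
                  "phpstudy_pro/Extensions/MySQL5.7.26/data/dou/test.frm")


def _before_query(page: str) -> str:
    """Part of `page` before the first '?' (the whole string if there is none)."""
    return page.split("?", 1)[0]


def check_page_validity_vulnerable(page: str) -> bool:
    """4.8.1-style check: exact match, prefix-before-'?', then the same prefix
    test again after an extra urldecode. The extra decode is the flaw."""
    if not isinstance(page, str) or page == "":
        return False
    if page in WHITELIST or _before_query(page) in WHITELIST:
        return True
    # Second decode: PHP already decoded the request once, so a '%3f' that
    # arrived as '%253f' turns into '?' here and the prefix becomes whitelisted.
    return _before_query(unquote(page)) in WHITELIST


def check_page_validity_hardened(page: str) -> bool:
    """Hardened form (an assumption, not phpMyAdmin's actual patch): no second
    decode, and any '/', '\\' or '%' in the value is rejected outright."""
    if not isinstance(page, str) or page == "":
        return False
    if any(ch in page for ch in "/\\%"):
        return False
    return _before_query(page) in WHITELIST


def evaluate_request(raw_target: str) -> Tuple[bool, bool, str]:
    """Simulate PHP decoding the query value once, then run both checks.
    Returns (vulnerable_check_passed, hardened_check_passed, decoded_value)."""
    target = unquote(raw_target)  # the single decode done when PHP parses the request
    return (check_page_validity_vulnerable(target),
            check_page_validity_hardened(target),
            target)


if __name__ == "__main__":
    print(evaluate_request(SAMPLE_PAYLOAD))        # (True, False, 'db_datadict.php%3f/...')
    print(evaluate_request("db_datadict.php?db=x"))  # (True, True, 'db_datadict.php?db=x')
```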

2. Exploiting vulnerabilities

How can a malicious file be written to the server?

You can create a new table in the phpMyAdmin interface; the table name and its data are then stored on disk in the corresponding .frm and .MYD files.


Look up the data directory path (shown in a screenshot that is not reproduced here).

Build the payload:

db_datadict.php%253f/../../../../../../../../../../../phpstudy_pro/Extensions/MySQL5.7.26/data/dou/test.frm

Success.


Origin blog.csdn.net/weixin_51681694/article/details/130308160