Open
Description
In hisiphpv2.0.11, after the administrator logs in, the installation package (.zip file) can be uploaded at the system -> local plug-in -> import plug-in
The code for uploading the logic is located in the import() function of the "app\system\admin\Plugins" class, where the zip file is extracted before being safely processed.
Special packets can be constructed in
$files = Dir::getList($decompath. '/ Upload/Plugins /');
Throws an exception to bypass the security check
Package shell.php as a zip file (make sure there are no/Upload /plugins/ under the path)
Poc as follows
The response contains the path
You can see that shell.php is uploaded
Metadata
Metadata
Assignees
Labels
No labels