phpok website vulnerability exploitation analysis
2022-07-30 06:38:00 【[email protected]】
Environment description
Basic description
phpok is an enterprise website system built with PHP+MySQL; its 4.8.338 and 4.9.015 versions contain an arbitrary file upload vulnerability.
Vulnerability description
phpok is an enterprise website system built with PHP+MySQL. Its 4.8.338 and 4.9.015 versions contain an arbitrary file upload vulnerability: an attacker can use it to upload arbitrary files and gain control of the website.
Bug fixes
Filter the file suffix of uploads on the server side; upgrade phpok to the latest version.
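Filtering the suffix only helps if the check cannot be switched off from the admin panel, which is exactly how the attachment-type list is abused in the steps below. The following is an added example, not phpok's own code: a fixed server-side denylist of script extensions that is applied before any admin-configured allow-list, and a store routine that never writes the original file name to disk.

```php
<?php
// Added example (not phpok's code): hard denylist of executable suffixes that an
// administrator cannot override through the attachment-type UI.
declare(strict_types=1);

// Suffixes a typical PHP web server will execute, plus htaccess, which on Apache
// can re-map handlers for everything else in the upload directory.
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phps', 'phar', 'pht',
    'htaccess',
];

/**
 * Returns true if $filename may be stored, given the admin-configured allow-list.
 * Every dot-separated segment after the base name is checked, so "shell.php.jpg"
 * is rejected as well as "shell.php" and "SHELL.PHP".
 */
function isAllowedUpload(string $filename, array $adminAllowed): bool
{
    $name  = basename($filename);              // strip any path components
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false;                          // no extension at all
    }
    array_shift($parts);                       // drop the base name
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return false;                      // hard deny, whatever the admin list says
        }
    }
    // Only after the denylist passes is the admin allow-list consulted, on the final suffix.
    $final        = end($parts);
    $adminAllowed = array_map('strtolower', $adminAllowed);
    return in_array($final, $adminAllowed, true);
}

/** Stores an accepted upload under a random name; returns the path or null on rejection. */
function storeUpload(string $tmpPath, string $originalName, array $adminAllowed, string $dir): ?string
{
    if (!isAllowedUpload($originalName, $adminAllowed)) {
        return null;
    }
    $ext    = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    $target = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($tmpPath, $target) ? $target : null;
}

// Constructed sample inputs: the first mirrors this post (admin added "php" to the
// allowed types), the second is a double-extension attempt, the third is a normal file.
var_dump(isAllowedUpload('shell.php', ['jpg', 'png', 'php']));
var_dump(isAllowedUpload('shell.php.jpg', ['jpg', 'png']));
var_dump(isAllowedUpload('report.pdf', ['pdf', 'jpg']));
```

The first two calls are rejected and only the third is accepted; pairing this with a storage directory that the web server is configured not to execute scripts from removes the remaining risk of a suffix the list does not cover.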
Install
Place the source code in the PHPstudy web root (www) and run the installer locally.
Action
1. Select Tools -> Attachment Classification Management.
2. Create a resource category (add php to the supported attachment types).
3. Open file resource management and upload the file.
4. The upload succeeds, and the webshell (the "Trojan") is now present in the upload directory.
5. Connect to it with AntSword or China Chopper.
Success.
Copyright notice
This article was written by [[email protected]]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/211/202207300539173142.html