Arbitrary File upload in Semcms V2.7


The PHP back-end pages restrict the types of files that can be uploaded (jpe, gif, rar). We can bypass this restriction and upload malicious files such as PHP.


The affected code (located at /ciuy_Admin/SEMCMS_Upfile.php):


We can control “wname” as we want, and uptype is the suffix, which is checked against the allowed types.


The attack method: use char(0) to cut off the file name and supply a new suffix.

The affected page is located in the admin's management area: ciuy_Admin/SEMCMS_Upfile.php


First, we give our malicious PHP file the name test.rar (an allowed suffix) and post it as follows. At this point, there are no files in the folder.

Second, we change the php to php0x00, with the following effect:

Final effect and PoC:

Then we can see test.php in the folder:

Finally, we can use a tool (Cknife) to connect to the malicious PHP file.


This is a back-end getshell process. The required PHP version is less than 5.3.
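
A server-side check that refuses the truncated name described above, as an added example (not SemCms code and not from the original report). The function name `safe_upload_name`, the allow-list contents and the sample inputs are assumptions made for illustration; it is written for PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helper, not part of SemCms.
// Allow-list values are constructed for this example.
const ALLOWED_EXT = ['jpg', 'gif', 'rar'];

/**
 * Build the stored file name from the client-supplied base name ("wname")
 * and the original upload name. Returns null when the upload must be rejected.
 */
function safe_upload_name(string $wname, string $originalName): ?string
{
    // Reject NUL and other control bytes anywhere in either value.
    foreach ([$wname, $originalName] as $value) {
        if (preg_match('/[\x00-\x1f\x7f]/', $value)) {
            return null;
        }
    }
    // The base name may not contain dots, slashes or anything else
    // that could form a suffix or a path component.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $wname)) {
        return null;
    }
    // Take the extension from the uploaded name and compare it to the allow-list.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $final = $wname . '.' . $ext;
    // Re-check the assembled name: what gets written must end in the allowed suffix.
    if (strtolower(pathinfo($final, PATHINFO_EXTENSION)) !== $ext) {
        return null;
    }
    return $final;
}

// Constructed sample inputs: [wname, original upload name]
$cases = [
    ['test', 'test.rar'],        // ordinary upload
    ["test.php\0", 'test.rar'],  // NUL-terminated name from the report
    ['test.php', 'test.rar'],    // dot smuggled into the base name
    ['test', 'shell.php'],       // extension outside the allow-list
];
foreach ($cases as [$wname, $orig]) {
    $result = safe_upload_name($wname, $orig);
    printf("%-22s %-10s => %s\n", json_encode($wname), $orig, $result ?? 'REJECTED');
}
```

Only the first case yields a name (`test.rar`); the other three are rejected before any file is written.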
