| tiêu đề | php-business-website web 1 Unrestricted Upload |
|---|
| Mô tả | The vulnerability is located in php-business-website-mainphp-business-website-mainadminabout.php (the relevant file path and file name handling code is in config.php). The code only checks whether the file name exists when uploading a file, without validating the file extension, MIME type, or content. If the server's assets/img directory has script execution permissions, an attacker can upload a malicious script disguised as an image, resulting in a server compromise. The document also records the process of exploiting the vulnerability, which involves creating a one-line PHP web shell, uploading it through the edit page at http://aaa/admin/about.php, successfully locating the corresponding file in the assets/img directory, and accessing the file to control the server via the AntSword tool. |
|---|
| Nguồn | ⚠️ https://github.com/mhszed/Report/blob/main/php-business-website%20upload.docx |
|---|
| Người dùng | mahushuai (UID 91047) |
|---|
| Đệ trình | 06/11/2025 11:43 (cách đây 5 các tháng) |
|---|
| Kiểm duyệt | 16/11/2025 18:35 (10 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 332610 [Iqbolshoh php-business-website đến 10677743a8dfc281f85291a27cf63a0bce043c24 /admin/about.php nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|