I found that at /admin/template_wap.php, I was allowed to log in and write arbitrary files(Login required)

 Of course, you have to log in to the background first .Don't forget that dawn is my modified background address. It was originally admin

 At "dawn\template_wap.php", there is a sensitive function to write to the file:

![1](https://user-images.githubusercontent.com/55305492/102582187-02c1d500-413d-11eb-934c-ad34d600c922.png)


We can control the filename and content, We have nothing to do with this "escape_stripslashes".

The method to call this function is the same as above. We construct the data package:

![2](https://user-images.githubusercontent.com/55305492/102582193-06555c00-413d-11eb-8e2f-84f689edd356.png)

![3](https://user-images.githubusercontent.com/55305492/102582200-0c4b3d00-413d-11eb-8c24-cd37670990e6.png)

![4](https://user-images.githubusercontent.com/55305492/102582217-153c0e80-413d-11eb-8ef1-68cb40fbf2f4.png)




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

I found that at /admin/template_wap.php, I was allowed to log in and write arbitrary files(Login required) #5

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

I found that at /admin/template_wap.php, I was allowed to log in and write arbitrary files(Login required) #5

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions