I uploaded any file in the "manage files" section, here I uploaded a "1.jpg".

Found two files at the upload folder.

Looked at the source code for the delete file function. On lines 21 and 22 of "data/in/deletefile.php", the logic is that the file ".htaccess" is not allowed to be deleted. But it can be bypassed.

I clicked on the delete button on the page for "1.jpg" and sniffered the packet.

Change the value of the request parameter "var" to ".Htaccess" (the suffix name is not case sensitive in Windows)

".Htaccess" is already in the trash.

The ".htaccess" in the upload folder has been copied to the trash folder.

Looked at the source code for the upload function, lines 34 to 52 of "data/in/file.php".

The code logic is as follows.

1. First check if the file suffix is ".htaccess".
2. then check if the file suffix is in the blacklist.
3. If the suffix is in the blacklist, add the suffix ".txt" for renaming and give permission.
4. If the suffix name is not in the blacklist, then give permission directly.

Use race condition for attacks.
First I create a "phpinfo.php" file.
poc:

Upload the file and sniffer a packet of the upload request and send it to intruder (add variable a=1 to keep sniffering the request packet).

Then sniffer a packet that accesses the file and send it to intruder.

Both intruder types are selected as "Numbers" and the number is 10000.

Threads are set to 20.

Start the attack, when the status of the request to access the file is 200, it means that the file was uploaded successfully and the code was executed.

Upload webshell with race condition and successfully gain access to the server.
exploit：

(Note: the ".php" file only exists when the race condition is in place, if the race condition is stopped the ".php" file will still be a ".php.txt" file, so the shell will disconnect. The shell will then disconnect. (So maintaining permissions requires that race condition be maintained at all times)

From: huanyu@tsign.cn