Affected Versions

Previous to uWSGI 2.0.17

Environment

https://github.com/vulhub/vulhub/blob/master/uwsgi/CVE-2018-7490
Or directly use the environment in BUUOJ

Vulnerability Analysis

uWSGI PHP Plugin < 2.0.17 does not properly handle the --php-docroot option detected by DOCUMENT_ROOT, allowing attackers to passA specially crafted URL request with a '...' sequence to maliciously view arbitrary files on the system.

Get started

Open buuoj's drone and see

Don't use the payload in the exp first, try to see if ../../../ can perform directory traversal, you can find that the page and url have not changed, indicating that it is filtered

So urlencode ../ once,Get the ..%2f in the payload and upload the payload directly

Successfully read /etc/passwd file