# Typesetter CMS任意文件上传
– Steps to reproduce
1- As admin go to Content menu and click on Uploaded files
2- Inside the try to upload a .php file, and
3- try to upload a .php file directly, check that it is not possible.
4- Take the same .php file and place it in a .zip and upload it.
5- Extract through functionality and open the .php file
**Obs**: A strange behavior was that, after extracting the PHP file in functionality, it is seen as HTML.
– PoC
==> Executing Commands
![poc_01](/static/qingy/Typesetter_CMS任意文件上传/img/93630451-7595a580-f9c0-11ea-9166-30d2ede2535a.gif)
![test](/static/qingy/Typesetter_CMS任意文件上传/img/93628723-6d883680-f9bd-11ea-9d89-610565c43878.gif)
请登录后查看评论内容