Blue Dolphin (蓝海豚) Group-Buying System: File Upload, File Inclusion and File Read Vulnerabilities

Posted by admin, 2021-04-03 18:51:37

Author: 心灵

The classic line: just read the code...

controlsuser.class.php is the customer (user) operations class.

controlsuser.class.php:

function addgroup_action()   // index.php?con=user&act=addgroup
{
    if(!$GLOBALS['session']->get('uid'))  // check that the user is logged in
    {
        sheader(url('user','login'));
    }
    // a pile of irrelevant code omitted
    if(submitcheck('commit'))  // the form was submitted via POST
    // more code omitted
    if(!empty($_POST['thumb_img']))
    {
        $data['thumb']='http://'.str_replace('http://','',$_POST['thumb_img']);
    }
    elseif($_FILES['file_img']['error']==0)
    {
        $data['thumb']=_upload('file_img',$GLOBALS['uploaddir'].'/'.date('Y/m'));

// now look at _upload
function _upload($upfile,$uploaddir='',$customfile='',$thumbinfo=array())
{
    include ROOT_PATH.'/inc/upload.class.php';
    $up=new upload($upfile);

// now look at upload.class.php
if(!defined('IN_PHPUP')) {
    exit('Access Denied');
}
class upload
{
    var $stuffix=array('image/jpg','image/gif','image/png','image/x-png',"image/pjpeg","image/jpeg","application/x-zip-compressed","application/x-shockwave-flash");
    // a pile of code omitted
    // check the file type
    function checkType()
    {
        // $_FILES[...]['type'] is the Content-Type sent by the client
        if(!empty($_FILES[$this->handle]['type']) && in_array(strtolower($_FILES[$this->handle]['type']),$this->stuffix))
        {
            $this->error.="";
        }
        else
        {
            // message text: "file type not allowed for upload"
            $this->error.="不允许上传的文件类型n".strtolower($_FILES[$this->handle]['type']);
        }
// what a powerful check.......
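It is quite something that an upload vulnerability like this still exists these days.

Content-Disposition: form-data; name="thumb_img"; filename="D:1.php"
Content-Type: application/x-php

Request content:

Content-Type: application/x-php

This value marks the upload as a PHP file. Changing it to image/jpg is enough to bypass the check, because checkType() only compares the type reported in the request against its list.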
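A server-side check that does not depend on the request's Content-Type, as an added example that is not code from the Blue Dolphin source. The helper names `checked_image_extension()` and `store_image()` are hypothetical, the `fileinfo` extension is assumed to be enabled, and the destination directory is assumed to exist.

```php
<?php
// Added example (hypothetical helpers, not Blue Dolphin code).
// Allow-list: content type detected on the server => extension the file is stored under.
const ALLOWED_IMAGES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and return the extension to store it under.
 * Throws RuntimeException if the upload must be rejected.
 */
function checked_image_extension(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // $file['type'] and $file['name'] come straight from the request, so they
    // are not consulted. The type is sniffed from the bytes PHP wrote to disk.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED_IMAGES)) {
        throw new RuntimeException('file type not allowed');
    }
    return ALLOWED_IMAGES[$mime];
}

/** Move the upload into $destDir under a server-generated name; returns the new path. */
function store_image(array $file, string $destDir): string
{
    // The stored extension comes from the allow-list, never from the client's
    // filename, so a file named 1.php cannot end up on disk as *.php.
    $ext  = checked_image_extension($file);
    $path = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        throw new RuntimeException('could not store upload');
    }
    return $path;
}

// Usage inside the upload handler (field name and directory taken from the code above):
// $data['thumb'] = store_image($_FILES['file_img'], $GLOBALS['uploaddir'] . '/' . date('Y/m'));
```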

Local file inclusion vulnerability, index.php.

index.php:

$controller=(empty($_REQUEST['con'])?'index':$_REQUEST['con']);
$action=empty($_REQUEST['act'])?'index':$_REQUEST['act'];
if(!is_file(ROOT_PATH.'/controls/'.$controller.'.class.php'))
{
        $controller='index';
        $action='index';
}
require(ROOT_PATH.'/controls/'.$controller.'.class.php');
Of course, this again requires the so-called truncation, since '.class.php' is appended to the parameter.

File read vulnerability, email.class.php.

email.class.php:

function emailcontent_action()
{
    if(!empty($_GET['file']))
    {
        $nefile=$this->emaildir.'/'.$_GET['file'].'.txt';  // the suffix is forced to .txt
        if(is_file($nefile))
        {
            if(function_exists('file_get_contents'))
            {
                echo file_get_contents($nefile);
            }
            else
            {
                $handle = fopen($nefile, "r");
                while (!feof($handle)) {
                    $buffer = fgets($fd, 4096);  // as quoted: $fd is undefined, the open handle is $handle
                    echo $buffer;
                }
                fclose($handle);

This one also requires the so-called truncation, although I do not know whether is_file can be truncated.

Article source: lcx.cc: 蓝海豚团购系统 上传,包含,读取文件漏洞

When reposting, please keep the link to this article (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/318902.html
