某网络硬盘漏洞

  • A+
所属分类:lcx

 

header( 'Content-Type:text/html;charset=UTF-8');       
?>

        require 'include/global.php';
        require 'include/config.php';
        require 'include/db.php';
?>
请稍等 - <?php echo $hostname; ?> - Powered by <a href="http://cn-sec.com/archives/tag/shlan/" title="查看与 shlan 相关的文章" target="_blank">shlan</a>

        $a=strtolower(fileext($_FILES['file']['name']));
        /*判断文件类型*/
        if(!in_array(strtolower(fileext($_FILES['file']['name'])),$type))
        {
                $text=implode(",",$type);
                echo "您只能上传以下类型文件: ",$text,"  <<<返回";
        }
        else
        {
        $sizsdy=$_FILES['file']['size'];
        if($size >= $sizsdy)
        {

/*fm制作*/
        $bigtext =$_POST["contents"];
        $bigtype =$_POST["type"]; //数组
         foreach($bigtype AS $key=>$type){
         $ztype=$ztype."|".$bigtype[$key];
         }
$atype = explode("|", $ztype);//数组
        $filename=explode(".",$_FILES['file']['name']);
                do
                {
                        $date=date('ym');
                        $filename[0]=random(10); //设置随机数长度,也就是文件前缀
                        $name=implode(".",$filename);
                        $name1=$name.".Yisde";//强制后缀名
                        $uploador=$uploaddir.$date;
                if(!is_dir($uploador)) {
                        //@mkdir($uploador, 0777);
                        @mkdir($uploador, 0666);
                        @chmod($uploador,   0777);
                        @fclose(fopen($uploador.'/index.htm', 'w'));
                        }
                        $uploadfile=$uploaddir.$date.'/'.$name1;//上传文件名后缀数量没有限制
                }
                while(file_exists($uploadfile));

                if (move_uploaded_file($_FILES['file']['tmp_name'],$uploadfile))
                {
                        $filesname=$_FILES['file']['name'];
                        $db=new db;
                        $db->connect($dbhost, $dbuser, $dbpwd, $dbname);
                        $db->query("set names utf8");
                        $sql="insert into wh_list (code,filename,file,contents,type,text) values ('".$filename[0]."','".$filesname."','".$name1."','".$date."','".$ztype."','".$bigtext."')";
                                if($db->query($sql))
                                {
                                        echo "";//下载码,文件前缀
                                }
                                else
                                {
                                        echo"";
                                }
                }
        }
        else
        {
                echo"";
        }
        }
?>

利用iis的.php;.txt和apache的.php.g1f 的特性执行,以windows为例,将webshell改名为webshell.php;.txt,上传,上传的文件名及路径url/upfiles/年月/文件前缀.php;.txt.Yisde。

文章来源于lcx.cc:某网络硬盘漏洞

相关推荐: 获取 monlist 命令结果源码,NTP时间服务器 monlist 命令

Option Explicit Public Function HexToByte(ByVal Hex As String) As Byte() '将字符串形式的 Hex 值转换为 Byte 数组,例子:HexToByte("202020") Dim Tmp(…

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: