GV32-CMS最新版V5.6.4前台getshell

摘要

#1 文件application/user/upload.php 11-96行
[php]
//文件上传
uploadfile();function uploadfile()
{
$configUp=array();
$configUp['type'] = array("flash","img"); //上传允许type值
$configUp['img'] = array("jpg","bmp","gif","png"); //img允许后缀
$configUp['flash'] = array("flv","swf"); //flash允许后缀
$configUp['office'] = array("doc","docx","docm","dotx","dotm",
"xls","xlsx","xlsm","xltm","xlsb","xlam","csv","xlw","wk4","wk3","wk1","wks","dbf",
"ppt","pptx","pptm","ppsx","potx","potm","ppam"); //office允许后缀
if(MAX_UPSIZE != '')
{
$configUp['flash_size'] = MAX_UPSIZE; //上传flash大小上限 单位：KB
$configUp['img_size'] = MAX_UPSIZE; //上传img大小上限 单位：KB
}else{
$configUp['flash_size'] = 1000; //上传flash大小上限 单位：KB
$configUp['img_size'] = 2000; //上传img大小上限 单位：KB
}

#1 文件application/user/upload.php 11-96行
[php]
//文件上传
uploadfile();

function uploadfile()
{
$configUp=array();
$configUp['type'] = array("flash","img"); //上传允许type值
$configUp['img'] = array("jpg","bmp","gif","png"); //img允许后缀
$configUp['flash'] = array("flv","swf"); //flash允许后缀
$configUp['office'] = array("doc","docx","docm","dotx","dotm",
"xls","xlsx","xlsm","xltm","xlsb","xlam","csv","xlw","wk4","wk3","wk1","wks","dbf",
"ppt","pptx","pptm","ppsx","potx","potm","ppam"); //office允许后缀
if(MAX_UPSIZE != '')
{
$configUp['flash_size'] = MAX_UPSIZE; //上传flash大小上限 单位：KB
$configUp['img_size'] = MAX_UPSIZE; //上传img大小上限 单位：KB
}else{
$configUp['flash_size'] = 1000; //上传flash大小上限 单位：KB
$configUp['img_size'] = 2000; //上传img大小上限 单位：KB
}

$configUp['message'] = "上传成功"; //上传成功后显示的消息，若为空则不显示
$configUp['name'] = mktime(); //上传后的文件命名规则 这里以unix时间戳来命名

if(BASE_WEBURL!='')
{
$configUp['flash_dir'] = BASE_WEBURL."/uploads/flash"; //上传flash文件地址 采用绝对地址 方便upload.php文件放在站内的任何位置 后面不加"/"
$configUp['img_dir'] = BASE_WEBURL."/uploads/img"; //上传img文件地址 采用绝对地址 采用绝对地址 方便upload.php文件放在站内的任何位置 后面不加"/"
}else{
$configUp['flash_dir'] = "/uploads/flash"; //上传flash文件地址 采用绝对地址 方便upload.php文件放在站内的任何位置 后面不加"/"
$configUp['img_dir'] = "/uploads/img"; //上传img文件地址 采用绝对地址 采用绝对地址 方便upload.php文件放在站内的任何位置 后面不加"/"
}

if(IMG_URL!='')
{
$configUp['site_url'] = IMG_URL; //网站的网址 这与图片上传后的地址有关 最后不加"/" 可留空
}else{
$configUp['site_url']=""; //网站的网址 这与图片上传后的地址有关 最后不加"/" 可留空
}

//判断是否是非法调用
if(empty($_GET['CKEditorFuncNum']))
mkhtml(1,"","错误的功能调用请求");
$fn=$_GET['CKEditorFuncNum'];

if(is_uploaded_file($_FILES['upload']['tmp_name']))
{
//判断上传文件是否允许
$filearr=pathinfo($_FILES['upload']['name']);
$filetype=$filearr["extension"];

if(!in_array($filetype,$configUp['img']))
mkhtml($fn,"","错误的文件类型！");
//判断文件大小是否符合要求
if($_FILES['upload']['size'] > $configUp["img_size"]*1024)
mkhtml($fn,"","上传的文件不能超过".$configUp["img_size"]."KB！");

$file_abso=$configUp["img_dir"]."/".$configUp['name'].".".$filetype;
$file_host=$_SERVER['DOCUMENT_ROOT'].$file_abso;
if(move_uploaded_file($_FILES['upload']['tmp_name'],$file_host))
{
mkhtml($fn,$file_abso,$configUp['message']);
}else
{
mkhtml($fn,"","文件上传失败，请检查上传目录设置和目录读写权限");
}
}
}

//输出js调用

function mkhtml($fn,$fileurl,$message)
{
echo $str='

';
exit($str);

}

?>
[/php]
[php]
if(!in_array($filetype,$configUp['img'])) 判断了文件类型数组
$configUp['img'] = array("jpg","bmp","gif","png");
[/php]
然后js调用输出 很好突破直接抓包修改格式上传就ok
#2 利用方式
#1 首先注册一个账号
#2 首页 > 用户中心 > 基本信息 头像上传文件 抓包改包上传
google关键词：Powered by GV32.COM 找到约 19,300 条结果 （用时 0.29 秒）
有一定的用户量 随便找一个站测试下
#http://engleeagro.com/ 注册个账号，然后头像上传 抓包
改包上传成功：
：