海盗云商前台getshell

在会员头像上传处

        public function avatar() { if(checksubmit('dosubmit')) { if(empty($_GET['avatar'])) { showmessage('请上传头像','',0); } $avatar = $_GET['avatar']; $x = (int) $_GET['x']; $y = (int) $_GET['y']; $w = (int) $_GET['w']; $h = (int) $_GET['h']; if(is_file($avatar) && file_exists($avatar)) { $ext = strtolower(pathinfo($avatar, PATHINFO_EXTENSION)); $name = basename($avatar, '.'.$ext); $dir = dirname($avatar); if(in_array($ext, array('gif','jpg','jpeg','bmp','png'))) { $name = $name.'_crop_200_200.'.$ext; $file = $dir.'/'.$name; $image = new image($avatar); $image->crop($w, $h, $x, $y, 200, 200); $image->save($file); if(file_exists($file)) { $avatar = getavatar($this->member['id'], false); dir::create(dirname($avatar)); @rename($file, $avatar); showmessage('头像更换成功','',1); } else { showmessage('头像数据裁剪失败','',0); } } else { showmessage('请勿上传非法图片','',0); } } else { showmessage('头像数据异常','',0); } } else { $SEO = seo('修改头像 - 会员中心'); $attachment_init = attachment_init(array('module' => 'member', 'mid' => $this->member['id'])); include template('account_avatar'); } } }

可以看到上传的头像跟
$avatar = $_GET['avatar'];有关切只验证上传文件的后缀

那么xx.php%00.jpg gif都可以

这里只能上传一个图片马，单单的php代码会被渲染

修改两处，可以看到成功截断了.

海盗云商:http://www.haidao.la/