声明:本文仅用于网络安全相关知识分享,文中测试环境均为自己搭建的靶场,请严格遵守网络安全相关法律法规。
未经授权利用本文相关技术从事违法活动的,一切后果由违法人自行承担!Jie安全公众号及作者不承担任何法律责任。
死学没用,劳逸结合,玩累了再学。
不经过任何过滤,张口就来,反射XSS
if ($_GET['art']):<dd><span class="state">内容生成完毕 !共 echo $_GET['art'];条。</span></dd>
public function update(){if(isset($_POST['send'])){$this->_model->id=$_POST['id'];$this->getPost();if($this->_model->update_link()){tool::layer_alert('链接修改成功!','?a=link',6);}else{tool::layer_alert('链接修改失败!','?a=link',5);}}if(isset($_GET['id'])){$this->_model->id=$_GET['id'];$_link=$this->_model->get_linkOne();if($_link){$this->_tpl->assign('id',StripSlashes($_link[0]->id));$this->_tpl->assign('linkname',StripSlashes($_link[0]->linkname));$this->_tpl->assign('linkurl',StripSlashes($_link[0]->linkurl));$this->_tpl->assign('prev_url',tool::getPrevPage());}}$this->_tpl->display('admin/link/update.tpl');}
麻了
//表单提交字符转义static public function setFormString($_string) {if (!get_magic_quotes_gpc()) {if (Validate::isArray($_string)) {foreach ($_string as $_key=>$_value) {$_string[$_key] = self::setFormString($_value); //不支持就用代替addslashes();}} else {return addslashes($_string); //mysql_real_escape_string($_string, $_link);}}return $_string;}//转义过滤static public function setRequest() {if (isset($_GET)) $_GET = Tool::setFormString($_GET);if (isset($_POST)) $_POST = Tool::setFormString($_POST);}//反转义static public function getFormString($_object,$_field){if ($_object) {foreach ($_object as $_value) {$_value->$_field = StripSlashes($_value->$_field);}}}
class LogoUpload {private $error; //错误代码private $maxsize; //表单最大值private $type; //类型private $typeArr = array('image/png','image/x-png'); //类型合集private $path; //目录路径private $name; //文件名private $tmp; //临时文件private $linkpath; //链接路径//构造方法,初始化public function __construct($_file,$_maxsize) {$this->error = $_FILES[$_file]['error'];$this->maxsize = $_maxsize / 1024;$this->type = $_FILES[$_file]['type'];$this->path = ROOT_PATH.'/'.UPLOGO;$this->name = $_FILES[$_file]['name'];$this->tmp = $_FILES[$_file]['tmp_name'];$this->checkError();$this->checkType();$this->checkPath();$this->moveUpload();}private function checkType() {if (!in_array($this->type,$this->typeArr)) {Tool::alertBack('警告:LOGO图片必须是PNG格式!');}}
public function delall(){if(isset($_POST['send'])){if(validate::isNullString($_POST['pid'])) tool::layer_alert('没有选择任何图片!','?a=pic',7);$_fileDir=ROOT_PATH.'/uploads/';foreach($_POST['pid'] as $_value){$_filePath=$_fileDir.$_value;if(!unlink($_filePath)){tool::layer_alert('图片删除失败,请设权限为777!','?a=pic',7);}else{header('Location:?a=pic');}}
在C盘根目录新建/etc/passwd.txt文件
没了
原文始发于微信公众号(Jie安全):某CMS任意文件上传、任意文件删除、XSS挖掘。
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论