蓝海豚团购导航 V4.0.4 没修复上传漏洞

  • A+
所属分类:lcx

最近看Cond0r牛那么努力 我也跟后面了

以前发过旧版本漏洞 新版本依然没有修复 只是代码变了

editorupload.php:

define('IN_PHPUP',1);
define('ROOT_PATH',dirname(dirname(__FILE__)));
$root=str_replace('editor/upload.php','',$_SERVER['PHP_SELF']);

$uploaddir='data/upload/'.date('Y').'/'.date('m');

if($_FILES)
{
        include "../inc/global.func.php";
        $file=_upload('file1','../'.$uploaddir);

在看 global.func.php 的 _upload

function _upload($upfile,$uploaddir='',$customfile='',$thumbinfo=array())
{
        include ROOT_PATH.'/inc/upload.class.php';
        $up=new upload($upfile);

再看 upload.class.php

if(!defined('IN_PHPUP')) {
        exit('Access Denied');
}
class upload
{
        var $stuffix=array('image/jpg','image/gif','image/png','image/x-png',"image/pjpeg","image/jpeg","application/x-zip-compressed","application/x-shockwave-flash");
//省一堆代码......
        //检查文件类型
        function checkType()
        {
                if(!empty($_FILES[$this->handle]['type']) && in_array(strtolower($_FILES[$this->handle]['type']),$this->stuffix))
                       //in_array(strtolower($_FILES[$this->handle]['type']),$this->stuffix))  //还是以前那漏洞直接秒杀
                {
                        $this->error.="";
                }
                else
                {
                        $this->error.="不允许上传的文件类型n".strtolower($_FILES[$this->handle]['type']);
                }
        }

EXP就不写了 自己搞下很简单的

文章来源于lcx.cc:蓝海豚团购导航 V4.0.4 没修复上传漏洞

相关推荐: QQ魔力日志分析附实现源码

缘起 很多人看到魔力日志都感觉:我靠怎么那么神奇 Zone里我也看到了不少讨论的,但是都没有特别详细的实现方法 特别是我这一年龄段的,空间里都转疯了. ________________________________________ Know it 首先我们只…

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: