蚂蚁分类getshell

摘要

from:90sec/member/include/inc_shop.php前面的ac不用管就是if判断然后进入操作而已。我们主要看template这里，获取$name_file的上传内容然后传入start_upload，这里说一下传参中可控的有$oldbanner
看下函数内容

from:90sec

/member/include/inc_shop.php

if($if_corp == 1){                 //???????????                 if($ac == 'base'){                         if(empty($tname)) write_msg('','?m=shop&type=corp&error=39');                         if(empty($areaid)) write_msg('','?m=shop&type=corp&error=40');                         $db -> query("UPDATE `{$db_mymps}member` SET tname='$tname',catid='$catids',areaid='$areaid',introduce='$introduce',address='$address',busway='$busway',mappoint='$mappoint',msn='$msn',web='$web' $where AND if_corp = '1'");                         write_msg('','?m=shop&type=corp&success=13');                 } elseif($ac == 'template') {                         if($_FILES[$name_file]['name']){                                 require_once MYMPS_INC.'/upfile.fun.php';                                 $destination = "/banner/".date('Ym')."/";                                 $mymps_image = start_upload($name_file,$destination,0,'','',$oldbanner,'');

前面的ac不用管就是if判断然后进入操作而已。我们主要看template这里，获取$name_file的上传内容然后传入start_upload，这里说一下传参中可控的有$oldbanner
看下函数内容

function start_upload( $file_name, $destination_folder, $watermark = 0, $limit_width = "", $limit_height = "", $edit_filename = "", $edit_pre_filename = "" ) {     global $mymps_global;     global $timestamp;     if ( !is_uploaded_file( $_FILES[$file_name]['tmp_name'] ) )     {         write_msg( "请重新选择您要上传的图片!" );     }     $file = $_FILES[$file_name];     @createdir( MYMPS_UPLOAD.$destination_folder );     $file_name = $file['tmp_name'];     $pinfo = pathinfo( $file['name'] );     $ftype = $pinfo['extension'];     $fname = $pinfo[basename];     if ( empty( $edit_filename ) && empty( $edit_pre_filename ) )     {         $destination_file = $timestamp.random( ).".".$ftype;         $destination = MYMPS_UPLOAD.$destination_folder.$destination_file;         $small_destination = MYMPS_UPLOAD.$destination_folder."pre_".$destination_file;     }     else     {         $destination = MYMPS_ROOT.$edit_filename;         $small_destination = MYMPS_ROOT.$edit_pre_filename;         $forbidarray = array(             MYMPS_ROOT."/images/logo.gif",             MYMPS_ROOT."/images/nopic.gif",             MYMPS_ROOT."/images/nophoto.jpg",             MYMPS_ROOT."/images/noavatar.gif",             MYMPS_ROOT."/images/noavatar_small.gif"         );         if ( !in_array( $destination, $forbidarray ) || $destination != MYMPS_ROOT )         {             @unlink( $destination );         }         if ( !in_array( $small_destination, $forbidarray ) || $destination != MYMPS_ROOT )         {             @unlink( $small_destination );         }         unset( $forbidarray );     }     if ( file_exists( $destination ) )     {         write_msg( "同名图片已存在，请重新选择您要上传的图片！" );     }     if ( !move_uploaded_file( $file_name, $destination ) )     {         write_msg( "图片上传失败，请重新选择您要上传的图片！" ); }

看这里

$file = $_FILES[$file_name];     @createdir( MYMPS_UPLOAD.$destination_folder );     $file_name = $file['tmp_name'];     $pinfo = pathinfo( $file['name'] );     $ftype = $pinfo['extension'];     $fname = $pinfo[basename];

先是获取了文件内容然后获取了文件后缀以及文件名这些

{         $destination = MYMPS_ROOT.$edit_filename;         $small_destination = MYMPS_ROOT.$edit_pre_filename;         $forbidarray = array(             MYMPS_ROOT."/images/logo.gif",             MYMPS_ROOT."/images/nopic.gif",             MYMPS_ROOT."/images/nophoto.jpg",             MYMPS_ROOT."/images/noavatar.gif",             MYMPS_ROOT."/images/noavatar_small.gif"         );

这里的edit与edit_pre讲道理的是非空所以进入了该if进行后缀以及路径拼接(期间并无任何效验)

<p class="MsoNormal" style="text-indent:20.0000pt;"><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;">if ( file_exists( $destination ) )</span><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;"><o:p></o:p></span></p><p class="MsoNormal" style="text-indent:20.0000pt;"><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;">    {</span><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;"><o:p></o:p></span></p><p class="MsoNormal" style="text-indent:20.0000pt;"><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;">        write_msg( "<font face="宋体">同名图片已存在，请重新选择您要上传的图片！</font><font face="Courier New">" );</font></span><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;"><o:p></o:p></span></p><p class="MsoNormal" style="text-indent:20.0000pt;"><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;">    }</span><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;"><o:p></o:p></span></p><p class="MsoNormal" style="text-indent:20.0000pt;"><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;">    if ( !move_uploaded_file( $file_name, $destination ) )</span><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;"><o:p></o:p></span></p><p class="MsoNormal" style="text-indent:20.0000pt;"><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;">    {</span><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;"><o:p></o:p></span></p><p class="MsoNormal" style="text-indent:20.0000pt;"><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;">        write_msg( "<font face="宋体">图片上传失败，请重新选择您要上传的图片！</font><font face="Courier New">" );</font></span><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;"><o:p></o:p></span></p><p class="MsoNormal" style="text-indent:20.0000pt;"><span style="mso-spacerun:'yes';font-family:宋体;mso-ascii-font-family:'Courier New';mso-hansi-font-family:'Courier New';mso-bidi-font-family:'Times New Roman';color:rgb(0,0,0);font-size:10.0000pt;mso-font-kerning:1.0000pt;">    }</span></p>

下面接着判断了是否存在相同名如果不存在同名则直接上传。
本地复现:

Old我们指定的文件名

不过印象中我并不记得蚂蚁分类会存在这个漏洞啊！！抱着各种心情多看一下.随便看一个

发现除了我们那个每个上面都会有一个check_upimage的调用 看看怎么回事