Author: 心灵

    Classic stuff, just read the code...

    controls\user.class.php, the customer-operations class

controls\user.class.php:

function addgroup_action()   // index.php?con=user&act=addgroup
{
    if(!$GLOBALS['session']->get('uid'))  // check that the user is logged in
    {
        sheader(url('user','login'));
    }
    // ... a pile of irrelevant code omitted
    if(submitcheck('commit'))  // POST confirmed
    // ... more omitted
    if(!empty($_POST['thumb_img']))
    {
        $data['thumb']='http://'.str_replace('http://','',$_POST['thumb_img']);
    }
    elseif($_FILES['file_img']['error']==0)
    {
        $data['thumb']=_upload('file_img',$GLOBALS['uploaddir'].'/'.date('Y/m'));

// now look at _upload
function _upload($upfile,$uploaddir='',$customfile='',$thumbinfo=array())
{
    include ROOT_PATH.'/inc/upload.class.php';
    $up=new upload($upfile);

// now look at upload.class.php
if(!defined('IN_PHPUP')) {
    exit('Access Denied');
}
class upload
{
    var $stuffix=array('image/jpg','image/gif','image/png','image/x-png',"image/pjpeg","image/jpeg","application/x-zip-compressed","application/x-shockwave-flash");
    // ... a pile of code omitted
    // check the file type
    function checkType()
    {
        // $_FILES[...]['type'] is the Content-Type the client sent, so this only compares a client-supplied string against the whitelist
        if(!empty($_FILES[$this->handle]['type']) && in_array(strtolower($_FILES[$this->handle]['type']),$this->stuffix))
        {
            $this->error.="";
        }
        else
        {
            $this->error.="不允许上传的文件类型\n".strtolower($_FILES[$this->handle]['type']);
        }
// a very "powerful" check.......

Amazing that upload vulnerabilities like this still exist these days.

Request body:

Content-Disposition: form-data; name="thumb_img"; filename="D:\1.php"
Content-Type: application/x-php

The line

Content-Type: application/x-php

declares the file as PHP; changing it to image/jpg is enough to pass the check.

    Local file inclusion, index.php.

index.php:

$controller=(empty($_REQUEST['con'])?'index':$_REQUEST['con']);
$action=empty($_REQUEST['act'])?'index':$_REQUEST['act'];
if(!is_file(ROOT_PATH.'/controls/'.$controller.'.class.php'))
{
        $controller='index';
        $action='index';
}
require(ROOT_PATH.'/controls/'.$controller.'.class.php');
Of course, this one again depends on the so-called truncation trick.

    Arbitrary file read, email.class.php.

email.class.php:

function emailcontent_action()
{
    if(!empty($_GET['file']))
    {
        $nefile=$this->emaildir.'/'.$_GET['file'].'.txt';  // the extension is fixed, but $_GET['file'] is concatenated unfiltered
        if(is_file($nefile))
        {
            if(function_exists('file_get_contents'))
            {
                echo file_get_contents($nefile);
            }
            else
            {
                $handle = fopen($nefile, "r");
                while (!feof($handle)) {
                    $buffer = fgets($handle, 4096);  // the original read from an undefined $fd
                    echo $buffer;
                }
                fclose($handle);
            }
        }
    }
}

    This one also needs the so-called truncation; whether is_file() can be truncated, I am not sure.
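For contrast, here is how the three checks discussed above (the upload type check, the controller include and the email file read) look when written defensively. This is an added example, not code from the application; the function names and the $controlsDir / $emaildir parameters are assumptions for illustration.

```php
<?php
// Added example, not the application's own code: hardened versions of the
// three checks discussed in this writeup. Function names are assumptions.

// 1. Upload: $_FILES[..]['type'] is the client's Content-Type header and is
//    attacker-controlled. Whitelist the extension, sniff the real content with
//    finfo, and let the server choose the stored file name.
function checkUploadedImage(array $file)
{
    $allowedExt  = ['jpg', 'jpeg', 'gif', 'png'];
    $allowedMime = ['image/jpeg', 'image/gif', 'image/png'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;
    }
    $real = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($real, $allowedMime, true) || @getimagesize($file['tmp_name']) === false) {
        return false;
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;   // server-chosen name
}

// 2. Dispatch: accept only a plain identifier, so the value can never carry
//    "../", a NUL byte or any other path syntax into require().
function resolveController($con, $controlsDir)
{
    if (!preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', (string) $con)) {
        return 'index';
    }
    return is_file("$controlsDir/$con.class.php") ? $con : 'index';
}

// 3. File read: same identifier rule, plus a realpath() containment check so
//    the resolved file is provably inside $emaildir.
function emailFilePath($name, $emaildir)
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', (string) $name)) {
        return null;
    }
    $real = realpath("$emaildir/$name.txt");
    $base = realpath($emaildir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}
```

The identifier whitelist in resolveController() and emailFilePath() removes the need to reason about truncation at all, since a value that is not a bare token is rejected before any path is built.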