雪晖在线投票系统 php 版上传漏洞,任意文件名解析漏洞。

    上传文件 imgupload.php 文件代码:

imgupload.php:

<?php
require_once("conn.php");
header("Content-type:text/html;charset=gbk");
$tid = $_POST["tid"];
$sid = "";
$query = mysql_query("select sid from xh_title where id=".$tid,$conn);
if($row=mysql_fetch_array($query)){
$sid = $row["sid"];
}
mysql_free_result($query);
$uploadDir = "xh_upload/".$sid."/".$tid;
if(!is_dir($uploadDir)){
@mkdir($uploadDir,0777,true);
}
$type=array("jpg","gif","png","bmp","jpeg");
$filename=$_FILES["ImgFile"]["name"];
$fileExt=trim(substr($filename,strrpos($filename,".")+1));
if(!in_array(strtolower($fileExt),$type)){
$text = implode(",",$type);
mysql_close($conn);
die("<script>parent.document.getElementById('error').innerHTML='只能上传此类型文件:".$text."';history.back(1);</script>");
}
$newFileName=$uploadDir."/".date("YmdHis").$filename;
if(move_uploaded_file($_FILES["ImgFile"]["tmp_name"],$newFileName)){
mysql_close($conn);
die("<script>parent.form1.imgurl.value='".$newFileName."';history.back(1);</script>");
}else{
mysql_close($conn);
die("<script>parent.document.getElementById('error').innerHTML='文件上传失败!';history.back(1);</script>");
}
mysql_close($conn);
?>