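Seeing how hard Cond0r has been working lately, I'm following along too.

I posted a vulnerability in the old version before. The new version still hasn't fixed it; only the code has changed.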

editor\upload.php:

<?php
define('IN_PHPUP',1);
define('ROOT_PATH',dirname(dirname(__FILE__)));
$root=str_replace('editor/upload.php','',$_SERVER['PHP_SELF']);

$uploaddir='data/upload/'.date('Y').'/'.date('m');

if($_FILES)
{
        include "../inc/global.func.php";
        $file=_upload('file1','../'.$uploaddir);

Now look at _upload in global.func.php

function _upload($upfile,$uploaddir='',$customfile='',$thumbinfo=array())
{
        include ROOT_PATH.'/inc/upload.class.php';
        $up=new upload($upfile);

Then look at upload.class.php

if(!defined('IN_PHPUP')) {
        exit('Access Denied');
}
class upload
{
        var $stuffix=array('image/jpg','image/gif','image/png','image/x-png',"image/pjpeg","image/jpeg","application/x-zip-compressed","application/x-shockwave-flash");
// a bunch of code omitted ......
        // check the file type
        function checkType()
        {
                if(!empty($_FILES[$this->handle]['type']) && in_array(strtolower($_FILES[$this->handle]['type']),$this->stuffix))
                       //in_array(strtolower($_FILES[$this->handle]['type']),$this->stuffix))  // still the same old vulnerability, defeated instantly
                {
                        $this->error.="";
                }
                else
                {
                        $this->error.="不允许上传的文件类型\n".strtolower($_FILES[$this->handle]['type']); // message: "File type not allowed"
                }
        }

I won't write the EXP; it's very easy to work out yourself.
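
The checkType() shown above compares only $_FILES[...]['type'], a value the client sends with the request, so it says nothing about the file's real content or its extension. The following is an added example of a hardened check, not code from the original post or from the project; the function name safe_upload, the allowlist and the use of PHP 7+ with the fileinfo extension are assumptions.

```php
<?php
// Added example (not the project's code): validate an upload without trusting
// $_FILES[...]['type'], which is copied from the request's Content-Type header.

// Assumed allowlist: extension => MIME type detected from the file's bytes.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
    'zip'  => 'application/zip',
];

// Hypothetical helper: returns the stored path, or throws on rejection.
function safe_upload(string $field, string $destDir): string
{
    $f = $_FILES[$field] ?? null;
    // Reject missing fields, array-style (multi-file) fields and failed uploads.
    if ($f === null || !is_string($f['tmp_name'] ?? null)
        || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // 1. The extension decides how the web server treats the stored file,
    //    so it must be on the allowlist (this is what keeps .php out).
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Detect the type from the content, server-side, and require it to
    //    match the extension. The client-sent type is never consulted.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // 3. Store under a server-generated name; never reuse the client's name.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}
```

Content sniffing alone can be satisfied by a file with a valid image header, so the extension allowlist is the check that matters most here. Disabling script execution for the upload directory in the web server configuration adds a second layer.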