怎样Phpwind Oday文件上传拿shell
发布网友
共1个回答
热心网友
...
} elseif ($action == 'uploadicon') {
if (empty($_GET['step'])) {
list($db_upload,$db_imglen,$db_imgwidth,$db_imgsize) = explode("\t",$db_upload);
InitGP(array('uid','verify'));//可以控制的两个参数
$swfhash = GetVerify($uid);
checkVerify('swfhash');//这里很有趣
require_once(R_P . 'lib/upload/faceupload.class.php');
$face = new FaceUpload($uid);
PwUpload::upload($face);
$uploaddb = $face->getAttachs();
echo $db_bbsurl.'/'.$attachpath.'/'.$uploaddb['fileuploarl'].'?'.$timestamp;exit;
} else {
...
先来看看代码中我标注的有趣的地方,看能否绕过checkVerify('swfhash')。找找checkVerify函数:
function checkVerify($hash = 'verifyhash') {
GetGP('verify') <> $GLOBALS[$hash] && Showmsg('illegal_request');//看参数是啥了
}
于是checkVerify('swfhash')其实就是检查$swfhash了,而$swfhash是通过GetVerify函数获得的,于是看看GetVerify函数:
function GetVerify($str,$app = null) {
empty($app) && $app = $GLOBALS['db_siteid'];//关键就是db_siteid了,而db_siteid可以通过注入获得
return substr(md5($str.$app.$GLOBALS['pwServer']['HTTP_USER_AGENT']),8,8);
}
于是好办了,先通过注入获得db_siteid,然后获取自己的'HTTP_USER_AGENT'(直接构造也行),可以轻松绕过前面的*,接着就直接看上传类了,$uid可以控制就可以自定义上传文件名了:
<?php
!defined('P_W') && exit('Forbidden');
require_once(R_P . 'lib/upload.class.php');
class FaceUpload extends uploadBehavior {
var $db;
var $uid;
var $attachs;
function FaceUpload($uid) {
global $db,$db_imgsize;
parent::uploadBehavior();
$this->uid = $uid;//这里没有int就悲剧了...
$this->db =& $db;
$this->ifftp = 0;
!$db_imgsize && $db_imgsize = 1000;
$this->ftype = array(
'gif' => $db_imgsize, 'jpg' => $db_imgsize,
'jpeg' => $db_imgsize, 'bmp' => $db_imgsize,
'png' => $db_imgsize
);
}
function allowType($key) {
return true;
}
function getFilePath($currUpload) {
$filename = $this->uid . '_tmp.' . $currUpload['ext'];
$savedir = 'upload/' . str_pad(substr($this->uid,-2),2,'0',STR_PAD_LEFT) . '/';
return array($filename, $savedir, '', '');
}
function update($uploaddb) {
$this->attachs = $uploaddb;
}
function getAttachs() {
return current($this->attachs);
}
}
?>
点击查看全文http://user.qzone.qq.com/4374330/blog/1286355093
