偶尔看到一个设备的漏洞挖掘。尝试也看了一下代码。如下:
参考:https://blog.csdn.net/HBohan/article/details/121493301
漏洞一、任意文件上传
<?php
$error = false;
$tmpFilePath = $_FILES['upload']['tmp_name'];
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
if ($tmpFilePath != ""){
$newFilePath = "./files/" . $_FILES['upload']['name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN'){
$newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
}
if(!move_uploaded_file($tmpFilePath, $newFilePath)) {
$error = true;
}
}
?>URL:/upload/my_parser.php
看到文章末尾【查看学习资料·攻略】
参数为upload
访问URL:/upload/files/11.php
漏洞二、任意文件上传
URL:/php/addscenedata.php
<?php
require_once ('conversion.php');
$arr['res'] = 0;
$tmpFilePath = $_FILES['upload']['tmp_name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
}
if ($tmpFilePath != ""){
$newFilePath = "../images/scene/" . $_FILES['upload']['name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
$newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
}
if(move_uploaded_file($tmpFilePath, $newFilePath))
{
$arr['res'] = 1;
}
}
echo JSON($arr);
?>漏洞三、任意文件写入
URL:/php/uploadjson.php
<?php
require_once ('conversion.php');
$arr["res"] = "0";
$postData = $_POST['jsondata'];
if (isset($postData['filename']) && isset($postData['data']))
{
$filename = $postData['filename'];
// WIN
$fullpath = dirname(dirname(__FILE__))."\\lan\\".$filename;
// Linux
if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
$fullpath = dirname(dirname(__FILE__))."/lan/".$filename;
}
$content = $postData['data'];
// 写入文件
$handle = fopen($fullpath, 'w');
if ($handle)
{
flock($handle, LOCK_EX);
fwrite($handle, $content);
flock($handle, LOCK_UN);
fclose($handle);
$arr["res"] = "1";
}
}
echo JSON($arr);
?>漏洞四、任意文件上传
URL:/php/addupdatefiles.php
<?php
$tmpFilePath = $_FILES['upload']['tmp_name'];
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
if ($tmpFilePath != ""){
$newFilePath = dirname(dirname(dirname(dirname(__FILE__))))."/upload/" . $_FILES['upload']['name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN'){
$newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
}
if(!move_uploaded_file($tmpFilePath, $newFilePath)) {
echo '{"res": "1"}';
} else {
echo '{"res": "0"}';
}
}
?>任意文件读取
/php/getjson.php
<?php
require_once ('conversion.php');
$res = '{"res":"0"}';
$postData = $_POST['jsondata'];
if (isset($postData['filename']))
{
$filename = $postData['filename'];
// WIN
$fullpath = dirname(dirname(__FILE__))."\\lan\\".$filename;
// Linux
if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
$fullpath = dirname(dirname(__FILE__))."/lan/".$filename;
}
if (file_exists($fullpath))
{
$json_string = file_get_contents($fullpath);
$res = '{"res":"1","data":'.$json_string.'}';
}
}
echo $res;
?>最重要的login.php 来了
<?php
require_once ('conversion.php');
$postData = $_POST['jsondata'];
$arr['res'] = 0;
if (isset($postData['username'])) {
$user = $postData['username'];
$pass = $postData['password'];
if ('800823' == $pass && 'administrator' == $user)
{
$arr['username'] = 'administrator';
$arr['password'] = '800823';
$arr['display'] = 'administrator';
$arr['modules'] = '1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1';
$arr['rights'] = '*';
$arr['serverrights'] = '*';
$arr['isadmin'] = '1';
$arr['bindterminals'] = '';
$arr['res'] = 1;
$arr['mainurl'] = 'main';
$arr['token'] = 'SESSION';
echo JSON($arr);
}
else
{
$result = UdpSendAndRecvJson($postData, "login");
echo $result;
}
}
?>最后
有在学习网络安全的可以私信我获取【网络安全学习资料·攻略】
1.2000多本网络安全系列电子书
2.网络安全标准题库资料
3.项目源码
4.网络安全基础入门、Linux、web安全、攻防方面的视频
5.网络安全学习路线图