偶尔看到一个设备的漏洞挖掘。尝试也看了一下代码。如下:
参考:my.oschina.net/u/5242808/b…5
漏洞一、任意文件上传
<?php
$error = false ;
$tmpFilePath = $_FILES [ 'upload' ][ 'tmp_name' ];
$tmpFilePath = mb_convert_encoding ( $tmpFilePath , "GBK" , "UTF-8" );
if ( $tmpFilePath != "" ){
$newFilePath = "./files/" . $_FILES [ 'upload' ][ 'name' ];
if ( strtoupper ( substr ( PHP_OS , 0 , 3 )) == 'WIN' ){
$newFilePath = mb_convert_encoding ( $newFilePath , "GBK" , "UTF-8" );
}
if ( ! move_uploaded_file ( $tmpFilePath , $newFilePath )) {
$error = true ;
}
}
?>
URL:/upload/my_parser.php
参数为upload
访问URL:/upload/files/11.php
漏洞二、任意文件上传
URL:/php/addscenedata.php
<?php
require_once ( 'conversion.php' );
$arr [ 'res' ] = 0 ;
$tmpFilePath = $_FILES [ 'upload' ][ 'tmp_name' ];
if ( strtoupper ( substr ( PHP_OS , 0 , 3 )) == 'WIN' ) {
$tmpFilePath = mb_convert_encoding ( $tmpFilePath , "GBK" , "UTF-8" );
}
if ( $tmpFilePath != "" ){
$newFilePath = "../images/scene/" . $_FILES [ 'upload' ][ 'name' ];
if ( strtoupper ( substr ( PHP_OS , 0 , 3 )) == 'WIN' ) {
$newFilePath = mb_convert_encoding ( $newFilePath , "GBK" , "UTF-8" );
}
if ( move_uploaded_file ( $tmpFilePath , $newFilePath ))
{
$arr [ 'res' ] = 1 ;
}
}
echo JSON ( $arr );
?>
漏洞三、任意文件写入
URL:/php/uploadjson.php
<?php
require_once ( 'conversion.php' );
$arr [ "res" ] = "0" ;
$postData = $_POST [ 'jsondata' ];
if ( isset ( $postData [ 'filename' ]) && isset ( $postData [ 'data' ]))
{
$filename = $postData [ 'filename' ];
// WIN
$fullpath = dirname ( dirname ( __FILE__ )) . "\lan\" . $filename ;
// Linux
if ( strtoupper ( substr ( PHP_OS , 0 , 3 )) != 'WIN' ) {
$fullpath = dirname ( dirname ( __FILE__ )) . "/lan/" . $filename ;
}
$content = $postData [ 'data' ];
// 写入文件
$handle = fopen ( $fullpath , 'w' );
if ( $handle )
{
flock ( $handle , LOCK_EX );
fwrite ( $handle , $content );
flock ( $handle , LOCK_UN );
fclose ( $handle );
$arr [ "res" ] = "1" ;
}
}
echo JSON ( $arr );
?>
漏洞四、任意文件上传
URL:/php/addupdatefiles.php
<?php
$tmpFilePath = $_FILES [ 'upload' ][ 'tmp_name' ];
$tmpFilePath = mb_convert_encoding ( $tmpFilePath , "GBK" , "UTF-8" );
if ( $tmpFilePath != "" ){
$newFilePath = dirname ( dirname ( dirname ( dirname ( __FILE__ )))) . "/upload/" . $_FILES [ 'upload' ][ 'name' ];
if ( strtoupper ( substr ( PHP_OS , 0 , 3 )) == 'WIN' ){
$newFilePath = mb_convert_encoding ( $newFilePath , "GBK" , "UTF-8" );
}
if ( ! move_uploaded_file ( $tmpFilePath , $newFilePath )) {
echo '{"res": "1"}' ;
} else {
echo '{"res": "0"}' ;
}
}
?>
任意文件读取
/php/getjson.php
<?php
require_once ( 'conversion.php' );
$res = '{"res":"0"}' ;
$postData = $_POST [ 'jsondata' ];
if ( isset ( $postData [ 'filename' ]))
{
$filename = $postData [ 'filename' ];
// WIN
$fullpath = dirname ( dirname ( __FILE__ )) . "\lan\" . $filename ;
// Linux
if ( strtoupper ( substr ( PHP_OS , 0 , 3 )) != 'WIN' ) {
$fullpath = dirname ( dirname ( __FILE__ )) . "/lan/" . $filename ;
}
if ( file_exists ( $fullpath ))
{
$json_string = file_get_contents ( $fullpath );
$res = '{"res":"1","data":' . $json_string . '}' ;
}
}
echo $res ;
?>
最重要的login.php 来了
<?php
require_once ( 'conversion.php' );
$postData = $_POST [ 'jsondata' ];
$arr [ 'res' ] = 0 ;
if ( isset ( $postData [ 'username' ])) {
$user = $postData [ 'username' ];
$pass = $postData [ 'password' ];
if ( '800823' == $pass && 'administrator' == $user )
{
$arr [ 'username' ] = 'administrator' ;
$arr [ 'password' ] = '800823' ;
$arr [ 'display' ] = 'administrator' ;
$arr [ 'modules' ] = '1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1' ;
$arr [ 'rights' ] = '*' ;
$arr [ 'serverrights' ] = '*' ;
$arr [ 'isadmin' ] = '1' ;
$arr [ 'bindterminals' ] = '' ;
$arr [ 'res' ] = 1 ;
$arr [ 'mainurl' ] = 'main' ;
$arr [ 'token' ] = 'SESSION' ;
echo JSON ( $arr );
}
else
{
$result = UdpSendAndRecvJson ( $postData , "login" );
echo $result ;
}
}
?>
最后
有在学习网络安全的可以点击查看【网络安全学习资料·攻略】
- 2000多本网络安全系列电子书
- 网络安全标准题库资料
- 项目源码
- 网络安全基础入门、Linux、web安全、攻防方面的视频
- 网络安全学习路线图**