偶然看到一篇关于某设备的漏洞挖掘文章,自己也尝试审计了一下代码,记录如下:
参考:https://blog.csdn.net/HBohan/article/details/121492754
漏洞一、任意文件上传
<?php
// Upload handler: moves the file from the "upload" form field into ./files/
// under the name supplied by the client.
// NOTE(review): no authentication or session check is visible in this listing;
// confirm whether one is enforced elsewhere (web server config, include file).
// $error is set on failure but is not read anywhere in this listing.
$error = false;
$tmpFilePath = $_FILES['upload']['tmp_name'];
// The temp path is converted UTF-8 -> GBK unconditionally here, while the
// destination path below is converted only when PHP_OS starts with "WIN".
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
if ($tmpFilePath != ""){
// Root cause: the client-supplied file name, extension included, is appended
// to the destination directory as-is. There is no extension allow-list, no
// content/MIME check and no size limit in this code.
// Mitigation: generate the stored name server-side, allow-list the expected
// extensions, store uploads outside the web root or disable script execution
// in the upload directory, and require an authenticated session.
$newFilePath = "./files/" . $_FILES['upload']['name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN'){
$newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
}
// move_uploaded_file() only confirms the source is a genuine HTTP upload; it
// does not validate the destination name or the file contents.
if(!move_uploaded_file($tmpFilePath, $newFilePath)) {
$error = true;
}
}
?>
URL:/upload/my_parser.php
上传表单的字段名为 upload。
上传后的文件可通过 URL:/upload/files/11.php 直接访问。根本原因是代码未对文件名和扩展名做任何校验,且保存目录位于 Web 可访问的路径下。
漏洞二、任意文件上传
URL:/php/addscenedata.php
<?php
// Upload handler: stores the file from the "upload" form field in
// ../images/scene/ under the client-supplied name and reports the outcome as
// JSON (res = 1 on success, 0 otherwise).
// NOTE(review): no authentication check is visible in this listing; JSON() is
// not defined here and is presumably provided by conversion.php - confirm.
require_once ('conversion.php');
$arr['res'] = 0;
$tmpFilePath = $_FILES['upload']['tmp_name'];
// Path encoding is converted UTF-8 -> GBK only when PHP_OS starts with "WIN".
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
}
if ($tmpFilePath != ""){
// Root cause: the client-supplied name, extension included, is used as the
// stored file name with no allow-list, content check or size limit.
// Mitigation: allow-list the expected image extensions and verify the content
// type server-side, generate the stored name on the server, and make sure the
// target directory cannot execute scripts.
$newFilePath = "../images/scene/" . $_FILES['upload']['name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
$newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
}
// move_uploaded_file() checks only that the source is an HTTP upload.
if(move_uploaded_file($tmpFilePath, $newFilePath))
{
$arr['res'] = 1;
}
}
echo JSON($arr);
?>
漏洞三、任意文件写入
URL:/php/uploadjson.php
<?php
// NOTE(review): this listing is line-for-line identical to the
// addscenedata.php listing earlier on the page; confirm it really is the
// source of uploadjson.php and not a paste of the previous snippet.
// As shown, it stores the file from the "upload" form field in
// ../images/scene/ under the client-supplied name and returns res = 1 on
// success. No authentication check is visible in this listing.
require_once ('conversion.php');
$arr['res'] = 0;
$tmpFilePath = $_FILES['upload']['tmp_name'];
// Path encoding is converted UTF-8 -> GBK only when PHP_OS starts with "WIN".
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
}
if ($tmpFilePath != ""){
// Root cause: the stored name and extension come straight from the request;
// nothing restricts the file type, content or size.
// Mitigation: allow-list extensions, validate content server-side, generate
// the stored name on the server, and deny script execution in the directory.
$newFilePath = "../images/scene/" . $_FILES['upload']['name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
$newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
}
// move_uploaded_file() checks only that the source is an HTTP upload.
if(move_uploaded_file($tmpFilePath, $newFilePath))
{
$arr['res'] = 1;
}
}
// JSON() is not defined in this listing (presumably from conversion.php).
echo JSON($arr);
?>
漏洞四、任意文件上传
URL:/php/addupdatefiles.php
<?php
// Upload handler: stores the file from the "upload" form field in the
// "upload" directory four levels above this script, under the client-supplied
// name, and prints a small JSON status string.
// NOTE(review): no authentication check is visible in this listing, and
// whether the target directory is served by the web server cannot be told
// from here - confirm both.
$tmpFilePath = $_FILES['upload']['tmp_name'];
// The temp path is converted UTF-8 -> GBK unconditionally; the destination
// path below is converted only when PHP_OS starts with "WIN".
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
if ($tmpFilePath != ""){
// Root cause: the client-supplied name, extension included, becomes the stored
// file name; there is no allow-list, content check or size limit.
// Mitigation: allow-list the expected update-file types, verify integrity
// (e.g. a signature) before accepting an update file, generate the stored
// name server-side and require an authenticated administrator session.
$newFilePath = dirname(dirname(dirname(dirname(__FILE__))))."/upload/" . $_FILES['upload']['name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN'){
$newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
}
// Status convention here: "1" is printed when the move FAILS and "0" when it
// succeeds - the opposite of the res = 1 on success used by the
// addscenedata.php listing on this page.
if(!move_uploaded_file($tmpFilePath, $newFilePath)) {
echo '{"res": "1"}';
} else {
echo '{"res": "0"}';
}
}
?>
漏洞五、任意文件读取
URL:/php/getjson.php
<?php
// Returns the contents of a file from the "lan" directory (one level above
// this script's directory) wrapped in a JSON envelope. The file name is taken
// from the POST field jsondata[filename].
// NOTE(review): no authentication check is visible in this listing.
require_once ('conversion.php');
$res = '{"res":"0"}';
// Read without an isset() guard; it is indexed as an array below.
$postData = $_POST['jsondata'];
if (isset($postData['filename']))
{
$filename = $postData['filename'];
// Root cause: $filename is concatenated into the path with no normalisation,
// so nothing confines the resolved path to the lan directory.
// Mitigation: accept only names from a fixed allow-list (or apply basename()
// and an extension check), then resolve with realpath() and verify the result
// still starts with the lan directory before reading.
// Default: Windows-style separators.
$fullpath = dirname(dirname(__FILE__))."\\lan\\".$filename;
// Non-Windows hosts: rebuild the path with forward slashes.
if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
$fullpath = dirname(dirname(__FILE__))."/lan/".$filename;
}
if (file_exists($fullpath))
{
// The raw file contents are spliced into the response without checking that
// they are valid JSON, so any readable file is returned to the caller as-is.
$json_string = file_get_contents($fullpath);
$res = '{"res":"1","data":'.$json_string.'}';
}
}
echo $res;
?>
最重要的 login.php 来了:代码中硬编码了一组管理员账号和密码。
<?php
// Login endpoint: reads jsondata[username] / jsondata[password] from the POST
// body. A hard-coded credential pair is checked first; any other credentials
// are forwarded to UdpSendAndRecvJson() with the "login" command.
// JSON() and UdpSendAndRecvJson() are not defined in this listing
// (presumably provided by conversion.php - confirm).
require_once ('conversion.php');
$postData = $_POST['jsondata'];
$arr['res'] = 0;
if (isset($postData['username'])) {
$user = $postData['username'];
// 'password' is read without an isset() guard.
$pass = $postData['password'];
// Root cause: a built-in administrator account whose credentials are literals
// in the source. The check runs before, and instead of, the backend lookup in
// the else branch, and it uses loose == comparison.
// Mitigation: remove the built-in account, authenticate every user through the
// backend against stored password hashes (password_hash / password_verify),
// and rotate credentials on devices that shipped with this code.
if ('800823' == $pass && 'administrator' == $user)
{
// The response grants full rights and echoes the password back to the client.
$arr['username'] = 'administrator';
$arr['password'] = '800823';
$arr['display'] = 'administrator';
$arr['modules'] = '1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1';
$arr['rights'] = '*';
$arr['serverrights'] = '*';
$arr['isadmin'] = '1';
$arr['bindterminals'] = '';
$arr['res'] = 1;
$arr['mainurl'] = 'main';
// The token is a fixed string rather than a random per-session value.
// NOTE(review): how other endpoints validate this token is not shown here.
// A session token should come from a CSPRNG such as random_bytes().
$arr['token'] = 'SESSION';
echo JSON($arr);
}
else
{
// All other credentials are delegated to the backend; its reply is echoed
// to the client unchanged.
$result = UdpSendAndRecvJson($postData, "login");
echo $result;
}
}
?>