thinksns V3 getshell vulnerabilities attached to the use of the method-vulnerability warning-the black bar safety net

2013-04-09T00:00:00
ID MYHACK58:62201338204
Type myhack58
Reporter 佚名
Modified 2013-04-09T00:00:00

Description

tick test re-test is that the results of the proceedings I applied for didn't let me into listening to friends say this

I'll probably see you found a getshell

Anyway all tested so many hackers surely by the time someone dug out might as well put out attachaction.class.php

| 1 | public function capture(){ ---|---

2 | ---|---

3 | error_reporting(0); ---|---

4 | ---|---

5 | //parsing the upload ---|---

6 | $query_string = t($_SERVER['QUERY_STRING']); ---|---

7 | parse_str($query_string,$query_data); //overwrite the data variable ---|---

8 | ---|---

9 | $log_file = time().'_'. rand(0,1000).'. txt'; ---|---

1 0 | ---|---

1 1 | $log_path = RUNTIME_PATH.'/ logs/'. date('Y/md/H/'); ---|---

1 2 | ---|---

1 3 | if(! is_dir($log_path)) ---|---

1 4 | mkdir($log_path,0 7 7 7,true); ---|---

1 5 | ---|---

1 6 | $file_path = './ data/uploads/'. date('Y/md/H/'); ---|---

1 7 | ---|---

1 8 | if(! is_dir($file_path)) ---|---

1 9 | mkdir($file_path,0 7 7 7,true); ---|---

2 0 | ---|---

2 1 | file_put_contents($log_path.$ log_file,var_export($query_data,true)); ---|---

2 2 | ---|---

2 3 | //button screenshot: FileType=img ---|---

2 4 | if($query_data['FileType']=='img'){ ---|---

2 5 | $file_name = 'capture_'. time().'. jpg'; ---|---

2 6 | } ---|---

2 7 | ---|---

2 8 | //attachment upload: FileType=Attachment & FileName=xxx. jpg//the use of the way of his own are written. ---|---

2 9 | if($query_data['FileType']=='Attachment'){ ---|---

3 0 | $file_name = $query_data['FileName'];//is override the file name of the God of ---|---

3 1 | } ---|---

3 2 | ---|---

3 3 | //process the data stream ---|---

3 4 | if ($stream = fopen('php://input', 'r')) { //post to get content ---|---

3 5 | // print all the page starting at the offset 1 0 ---|---

3 6 | // echo stream_get_contents($stream, -1, 1 0); ---|---

3 7 | $content = stream_get_contents($stream); ---|---

3 8 | file_put_contents($file_path.$ file_name,$content);//this will write out. Good slag. ---|---

3 9 | fclose($stream); ---|---

4 0 | } ---|---

4 1 | ---|---

4 2 | //include 'UploadFile.class.php'; ---|---

4 3 | ---|---

4 4 | //$up = new UploadFile(); ---|---

4 5 | //$up->upload('./ uploads/'); ---|---

4 6 | //$info = $up->getUploadFileInfo(); ---|---

4 7 | ---|---

4 8 | //echo" ---|---

4 9 | "; ---|---

5 0 | //var_dump($_SERVER); ---|---

5 1 | //var_dump($info); ---|---

5 2 | //echo" ---|---

5 3 | "; ---|---

5 4 | ---|---

5 5 | //Output File ---|---

5 6 | echo SITE_URL. ltrim($file_path.$ file_name,'.'); ---|---

5 7 | } ---|---

[1] [2] next