Haidao Cloud Shop (海盗云商) front-end getshell

In the member avatar upload handler (member centre, "change avatar"):

    public function avatar() {
        if(checksubmit('dosubmit')) {
            if(empty($_GET['avatar'])) {
                showmessage('请上传头像','',0);          // "please upload an avatar"
            }
            // The path of the file to crop is taken verbatim from the request.
            $avatar = $_GET['avatar'];
            $x = (int) $_GET['x'];
            $y = (int) $_GET['y'];
            $w = (int) $_GET['w'];
            $h = (int) $_GET['h'];
            if(is_file($avatar) && file_exists($avatar)) {
                // Only the extension of the attacker-controlled string is checked.
                $ext = strtolower(pathinfo($avatar, PATHINFO_EXTENSION));
                $name = basename($avatar, '.'.$ext);
                $dir = dirname($avatar);
                if(in_array($ext, array('gif','jpg','jpeg','bmp','png'))) {
                    // Output name and directory are derived from the same string.
                    $name = $name.'_crop_200_200.'.$ext;
                    $file = $dir.'/'.$name;
                    // The file is re-encoded by the image class (crop + save),
                    // so the written bytes are GD output, not the original upload.
                    $image = new image($avatar);
                    $image->crop($w, $h, $x, $y, 200, 200);
                    $image->save($file);
                    if(file_exists($file)) {
                        $avatar = getavatar($this->member['id'], false);
                        dir::create(dirname($avatar));
                        @rename($file, $avatar);
                        showmessage('头像更换成功','',1);  // "avatar changed"
                    } else {
                        showmessage('头像数据裁剪失败','',0); // "crop failed"
                    }
                } else {
                    showmessage('请勿上传非法图片','',0);   // "illegal image"
                }
            } else {
                showmessage('头像数据异常','',0);          // "bad avatar data"
            }
        } else {
            $SEO = seo('修改头像 - 会员中心');
            $attachment_init = attachment_init(array('module' => 'member', 'mid' => $this->member['id']));
            include template('account_avatar');
        }
    }
    } // end of the enclosing controller class

As you can see, the avatar that gets processed is whatever path arrives in
$avatar = $_GET['avatar']; and the only validation is a whitelist on the file extension of that string.

So xx.php%00.jpg or xx.php%00.gif both pass. The whitelist is applied with pathinfo(), which is binary-safe and sees the ".jpg" after the NUL byte, while on PHP before 5.3.4 the filesystem calls that follow (is_file(), the save in the image class, rename()) stop at the NUL byte and operate on xx.php.

Note that only an image webshell (a valid picture with PHP code embedded in it) can be used here: the file is passed through the image class's crop and save, so a file containing nothing but PHP code is re-rendered by the image library and the code does not survive.

After modifying two places in the request, you can see that the truncation succeeded.
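To make the flaw concrete, the block below is an added example (not code from 海盗云商 and not part of the original report): it puts the extension-only check that avatar() relies on next to a hardened path check that rejects NUL bytes before any filesystem call, confines the path to the upload directory with realpath(), and verifies the file content with getimagesize(). The function names, the upload directory and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added example: original extension-only check vs. a hardened path check.
// Names (original_ext_check, validate_avatar_path) and the temp upload
// directory are assumptions for this demo, not 海盗云商 code.
declare(strict_types=1);

const ALLOWED_EXT = ['gif', 'jpg', 'jpeg', 'bmp', 'png'];

// What the original avatar() effectively checks: the part of the string after
// the last dot. pathinfo() is binary-safe, so "xx.php\0.jpg" yields "jpg" and
// passes; on PHP < 5.3.4 the filesystem functions used afterwards
// (is_file, fopen inside image::save, rename) stop at the NUL byte and
// operate on "xx.php" instead.
function original_ext_check(string $avatar): bool
{
    $ext = strtolower(pathinfo($avatar, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

// Hardened replacement: the request-controlled string is rejected for NUL
// bytes, canonicalised, confined to $uploadDir, extension-whitelisted and
// finally checked by content. Returns the canonical path or null.
function validate_avatar_path(string $avatar, string $uploadDir): ?string
{
    if ($avatar === '' || strpos($avatar, "\0") !== false) {
        return null;                                  // NUL byte: truncation primitive
    }
    $base = realpath($uploadDir);
    $real = realpath($avatar);
    if ($base === false || $real === false || !is_file($real)) {
        return null;                                  // not an existing regular file
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                  // escapes the upload directory
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                                  // extension not whitelisted
    }
    // Check the bytes, not only the name: getimagesize() parses the header.
    $info = @getimagesize($real);
    $okTypes = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_BMP, IMAGETYPE_PNG];
    if ($info === false || !in_array($info[2], $okTypes, true)) {
        return null;                                  // not a recognised image
    }
    return $real;
}

// Demonstration on constructed input (a throwaway directory, no real upload).
$tmp = sys_get_temp_dir() . '/avatar_demo_' . getmypid();
mkdir($tmp);
// Minimal GIF89a header (1x1 logical screen), constructed inline; enough for
// getimagesize() to identify the type.
file_put_contents($tmp . '/ok.gif', "GIF89a\x01\x00\x01\x00\x00\x00\x00");
file_put_contents($tmp . '/xx.php', '<?php echo "shell";');

$cases = [
    $tmp . '/ok.gif',            // legitimate image: both checks accept
    $tmp . "/xx.php\0.jpg",      // the %00 trick: original passes, hardened rejects
    $tmp . '/xx.php',            // bare .php: both reject
    $tmp . '/../../etc/passwd',  // traversal out of the upload dir: hardened rejects
];
foreach ($cases as $c) {
    printf("%-45s original=%-6s hardened=%s\n",
        addcslashes(substr($c, strlen($tmp)), "\0"),
        original_ext_check($c) ? 'pass' : 'reject',
        validate_avatar_path($c, $tmp) === null ? 'reject' : 'accept');
}

// Cleanup of the constructed files.
unlink($tmp . '/ok.gif');
unlink($tmp . '/xx.php');
rmdir($tmp);
```

The order of the checks matters: the NUL-byte test comes first so that no filesystem function ever receives the truncating string, and the whitelist is applied to the canonical path returned by realpath(), not to the raw request value, so the name the extension check sees is the name the later save and rename will actually use.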

海盗云商: http://www.haidao.la/
