简单CMS Getshell漏洞

漏洞点在下面的 `saveAvatar()` 方法：方法内没有任何登录或权限校验；文件名 `$filename` 直接取自 `$_GET['photoServer']` 按 `/` 切分后的最后一段，没有做扩展名或字符校验；当 `type=big` 或 `type=small` 时，代码先用 `file_put_contents` 把原始请求体（`php://input`）原样写入 `Uploads/avatar_big/` 或 `Uploads/avatar_small/` 下的该文件名，之后才调用 `imagecreatefromjpeg` 做解码。请求体若不是合法 JPEG，`imagecreatefromjpeg` 通常返回 false，随后的 `imagejpeg` 也就不会重写该文件，磁盘上留下的正是攻击者提交的原始内容——因此传入 `photoServer=xxx.php` 并在请求体中放入 PHP 代码即可写入 webshell。另外，`where("is_del=0 and id=" . $_COOKIE['id'])` 把 Cookie 值直接拼进 SQL 条件，存在 SQL 注入。修复建议：在方法入口校验登录态，并使用会话中的用户 id 而不是 Cookie；文件名由服务端生成（例如用户 id 加固定的 `.jpg` 扩展名），不接受客户端提供的文件名；先用 `getimagesize`/`imagecreatefromstring` 确认请求体是图片再落盘，或在解码失败时立即 `unlink` 已写入的文件；SQL 条件改为参数绑定。

[php]public function saveAvatar() {

session_start ();

define ( 'SD_ROOT', dirname ( __FILE__ ) . '/' );

@header ( "Expires: 0" );

@header ( "Cache-Control: private, post-check=0, pre-check=0, max-age=0", FALSE );

@header ( "Pragma: no-cache" );

// 这里传过来会有两种类型,一先一后, big和small, 保存成功后返回一个json字串,客户端会再次post下一个.

$type = isset ( $_GET ['type'] ) ? trim ( $_GET ['type'] ) : 'tupian';

$orgin_pic_path = $_GET ['photoServer']; // 原始图片地址,备用.//文件名

// $from = $_GET['from'];

// //原始图片地址,备用.

$_path = explode ( '/', $orgin_pic_path );

$num = count ( $_path );

$path = '/';

foreach ( $_path as $k => $v ) {

if (($k + 1) == $num) {

$filename = $v;//赋值

} else {

$path .= $v . '/';

}

}

if ($type == 'big') {

$pic_path = '../../../../Uploads/avatar_big/' . $filename;//文件名

} elseif ($type == 'small') {

$pic_path = '../../../../Uploads/avatar_small/' . $filename;

} else {

$msg = json_encode ( 'error img!' );

echo $msg;

exit ();

}

$new_avatar_path = $pic_path;

$len = file_put_contents ( SD_ROOT . $new_avatar_path, file_get_contents ( "php://input" ) );//写出

$avtar_img = imagecreatefromjpeg ( SD_ROOT . $new_avatar_path );

imagejpeg ( $avtar_img, SD_ROOT . $new_avatar_path, 80 );

// 输出新保存的图片位置, 测试时注意改一下域名路径, 后面的statusText是成功提示信息.

// status 为1 是成功上传,否则为失败.

$d = new pic_data ();

// $d->data->urls[0] = 'http://sns.com/avatar_test/'.$new_avatar_path;

$d->data->urls [0] = $new_avatar_path;

$d->status = 1;

$d->statusText = '上传成功!';

$msg = json_encode ( $d );

echo $msg;

$user_mod = M ( "User" );

$user_mod->where ( "is_del=0 and id=" . $_COOKIE ['id'] )->setField ( 'img', $filename );

@unlink ( SD_ROOT . "../../../../Uploads/avatar_original/" . $_SESSION ['user_img'] );

@unlink ( SD_ROOT . "../../../../Uploads/avatar_big/" . $_SESSION ['user_img'] );

@unlink ( SD_ROOT . "../../../../Uploads/avatar_small/" . $_SESSION ['user_img'] );
[/php]
