Code audit: phpdisk unauthenticated file upload leading to getshell
modules/upload.inc.php:
The extension is extracted and checked in \phpdisk\includes\function\global.func.php, get_real_ext():
    function get_real_ext($file_extension){
        global $settings;
        $file_extension = trim($file_extension);
        if($file_extension){
            // blacklist of extensions, comma separated, from the site settings
            $exts = explode(',',$settings['filter_extension']);
            if(in_array($file_extension,$exts)){
                // blacklisted suffix: neutralise it by appending .txt
                $file_ext = '.'.$file_extension.'.txt';
            }else{
                // anything not on the list is kept as-is
                $file_ext = '.'.$file_extension;
            }
        }else{
            $file_ext = '.txt';
        }
        return $file_ext;
    }
get_real_ext() relies on the blacklist filter_extension: a blacklisted suffix is rewritten by appending .txt so the web server will not parse it, while any suffix that is not on the list passes through unchanged.
Uploading a file named 1.php:$data is therefore enough to getshell:
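The blacklist above only rewrites suffixes it recognises, so an unusual suffix such as php:$data is kept verbatim. The defensive fix is to stop reasoning about bad suffixes and instead accept a short allowlist, validate the whole client-supplied name, and never reuse that name on disk. The following is an added example and not phpdisk's own code; the names safe_upload_ext(), stored_upload_name() and ALLOWED_UPLOAD_EXTS are assumed, and the file names in the loop are constructed samples.

```php
<?php
// Added example (not phpdisk's code): allowlist replacement for get_real_ext().
// Assumed names: ALLOWED_UPLOAD_EXTS, safe_upload_ext(), stored_upload_name().

const ALLOWED_UPLOAD_EXTS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'];

/**
 * Return a safe extension (with leading dot) for the uploaded file name, or
 * null if the upload must be rejected outright.
 */
function safe_upload_ext(string $original_name): ?string
{
    // Work on the base name only; client-supplied directories are ignored.
    $base = basename(str_replace('\\', '/', $original_name));

    // Refuse NTFS stream syntax (":"), control characters and anything outside
    // a conservative character set before even looking at the extension.
    if ($base === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $base)) {
        return null;
    }

    // The extension is whatever follows the last dot; no dot or a trailing dot
    // means there is no usable extension.
    $pos = strrpos($base, '.');
    if ($pos === false || $pos === strlen($base) - 1) {
        return null;
    }
    $ext = strtolower(substr($base, $pos + 1));

    // Allowlist: unknown or executable suffixes are refused, not renamed.
    if (!in_array($ext, ALLOWED_UPLOAD_EXTS, true)) {
        return null;
    }
    return '.' . $ext;
}

/**
 * Build the on-disk name from a random token plus the validated extension, so
 * the client never controls the stored name (no double extensions survive).
 */
function stored_upload_name(string $original_name): ?string
{
    $ext = safe_upload_ext($original_name);
    if ($ext === null) {
        return null;
    }
    return bin2hex(random_bytes(16)) . $ext;
}

// Constructed sample names for a local check: run with `php this_file.php`.
foreach (['photo.JPG', '1.php', '1.php:$data', '1.php.txt', '.htaccess', '..'] as $name) {
    $r = stored_upload_name($name);
    printf("%-14s -> %s\n", $name, $r === null ? 'rejected' : $r);
}
```

With this in place 1.php, 1.php:$data and .htaccess are rejected by the character class or the allowlist, and an accepted name such as 1.php.txt is stored as a random token with the single extension .txt, so the original name never reaches the filesystem.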
Unauthenticated access:
mydisk.php
\phpdisk\includes\class\core.class.php, user_login():
    public static function user_login(){
        global $pd_uid,$pd_pwd;
        if(!$pd_uid || !$pd_pwd){
            // sends a redirect header but does not stop the script
            header("Location: ".urr("account","action=login&ref=".$_SERVER['REQUEST_URI']));
        }
    }
It only sends a 302 and never exits, so the upload can be performed without logging in at all.
getshell:
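The redirect-without-exit behaviour is easy to miss in review because the browser does follow the 302; only the raw response shows that the upload code ran anyway. The following added example (not phpdisk's own code) simulates both guards side by side so the difference is observable. The names Outcome, guard_redirect_only(), guard_redirect_and_stop() and run_request() are assumed, and the $session arrays are constructed sample data.

```php
<?php
// Added example, not phpdisk's code. Models core::user_login(): it queues a
// 302 Location header but never calls exit, so modules/upload.inc.php keeps
// running for an anonymous request. All names below are assumed.

/** What one simulated request produced: the status sent to the client and
 *  whether the protected upload body was reached. */
final class Outcome {
    public $status = 200;
    public $handler_ran = false;
}

/** Guard as phpdisk writes it: queue a redirect header and return. */
function guard_redirect_only(array $session, Outcome $out): void {
    if (empty($session['pd_uid']) || empty($session['pd_pwd'])) {
        $out->status = 302;            // header("Location: ...login")
        // no exit: execution falls through to the caller
    }
}

/** Fixed guard: stop the request right after the redirect. In real PHP this
 *  is `header(...); exit;`; a sentinel exception stands in for exit here so
 *  the simulation can be inspected instead of terminating the script. */
function guard_redirect_and_stop(array $session, Outcome $out): void {
    if (empty($session['pd_uid']) || empty($session['pd_pwd'])) {
        $out->status = 302;
        throw new RuntimeException('request terminated by guard');
    }
}

/** Simulate the upload module: run the guard, then the upload body. */
function run_request(callable $guard, array $session): Outcome {
    $out = new Outcome();
    try {
        $guard($session, $out);
        $out->handler_ran = true;      // move_uploaded_file() would run here
    } catch (RuntimeException $e) {
        // the guard ended the request before the upload body
    }
    return $out;
}

$anonymous = [];                                    // constructed: no session
$member    = ['pd_uid' => 42, 'pd_pwd' => 'hash'];  // constructed: logged in

foreach (['redirect only'   => 'guard_redirect_only',
          'redirect + exit' => 'guard_redirect_and_stop'] as $label => $guard) {
    foreach (['anonymous' => $anonymous, 'member' => $member] as $who => $session) {
        $r = run_request($guard, $session);
        printf("%-16s %-10s status=%d upload_ran=%s\n",
               $label, $who, $r->status, $r->handler_ran ? 'yes' : 'no');
    }
}
```

Run with `php this_file.php`: the "redirect only" guard reports the anonymous request as status 302 with the upload body still executed, which is exactly the bypass in the post, while the "redirect + exit" guard reports 302 with the upload body skipped. The one-line fix in core.class.php is to place `exit;` directly after the header() call; as defence in depth, the upload module should also check the session itself rather than trusting that an earlier guard stopped the request.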
mail: 779783493@qq.com