代码审计-phpdisk未授权文件上传getshell

modules/upload.inc.php:

获取后缀并判断: \phpdisk\includes\function\global.func.php: get_real_ext

function get_real_ext($file_extension){
	global $settings;
	$file_extension = trim($file_extension);
	if($file_extension){
		$exts = explode(',',$settings['filter_extension']);
		if(in_array($file_extension,$exts)){
			$file_ext = '.'.$file_extension.'.txt';
		}else{
			$file_ext = '.'.$file_extension;
		}
	}else{
		$file_ext = '.txt';
	}
	return $file_ext;
}

get_real_ext通过黑名单filter_extension对后缀进行修改添加.txt防止解析

上传文件名为1.php:$data的话即可getshell:

未授权:
mydisk.php

\phpdisk\includes\class\core.class.phpuser_login():

	public static function user_login(){
		global $pd_uid,$pd_pwd;
		if(!$pd_uid || !$pd_pwd){
			header("Location: ".urr("account","action=login&ref=".$_SERVER['REQUEST_URI']));
		}
	}

只是返回302 没有退出 所以可以不用登录直接传

getshell: