螞蟻分類getshell

  程序介紹:我們毫無保留的告訴你們這個Mymps螞蟻分類信息系統5.6S多城市版網站源碼+新版手機界面純安裝版,去除域名限制,你可以無限制的安裝使用,無功能限制,親測保證穩定運行。此程序部分核心文件是用zend加密的,但不影響使用。如果你安裝不上,原因很簡單就是服務器環境問題。


/member/include/inc_shop.php

if($if_corp == 1){

                //???????????

                if($ac == 'base'){

                        if(empty($tname)) write_msg('','?m=shop&type=corp&error=39');

                        if(empty($areaid)) write_msg('','?m=shop&type=corp&error=40');

                        $db -> query("UPDATE `{$db_mymps}member` SET tname='$tname',catid='$catids',areaid='$areaid',introduce='$introduce',address='$address',busway='$busway',mappoint='$mappoint',msn='$msn',web='$web' $where AND if_corp = '1'");

                        write_msg('','?m=shop&type=corp&success=13');

                } elseif($ac == 'template') {

                        if($_FILES[$name_file]['name']){

                                require_once MYMPS_INC.'/upfile.fun.php';

                                $destination = "/banner/".date('Ym')."/";

                                $mymps_image = start_upload($name_file,$destination,0,'','',$oldbanner,'');

前面的 ac 分支不用管, 只是 if 判斷後進入對應操作而已。我們主要看 template 這裏: 取 $name_file 對應的上傳文件後傳入 start_upload, 其中傳參裏用戶可控的是 $oldbanner (作為第六個參數 $edit_filename 傳入)。
看一下函數內容:

function start_upload( $file_name, $destination_folder, $watermark = 0, $limit_width = "", $limit_height = "", $edit_filename = "", $edit_pre_filename = "" )

{

    global $mymps_global;

    global $timestamp;

    if ( !is_uploaded_file( $_FILES[$file_name]['tmp_name'] ) )

    {

        write_msg( "請重新選擇您要上傳的圖片!" );

    }

    $file = $_FILES[$file_name];

    @createdir( MYMPS_UPLOAD.$destination_folder );

    $file_name = $file['tmp_name'];

    $pinfo = pathinfo( $file['name'] );

    $ftype = $pinfo['extension'];

    $fname = $pinfo[basename];

    if ( empty( $edit_filename ) && empty( $edit_pre_filename ) )

    {

        $destination_file = $timestamp.random( ).".".$ftype;

        $destination = MYMPS_UPLOAD.$destination_folder.$destination_file;

        $small_destination = MYMPS_UPLOAD.$destination_folder."pre_".$destination_file;

    }

    else

    {

        $destination = MYMPS_ROOT.$edit_filename;

        $small_destination = MYMPS_ROOT.$edit_pre_filename;

        $forbidarray = array(

            MYMPS_ROOT."/images/logo.gif",

            MYMPS_ROOT."/images/nopic.gif",

            MYMPS_ROOT."/images/nophoto.jpg",

            MYMPS_ROOT."/images/noavatar.gif",

            MYMPS_ROOT."/images/noavatar_small.gif"

        );

        if ( !in_array( $destination, $forbidarray ) || $destination != MYMPS_ROOT )

        {

            @unlink( $destination );

        }

        if ( !in_array( $small_destination, $forbidarray ) || $destination != MYMPS_ROOT )

        {

            @unlink( $small_destination );

        }

        unset( $forbidarray );

    }

    if ( file_exists( $destination ) )

    {

        write_msg( "同名圖片已存在,請重新選擇您要上傳的圖片!" );

    }

    if ( !move_uploaded_file( $file_name, $destination ) )

    {

        write_msg( "圖片上傳失敗,請重新選擇您要上傳的圖片!" );

}

看這裏

$file = $_FILES[$file_name]; // raw upload entry; $file['name'] is the client-supplied original filename

    @createdir( MYMPS_UPLOAD.$destination_folder ); // errors suppressed with @, so a failed directory creation is not reported here

    $file_name = $file['tmp_name']; // from here on $file_name holds the temp path, no longer the form field name

    $pinfo = pathinfo( $file['name'] );

    $ftype = $pinfo['extension']; // extension is taken verbatim from the client filename; no allowlist check is visible in this excerpt

    $fname = $pinfo[basename]; // NOTE(review): bare `basename` is an undefined-constant lookup (notice on PHP 7, Error on PHP 8); the intended key is 'basename'

先是從 $_FILES 取出上傳項, 再用 pathinfo 從客戶端提交的原始文件名取出後綴 ($ftype) 和文件名 ($fname); 在這個函數裏看不到對後綴的白名單校驗。

{

        $destination = MYMPS_ROOT.$edit_filename;

        $small_destination = MYMPS_ROOT.$edit_pre_filename;

        $forbidarray = array(

            MYMPS_ROOT."/images/logo.gif",

            MYMPS_ROOT."/images/nopic.gif",

            MYMPS_ROOT."/images/nophoto.jpg",

            MYMPS_ROOT."/images/noavatar.gif",

            MYMPS_ROOT."/images/noavatar_small.gif"

        );

這裏只要 $edit_filename 或 $edit_pre_filename 有一個非空 (本例中 $oldbanner 作為 $edit_filename 傳入) 就會進入 else 分支: 目標路徑直接由 MYMPS_ROOT 拼接傳入的值, 後綴沿用上傳文件名的後綴, 期間沒有任何校驗。另外 forbidarray 後面的判斷寫成 `!in_array(...) || $destination != MYMPS_ROOT`, 只要路徑不等於 MYMPS_ROOT 就恆為真, 這個保護列表實際上不起作用, 應改為 `&&`。修復方向是對後綴做白名單校驗, 並在 realpath 之後確認 edit 路徑位於上傳目錄之內。

    if ( file_exists( $destination ) )
    {
        write_msg( "同名圖片已存在,請重新選擇您要上傳的圖片!" );
    }
    if ( !move_uploaded_file( $file_name, $destination ) )
    {
        write_msg( "圖片上傳失敗,請重新選擇您要上傳的圖片!" );
    }

下面接着只判斷目標路徑是否已存在同名文件, 不存在就直接用 move_uploaded_file 寫入。
本地復現:
wKioL1jt2CyCyGujAAEG1O1iRcI031.png-wh_50
Old 一欄即我們指定的文件名
wKioL1jt2D3yWv0eAACwGD-HpmQ484.png-wh_50
不過印象中我並不記得螞蟻分類會存在這個漏洞啊! 抱着各種心情多看一下, 隨便看一個:
wKioL1jt2E7xhnl-AAA4Z988Hb4218.png
發現除了我們看的這一處, 其他每個調用 start_upload 的地方前面都會有一個 check_upimage 的調用, 看看怎麼回事:
wKiom1jt2GGg5dC-AAEULmnQPJU136.png

