文章转载于先知社区,作者:jdr
原文链接:https://xz.aliyun.com/t/10470
领导通知,让我打十天攻防,前四天,平平无奇,两个权限,web系统都是外包的,没打进核心内网。
burpsuite
的intruter
模块的payload
中,并去掉payload encoding
前面的勾。action_picUpload
public function action_picUpload(){
$error=0;
if (isset($_FILES['thumb'])){
$photo=$_FILES['thumb'];
if(substr($photo['type'], 0, 5) == 'image') {
switch ($photo['type']) {
case 'image/jpeg':
case 'image/jpg':
case 'image/pjpeg':
$ext = '.jpg';
break;
case 'image/gif':
$ext = '.gif';
break;
case 'image/png':
case 'image/x-png':
$ext = '.png';
break;
default:
$error=-1;
break;
}
if($error==0){
$time=SYS_TIME;
$year=date('Y',$time);
$month=date('m',$time);
$day=date('d',$time);
$pathInfo=upFileFolders($time);
$dstFolder=$pathInfo['path'];
$dstFile=ABS_PATH.'upload'.DIRECTORY_SEPARATOR.'temp'.$ext;
//the size of file uploaded must under 1M
if($photo['size']>2000000){
$error=-2;
return $error;
}
}else {
return $error;
}
//if no error
if($error==0){
$rand=randStr(4);
//delete primary files
if(file_exists($dstFolder.$time.$rand.$ext)){
unlink($dstFolder.$time.$rand.$ext);
}
if ($ext!='.gif'&&$ext!='.png'){
//save the temporary file
move_uploaded_file($photo['tmp_name'],$dstFile);
$imgInfo=getimagesize($dstFile);
//generate new files
$imageWidth=intval($_POST['width'])!=0?intval($_POST['width']):$imgInfo[0];
$imageHeight=intval($_POST['height'])!=0?intval($_POST['height']):$imgInfo[1];
bpBase::loadSysClass('image');
image::zfResize($dstFile,$dstFolder.$time.$rand.'.jpg',$imageWidth,$imageHeight,1|4,2);
$ext='.jpg';
//
}else {
move_uploaded_file($photo['tmp_name'],$dstFolder.$time.$rand.$ext);
}
if (isset($_POST['channelid'])){//内容缩略图
$channelObj=bpBase::loadAppClass('channelObj','channel');
$thisChannel=$channelObj->getChannelByID($_POST['channelid']);
$articleObj=bpBase::loadAppClass('articleObj','article');
$articleObj->setOtherThumb($thisChannel,$dstFile,$dstFolder,$time.$rand,'jpg');
}
if ($ext!='.gif'&&$ext!='.png'){
@unlink($dstFile);
}
$location='http://'.$_SERVER['HTTP_HOST'].CMS_DIR_PATH.'/upload/images/'.$year.'/'.$month.'/'.$day.'/'.$time.$rand.$ext;
$error=0;
}
}else {
$error=-1;
}
}else {
$error=-1;
}
if ($error==0){
echo $location;
}else {
$errors=array(-1=>'你上传的不是图片',-2=>'文件不能超过2M',-3=>'图片地址不正确');
echo $errors[intval($error)];
}
}
action_picUpload的逻辑是,上传的图片文件时,name=thumb,content-type的值为switch选择结构中的image/jpg时,指定上传后,文件的后缀名ext是jpg。文件名的命名是随机的,根据时间指定。
action_flashUpload
name
的值是filepath
,并且content-type
的值是flash格式时,能够上传成功,上传后的后缀名是由filename
的文件名后缀来确定的。private function export_database($tables,$sqlcompat,$sqlcharset,$sizelimit,$action,$fileid,$random,$tableid,$startfrom) {
$dumpcharset = $sqlcharset ? $sqlcharset : str_replace('-', '', DB_CHARSET);
$fileid = ($fileid != '') ? $fileid : 1;
if($fileid==1 && $tables) {
if(!isset($tables) || !is_array($tables)) showMessage('请选择要备份的表');
$random = mt_rand(1000, 9999);
setCache('backupTables',serialize($tables));
} else {
if(!$tables = unserialize(getCache('backupTables'))) showMessage('请选择要备份的表');
}
if($sqlcharset) {
$this->db->query("SET NAMES '".$sqlcharset."';\n\n");
}
$tabledump = '';
$tableid = ($tableid!= '') ? $tableid - 1 : 0;
$startfrom = ($startfrom != '') ? intval($startfrom) : 0;
for($i = $tableid; $i < count($tables) && strlen($tabledump) < $sizelimit * 1000; $i++) {
global $startrow;
$offset = 100;
if(!$startfrom) {
if($tables[$i]!=AUTO_TABLE_PREFIX.'session') {
$tabledump .= "DROP TABLE IF EXISTS `$tables[$i]`;\n";
}
$createtable = $this->db->query("SHOW CREATE TABLE `$tables[$i]` ");
$create = $this->db->fetch_next();
$tabledump .= $create['Create Table'].";\n\n";
$this->db->free_result($createtable);
if($sqlcompat == 'MYSQL41' && $this->db->version() < '4.1') {
$tabledump = preg_replace("/TYPE\=([a-zA-Z0-9]+)/", "ENGINE=\\1 DEFAULT CHARSET=".$dumpcharset, $tabledump);
}
if($this->db->version() > '4.1' && $sqlcharset) {
$tabledump = preg_replace("/(DEFAULT)*\s*CHARSET=[a-zA-Z0-9]+/", "DEFAULT CHARSET=".$sqlcharset, $tabledump);
}
if($tables[$i]==AUTO_TABLE_PREFIX.'session') {
$tabledump = str_replace("CREATE TABLE `".DB_PRE."session`", "CREATE TABLE IF NOT EXISTS `".DB_PRE."session`", $tabledump);
}
}
$numrows = $offset;
while(strlen($tabledump) < $sizelimit * 1000 && $numrows == $offset) {
if($tables[$i]==AUTO_TABLE_PREFIX.'session') break;
$sql = "SELECT * FROM `$tables[$i]` LIMIT $startfrom, $offset";
$numfields = $this->db->num_fields($sql);
$numrows = $this->db->num_rows($sql);
$fields_name = $this->db->get_fields($tables[$i]);
$rows = $this->db->query($sql);
$name = array_keys($fields_name);
$r = array();
while ($row = $this->db->fetch_next()) {
$r[] = $row;
$comma = "";
$tabledump .= "INSERT INTO `$tables[$i]` VALUES(";
for($j = 0; $j < $numfields; $j++) {
$tabledump .= $comma."'".mysql_real_escape_string($row[$name[$j]])."'";
$comma = ",";
}
$tabledump .= ");\n";
}
$this->db->free_result($rows);
$startfrom += $offset;
}
$tabledump .= "\n";
$startrow = $startfrom;
$startfrom = 0;
}
if(trim($tabledump)) {
$tabledump = "# time:".date('Y-m-d H:i:s')."\n# bupu auto system:http://www.bupu.net\n# --------------------------------------------------------\n\n\n".$tabledump;
$tableid = $i;
$filename = date('Ymd').'_'.$random.'_'.$fileid.'.sql';
$altid = $fileid;
$fileid++;
$backUpFolder=ABS_PATH.DIRECTORY_SEPARATOR.'backup';
if (!file_exists($backUpFolder)&&!is_dir($backUpFolder)){
mkdir($backUpFolder,0777);
}
$bakfile_path = ABS_PATH.'backup'.DIRECTORY_SEPARATOR.'data'.date('Y-m-d',SYS_TIME);
if (!file_exists($bakfile_path)&&!is_dir($bakfile_path)){
mkdir($bakfile_path,0777);
}
$bakfile = $bakfile_path.DIRECTORY_SEPARATOR.$filename;
if(!is_writable($bakfile_path)) showMessage('backup文件夹不可写');
file_put_contents($bakfile, $tabledump);
@chmod($bakfile, 0777);
showmessage('正在备份,请不要关闭浏览器'." $filename ", '?m=manage&c=database&a=action_export&sizelimit='.$sizelimit.'&sqlcompat='.$sqlcompat.'&sqlcharset='.$sqlcharset.'&tableid='.$tableid.'&fileid='.$fileid.'&startfrom='.$startrow.'&random='.$random.'&allow='.$allow);
} else {
$bakfile_path = ABS_PATH.'backup'.DIRECTORY_SEPARATOR.'database';
//file_put_contents($bakfile_path.DIRECTORY_SEPARATOR.'index.html','');
delCache('backupTables');
showmessage('备份成功,数据备份在了“/backup/data'.date('Y-m-d',SYS_TIME).'”文件夹中');
}
}
admin.php
这个入口文件给删了。牛逼牛逼。推荐阅读
点赞 在看 评论