webuploader组件上传漏洞 路径根据实际的来
webuploader/0.1.5/server/preview
代码部分
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 <?php $DIR = 'preview' ;if (!file_exists($DIR )) { @mkdir($DIR ); } $cleanupTargetDir = true ; $maxFileAge = 5 * 3600 ; if ($cleanupTargetDir ) { if (!is_dir($DIR ) || !$dir = opendir($DIR )) { die ('{"jsonrpc" : "2.0", "error" : {"code": 100, "message": "Failed to open temp directory."}, "id" : "id"}' ); } while (($file = readdir($dir )) !== false ) { $tmpfilePath = $DIR . DIRECTORY_SEPARATOR . $file ; if (@filemtime($tmpfilePath ) < time() - $maxFileAge ) { @unlink($tmpfilePath ); } } closedir($dir ); } $src = file_get_contents('php://input' );if (preg_match("#^data:image/(\w+);base64,(.*)$#" , $src , $matches )) { $previewUrl = sprintf( "%s://%s%s" , isset ($_SERVER ['HTTPS' ]) && $_SERVER ['HTTPS' ] != 'off' ? 'https' : 'http' , $_SERVER ['HTTP_HOST' ], $_SERVER ['REQUEST_URI' ] ); $previewUrl = str_replace("preview.php" , "" , $previewUrl ); $base64 = $matches [2 ]; $type = $matches [1 ]; if ($type === 'jpeg' ) { $type = 'jpg' ; } $filename = md5($base64 ).".$type " ; $filePath = $DIR .DIRECTORY_SEPARATOR.$filename ; if (file_exists($filePath )) { die ('{"jsonrpc" : "2.0", "result" : "' .$previewUrl .'preview/' .$filename .'", "id" : "id"}' ); } else { $data = base64_decode($base64 ); file_put_contents($filePath , $data ); die ('{"jsonrpc" : "2.0", "result" : "' .$previewUrl .'preview/' .$filename .'", "id" : "id"}' ); } } else { die ('{"jsonrpc" : "2.0", "error" : {"code": 100, "message": "un recoginized source"}}' ); }
payload
1 data:image/php;base64,(base64_payload)
wechat
alipay
