l14107cb posted on 2024-10-3 09:30:18

Code Audit | CNVD 1day: Two Arbitrary File Uploads in Emlog_pro


    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Disclaimer</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The user alone is responsible for any direct or indirect consequences and losses caused by spreading or using the information provided by this public account; the account and its author accept no liability for them, and anyone who causes such consequences bears them personally. If anything here infringes your rights, please let us know and we will delete it immediately and apologize. Thank you!</p><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azJZJ4pVQHOicqtkQntqLduTfPaVvVnZ4iaGc0DaBeQqNoicYUrzzyOpIsJWbSgNUqV3SodRwKFOIq3Lw/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    <h2 style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">Introduction</span></h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A while ago I shared a code audit of an SQL injection in Emlog; today I am sharing another code-audit write-up on emlog.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Both of the vulnerabilities below are <strong style="color: blue;">arbitrary file uploads in the admin backend</strong>. The approach is the same for both and only the upload location differs, which makes them good material for learning how to approach a code audit.</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">Environment Setup</span></h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Affected version: emlog emlog pro 2.2.0</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Vulnerable locations:</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">emlog pro /admin/plugin.php contains an arbitrary file upload vulnerability</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">emlog pro /content/templates/ contains an arbitrary file upload vulnerability</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYo02NRHX8m3Chh6pxG7U6jZcMuLj8iaS36t7ymnibtlYZLAn5D6dJyYfPw/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYoaiadOnVQSyvmlCdTB7eFLO9cVNQN1x5Jlb92SPumia8bRzedLvhd0sTg/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Download the source code of the vulnerable version from the official Emlog releases page: https://github.com/emlog/emlog/releases</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYodHkFocfwsTZuTwYtS9d60RoeYbTTPHrjF0gY5HvxqLl2zUu9joytWA/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Set it up with PhpStudy and configure the database details. Once the setup is complete, the interface looks like this.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYokccKnjbmrVribj7jXLHKUbrUMZsfQLRWzMvFStK8Yuv27rO1xqyTw9w/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYoQYSjib4aJCLmZkxl444iajAfDLgDBMahhPhibEP2qGCQxxjw5vwcrJE4w/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">Code Audit</span></h2>
    <h3 style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">CNVD-2023-74535</span></h3>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">According to the advisory, emlog pro /admin/plugin.php contains an arbitrary file upload vulnerability: a remote attacker can exploit it by submitting a specially crafted request, upload a malicious file, and execute arbitrary code in the context of the application.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Let's first see what the page looks like.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYo5cfOgoBbWSulHbdcD7Igx0xRmh6hOyHw9YQQg33uibrQhkxA1dnPkNA/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">There is an upload feature here. In a black-box test, the first instinct would be that this is where the problem lies: just test it.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This time we have the source code, so let's look at this file. A small trick: inspect the "Install plugin" control and see where it points.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYoH3SGZesjZNNF7NHca4xsopyMFcYbUNGric33ib0ozlod1WNmWmcC3FSg/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">From this we can tell that the upload is handled in the upload_zip action.</p>
<pre>
if ($action == 'upload_zip') {
    LoginAuth::checkToken();
    $zipfile = isset($_FILES['pluzip']) ? $_FILES['pluzip'] : '';

    if ($zipfile['error'] == 4) {
        emDirect("./plugin.php?error_d=1");
    }
    if ($zipfile['error'] == 1) {
        emDirect("./plugin.php?error_g=1");
    }
    if (!$zipfile || $zipfile['error'] &gt;= 1 || empty($zipfile['tmp_name'])) {
        emMsg('插件上传失败, 错误码:' . $zipfile['error']);
    }
    // Only the extension of the client-supplied file name is checked
    if (getFileSuffix($zipfile['name']) != 'zip') {
        emDirect("./plugin.php?error_f=1");
    }

    // The archive is unpacked under the web-accessible plugin directory
    $ret = emUnZip($zipfile['tmp_name'], '../content/plugins/', 'plugin');
    switch ($ret) {
        case 0:
            emDirect("./plugin.php?activate_install=1");
            break;
        case -1:
            emDirect("./plugin.php?error_e=1");
            break;
        case 1:
        case 2:
            emDirect("./plugin.php?error_b=1");
            break;
        case 3:
            emDirect("./plugin.php?error_c=1");
            break;
    }
}
</pre>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A quick read shows that the code checks that the uploaded file is a zip and then simply extracts it. So we try writing a phpinfo file and compressing it for a test.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYoiagRjNMUgPFFpJIQ5p07urIiaGY46tos87KTibT0zUCzsP4icjjswLCuWg/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Compress it.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYoIWMtk1W47XH9D1uE2RFWtaVROjQj2SiauqNtl4mXTYLIaSjDBgu9hfw/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The upload is reported as failed.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYoiamCH9w6WHWUDTrQkibVBnoCNFjaVv28tXcxr80SYic6yCIKK3iacGwlKA/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Using this message, locate the corresponding code:</p>
<pre>
&lt;?php if (isset($_GET['error_e'])): ?&gt;
&lt;div class="alert alert-danger"&gt;安装失败,插件安装包不符合标准&lt;/div&gt;
&lt;?php endif ?&gt;
</pre>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Next, look at error_e: it is decided by the return value of emUnZip.</p>
<pre>
$ret = emUnZip($zipfile['tmp_name'], '../content/plugins/', 'plugin');
</pre>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Tracing into the emUnZip function, we find that it needs to obtain a directory, $dir, but our archive contains nothing but a single file, hence the error.</p>
<pre>
function emUnZip($zipfile, $path, $type = 'tpl') {
    if (!class_exists('ZipArchive', FALSE)) {
        return 3; // zip extension problem
    }
    $zip = new ZipArchive();
    if (@$zip-&gt;open($zipfile) !== TRUE) {
        return 2; // file permission problem
    }
    // The top-level directory name is taken from the first archive entry
    $r = explode('/', $zip-&gt;getNameIndex(0), 2);
    $dir = isset($r[0]) ? $r[0] . '/' : '';
    switch ($type) {
        case 'tpl':
            $re = $zip-&gt;getFromName($dir . 'header.php');
            if (false === $re) {
                return -2;
            }
            break;
        case 'plugin':
            // The only content check: &lt;dir&gt;/&lt;dir&gt;.php must exist in the archive
            $plugin_name = substr($dir, 0, -1);
            $re = $zip-&gt;getFromName($dir . $plugin_name . '.php');
            if (false === $re) {
                return -1;
            }
            break;
        case 'backup':
            $sql_name = substr($dir, 0, -1);
            if (getFileSuffix($sql_name) != 'sql') {
                return -3;
            }
            break;
        case 'update':
            break;
    }
    // ... the excerpt in the post ends here; the rest of the function is not shown
}
</pre>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Let's rebuild the archive.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYoZtB80V2Akl6ply9AxtibdOpjn3OBRia2wHuIdnnraHdYIar74VKibWTtw/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The archive structure is now shell/shell.php. Upload it again.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYoxBHn6XictBEI0X40RZBuTtGT2VFiclx2SRkntaE2JMJF44adlhGPLlEA/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The upload succeeds. There is no hint here, but we can look at the directory structure in the source, or simply copy an existing plugin's source and compress it, and then it becomes clear.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYo3FCsmmnibESC92XUJ2XFI34yY4cdGC7WYAUibAWoa803GKVJR9FsicUjA/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Our reasoning was right. Visit the address http://127.0.0.1:81/content/plugins/shell/shell.php</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYoxH0cHbrTxPElt5J4xOdy7AUpkMCIBkLiaBW3ceMBSgYTlMEnJENlC9w/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <h3 style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">CNVD-2023-74536</span></h3>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">According to the advisory, emlog pro /content/templates/ contains an arbitrary file upload vulnerability: a remote attacker can exploit it by submitting a specially crafted request, upload a malicious file, and execute arbitrary code in the context of the application.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Look at the page this location belongs to.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYocTwIAgIq7txNyppQxmyfUbtyalIjzVvjOsHIhSh5fHgcNtg1kOUOOA/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">It is the same kind of page as the previous vulnerability, so the logic is probably the same as well. Look at this upload location.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/sz_mmbiz_png/7fvjX482azIn9Zb24QeRZiaSRKNIeDtYoWje1ibaKHrmdMWEFS2giaSSeVI7FGol0f804A8kA4eqw5NDmP9TMv7AA/640?wx_fmt=png&amp;from=appmsg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">It calls the same upload_zip function, so we will not trace it any further.</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">Summary</span></h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Thank you for reading this far. The article is a bit long-winded, so please bear with me.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">For file uploads, pay attention to functions and variables such as $_FILES, move_uploaded_file and is_uploaded_file. Searching directly for the keyword "上传" (upload) or for the file upload.php also works. The tell-tale signs are fairly obvious; we only need to pay attention to the filtering and the various restrictions.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The above is just my humble opinion; take it for what it is worth, hehe.</p>
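    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Added example (not part of the original post, and not emlog code): a log-triage check for the two upload paths traced above. It flags direct requests to PHP files under /content/plugins/ or /content/templates/ that follow an archive upload from the same client. The log lines are constructed, and the action=upload_zip query parameter and the /admin/template.php path are assumptions about the deployment.</p>

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in common/combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Oct/2024:09:10:01 +0000] "GET /admin/plugin.php HTTP/1.1" 200 5120
203.0.113.7 - - [03/Oct/2024:09:10:40 +0000] "POST /admin/plugin.php?action=upload_zip HTTP/1.1" 302 0
203.0.113.7 - - [03/Oct/2024:09:10:55 +0000] "GET /content/plugins/shell/shell.php HTTP/1.1" 200 84211
198.51.100.9 - - [03/Oct/2024:09:30:00 +0000] "GET /content/plugins/tips/tips.php HTTP/1.1" 200 120
203.0.113.7 - - [03/Oct/2024:11:00:00 +0000] "POST /admin/template.php?action=upload_zip HTTP/1.1" 302 0
203.0.113.7 - - [03/Oct/2024:11:00:20 +0000] "GET /content/templates/demo/header.php HTTP/1.1" 200 640
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Upload handlers. /admin/plugin.php is named in the post; template.php and the
# action=upload_zip query parameter are assumptions, adjust to the deployment.
UPLOAD_RE = re.compile(
    r'^/admin/(?:plugin|template)\.php\?(?:.*&)?action=upload_zip(?:&|$)'
)
# Extraction targets named in the post: scripts one level below these roots.
DROPPED_RE = re.compile(
    r'^/content/(?:plugins|templates)/[^/?]+/[^?]*\.php(?:\?|$)', re.I
)
WINDOW = timedelta(minutes=10)


def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['target'], int(m['status'])


def find_upload_then_execute(log_text, window=WINDOW):
    """Return (ip, upload_target, requested_script) for every direct request
    to a script under content/plugins or content/templates that follows an
    accepted archive upload from the same client within `window`."""
    last_upload = {}  # client ip -> (timestamp, upload target)
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, target, status = rec
        if method == 'POST' and UPLOAD_RE.match(target) and status < 400:
            last_upload[ip] = (ts, target)
            continue
        if DROPPED_RE.match(target) and status == 200 and ip in last_upload:
            up_ts, up_target = last_upload[ip]
            if timedelta(0) <= ts - up_ts <= window:
                hits.append((ip, up_target, target))
    return hits


if __name__ == '__main__':
    for ip, upload, script in find_upload_then_execute(SAMPLE_LOG):
        print(f'{ip}: {upload} -> {script}')
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A legitimate plugin or template install produces the same sequence, so treat each hit as a lead to compare against change records and the contents of the extracted directory.</p>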



