当前位置:首页 » 《随便一记》 » 正文

某IP设备代码审计_HBohan的博客

28 人参与  2022年05月04日 13:42  分类 : 《随便一记》  评论

点击全文阅读


偶尔看到一个设备的漏洞挖掘。尝试也看了一下代码。如下:

参考:https://blog.csdn.net/HBohan/article/details/121492754

漏洞一、任意文件上传

<?php

$error = false;
$tmpFilePath = $_FILES['upload']['tmp_name'];
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");

if ($tmpFilePath != ""){
    $newFilePath = "./files/" . $_FILES['upload']['name'];

    if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN'){
        $newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8"); 
    }

    if(!move_uploaded_file($tmpFilePath, $newFilePath)) {
        $error = true;
    }
}

?>

URL:/upload/my_parser.php

【点击查看学习资料·攻略】

  1. 2000多本网络安全系列电子书
  2. 网络安全标准题库资料
  3. 项目源码
  4. 网络安全基础入门、Linux、web安全、攻防方面的视频
  5. 网络安全学习路线图

参数为upload

image

访问URL:/upload/files/11.php

漏洞二、任意文件上传

URL:/php/addscenedata.php

<?php
    require_once ('conversion.php');

    $arr['res'] = 0;
    $tmpFilePath = $_FILES['upload']['tmp_name'];   
    if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
        $tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
    }

    if ($tmpFilePath != ""){
        $newFilePath = "../images/scene/" . $_FILES['upload']['name'];
        if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
            $newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
        }

        if(move_uploaded_file($tmpFilePath, $newFilePath))
        {
            $arr['res'] = 1;
        }
    }

    echo JSON($arr);

?>

#漏洞三、任意文件写入
URL:/php/uploadjson.php

<?php
    require_once ('conversion.php');

    $arr['res'] = 0;
    $tmpFilePath = $_FILES['upload']['tmp_name'];   
    if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
        $tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
    }

    if ($tmpFilePath != ""){
        $newFilePath = "../images/scene/" . $_FILES['upload']['name'];
        if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
            $newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
        }

        if(move_uploaded_file($tmpFilePath, $newFilePath))
        {
            $arr['res'] = 1;
        }
    }

    echo JSON($arr);

?>

image

漏洞四、任意文件上传

URL:/php/addupdatefiles.php

<?php

$tmpFilePath = $_FILES['upload']['tmp_name'];
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");

if ($tmpFilePath != ""){
    $newFilePath = dirname(dirname(dirname(dirname(__FILE__))))."/upload/" . $_FILES['upload']['name'];

    if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN'){
        $newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
    }

    if(!move_uploaded_file($tmpFilePath, $newFilePath)) {
        echo '{"res": "1"}';
    } else {
        echo '{"res": "0"}';
    }
}
?>

任意文件读取

/php/getjson.php

<?php
    require_once ('conversion.php');

    $res = '{"res":"0"}';
    $postData = $_POST['jsondata']; 
    if (isset($postData['filename']))
    {   
        $filename = $postData['filename'];      
        // WIN
        $fullpath = dirname(dirname(__FILE__))."\\lan\\".$filename; 
        // Linux
        if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
            $fullpath = dirname(dirname(__FILE__))."/lan/".$filename; 
        }

        if (file_exists($fullpath))
        {
            $json_string = file_get_contents($fullpath);
            $res = '{"res":"1","data":'.$json_string.'}';
        }
    }
    echo $res;
?>

最重要的login.php 来了

最重要的login.php 来了

<?php
    require_once ('conversion.php');

    $postData = $_POST['jsondata'];
    $arr['res'] = 0;

    if (isset($postData['username'])) {
        $user = $postData['username'];
        $pass = $postData['password'];

        if ('800823' == $pass && 'administrator' == $user)
        {
            $arr['username'] = 'administrator';
            $arr['password'] = '800823';
            $arr['display'] = 'administrator';
            $arr['modules'] = '1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1';
            $arr['rights'] = '*';
            $arr['serverrights'] = '*';
            $arr['isadmin'] = '1';
            $arr['bindterminals'] = '';
            $arr['res'] = 1;
            $arr['mainurl'] = 'main';
            $arr['token'] = 'SESSION';
            echo JSON($arr);
        }
        else
        {
            $result = UdpSendAndRecvJson($postData, "login");
            echo $result;
        }
    }
?>

最后
有在学习网络安全的可以点击查看【网络安全学习资料·攻略】


点击全文阅读


本文链接:http://zhangshiyu.com/post/39459.html

<< 上一篇 下一篇 >>

  • 评论(0)
  • 赞助本站

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

关于我们 | 我要投稿 | 免责申明

Copyright © 2020-2022 ZhangShiYu.com Rights Reserved.豫ICP备2022013469号-1