### Arbitrary file upload: four instances of the same vulnerability

File locations:

```
/webservice/upload.php
/webservice/upload/upload.php
/webservice-json/upload/upload.php
/webservice-xml/upload/upload.php
```

All four files contain the following code:

```php
<?php
include_once( "inc/utility_all.php" );

// The extension check is run on tmp_name (the PHP temp file, e.g. /tmp/phpXXXXXX),
// not on the client-supplied name, so $extension is always empty.
$pathInfor = pathinfo( $_FILES['file']['tmp_name'] );
$extension = $pathInfor['extension'];
$role = UPLOADROLE;
$pos = $extension ? strpos( $role, strtoupper( $extension ) ) : false;

if ( !( $pos === false ) ) {
    echo "false";
} else {
    $attachmentID = createfiledir( );
    global $ATTACH_PATH;
    $path = $ATTACH_PATH.$attachmentID;
    if ( !file_exists( $path ) ) {
        mkdir( $path, 448 );   // 448 is decimal for mode 0700
    }
    $attachmentName = $_FILES['file']['tmp_name'];
    // The original client filename is used verbatim, extension included.
    $fileName = $path."/".$_FILES['file']['name'];
    $fileName = iconv( "UTF-8", "GBK", $fileName );
    move_uploaded_file( $_FILES['file']['tmp_name'], $fileName );
    if ( !file_exists( $fileName ) ) {
        echo "false";
    } else {
        echo $attachmentID."*".$_FILES['file']['name'];
    }
}
?>
```

The only check is a blacklist comparison of the file extension against `UPLOADROLE`, but it is applied to `$_FILES['file']['tmp_name']`, the temporary file PHP creates, which has no extension. `$extension` is therefore always empty, `$pos` is always `false`, and every upload is accepted regardless of its real name or content. The file is then written with the client-supplied name unchanged, so a `.php` file is stored as such. No login is required. On success the response echoes `attachmentID*filename`, which tells the uploader the directory the file was stored in.

The uploaded file ends up at:

```php
$path = $ATTACH_PATH.$attachmentID;
$fileName = $path."/".$_FILES['file']['name'];
move_uploaded_file( $_FILES['file']['tmp_name'], $fileName );
```

The code is identical in all four files, so it is not repeated here.
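The following is an added example, not code from the affected project. It reproduces the page's extension check as a function, runs it once on a temporary-file path of the shape PHP produces and once on the client-supplied name, and then shows a hardened handler. The value of `UPLOADROLE` is not shown on the page, so the blacklist below is an assumption, as are the `$isAuthenticated` callback, the allowlist and the attachment directory layout.

```php
<?php
// Added example. UPLOADROLE's real value is not on the page; this is an assumption.
define('UPLOADROLE', 'PHP,PHTML,PHP3,PHP4,PHP5,HTM,HTML,JS');

// Faithful copy of the page's check: true when the extension is on the blacklist.
function blocked_by_original_check(string $pathChecked): bool {
    $ext = pathinfo($pathChecked)['extension'] ?? '';
    $pos = $ext ? strpos(UPLOADROLE, strtoupper($ext)) : false;
    return $pos !== false;
}

// What the handler actually checks versus what it was meant to check.
$tmp  = '/tmp/phpA1b2C3';   // constructed: shape of $_FILES['file']['tmp_name'], no extension
$name = 'shell.php';        // constructed: attacker-controlled $_FILES['file']['name']
var_dump(blocked_by_original_check($tmp));   // bool(false): the upload is accepted
var_dump(blocked_by_original_check($name));  // bool(true): this is what should have run

// Hardened handler (assumed design): authentication hook, upload-error check,
// allowlist on the client-supplied name, server-generated filename on disk.
function handle_upload(array $file, string $attachDir, callable $isAuthenticated): ?string {
    if (!$isAuthenticated()) {
        return null;
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Allowlist, not blacklist, and evaluated on the name the client sent.
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'doc', 'docx', 'xls', 'xlsx', 'zip'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }

    // Never reuse the client name on disk: random basename, extension from the allowlist.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dir = rtrim($attachDir, '/') . '/' . date('Ym');
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {   // 0700, written as octal rather than 448
        return null;
    }
    $dest = $dir . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

// Usage, assuming a session check named requireLogin() exists in the application:
// $saved = handle_upload($_FILES['file'], '/var/www/attach', 'requireLogin');
// echo $saved === null ? 'false' : basename($saved);
```

Two design points. First, the fix is not just moving `pathinfo()` from `tmp_name` to `name`: a blacklist built with `strpos` would still miss any extension not listed (`phar`, `phtml` variants, server-specific handlers), so the hardened version uses an allowlist and stores the file under a random name, which also removes the `iconv`-converted client path from the filesystem. Second, the storage directory should sit outside the web root or have script execution disabled; a correct extension check limits the damage, but it should not be the only control.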