Fashion Uprising Open Source topic microblogging system v.0.4.5 Upload vulnerability

The vulnerability appears in the/action/upload.php file

1<?PHP2 /**3 **4 **by Qiniao5 **/6!defined(' Qiniao_root ') &&Exit(' Access deined! ');7 if($uid= = 0)8 {9 Echo"Please log in and upload your photos!" <a href = ' javascript:history.go (-1); ' > Return </a> ";Ten Exit; One } A $uptypes=Array(  -' Image/jpg ', -' Image/jpeg ', the' Image/png ', -' Image/pjpeg ', -' Image/gif ', -' Image/bmp ', +' Image/x-png ' - ); + if($_post[' Submit ']== ' upload ') A     { at     $file=$_files["Upfile"]; -     $fname=$_files["Upfile"] ["Name"]; -     $fname _array=Explode(‘.‘,$fname); -     $fname=$fname _array[Count($fname _array)-2];//or write $fname = $fname _array[' 0 ']; -     $extend=$fname _array[Count($fname _array)-1];////or write $extend = $fname _array[' 1 ']; -     $MAX _file_size= 512000; in     //to create the picture folder at the current location of the file, to create it in the previous level directory. /picture/"; -      to      +     $dest _folder= ' data/uploadfile/content/'.Date(' YMD '). ' /‘; -      the     if($extend!="") *         { $         if(!In_array($file["Type"],$uptypes))Panax Notoginseng             { -             Echo"Only upload picture Files!" <a href = ' javascript:history.go (-1); ' > Return </a> "; the             Exit; +             } A...

The code line 12th, using $uptypes to define a white list, using the array control allows the upload of the file type, in the 36th if statement line to judge, if the file type is not in the $uptypes array, it is forbidden to upload, but used to judge the $file is in line 23rd by $_files [' Upfile '] is assigned, while the $_files array is controllable on the client.

In the code behind the file to process the upload:

1 if(Move_uploaded_file($_files["Upfile"] ["Tmp_name"],$uploadfile))2             {3             $dest=$dest _folder.$randval.‘.‘.$extend.‘ _view.jpg ';4             chmod($uploadfile, 0755);5             $resizeimage=NewResizeimage ("$uploadfile"," 100 "," 80 "," 1 ","$dest");6             Header(' location:index.php?action=group&id= '.$gid.‘‘);7             }8         Else9             {Ten             Echo"Picture sharing failed!" <a href = ' javascript:history.go (-1); ' > Return </a> "; One}

Will generate two file names, one is the original file name is uploaded, the other is the 3rd line of code, after the original file name is added a ' _view.jpg ' suffix, estimated to be the file name of the thumbnail image.

Poc:

First sign up for an account, and then send a tweet to upload photos

Upload a test file test.php, where there is only one code phpinfo (); Then you need to grab the bag.

Is the content of the original packet, of course, can not upload directly, so that the type of judgment will not pass, upload, you need to change the red box label, change to $uptypes array of any value defined in the

This is the modified packet

Then upload, in the foreground, the mouse moved to the top of the picture, you can see the picture path, PHP file has been uploaded successfully

Access the file directly in the browser

Fashion Uprising Open Source topic microblogging system v.0.4.5 Upload vulnerability