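2013-08-01: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public.
2013-10-30: The vendor has actively ignored the vulnerability; details are disclosed to the public.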
简单cms (Simple CMS) getshell
    public function saveAvatar() {
        session_start ();
        define ( 'SD_ROOT', dirname ( __FILE__ ) . '/' );
        @header ( "Expires: 0" );
        @header ( "Cache-Control: private, post-check=0, pre-check=0, max-age=0", FALSE );
        @header ( "Pragma: no-cache" );
        // Two types are passed in here, one after the other: big and small.
        // After a successful save a JSON string is returned and the client then POSTs the next one.
        $type = isset ( $_GET ['type'] ) ? trim ( $_GET ['type'] ) : 'tupian';
        $orgin_pic_path = $_GET ['photoServer']; // original image path, kept as a spare. // file name
        // $from = $_GET['from']; // original image path, kept as a spare.
        $_path = explode ( '/', $orgin_pic_path );
        $num = count ( $_path );
        $path = '/';
        foreach ( $_path as $k => $v ) {
            if (($k + 1) == $num) {
                $filename = $v; // assignment
            } else {
                $path .= $v . '/';
            }
        }
        if ($type == 'big') {
            $pic_path = '../../../../Uploads/avatar_big/' . $filename; // file name
        } elseif ($type == 'small') {
            $pic_path = '../../../../Uploads/avatar_small/' . $filename;
        } else {
            $msg = json_encode ( 'error img!' );
            echo $msg;
            exit ();
        }
        $new_avatar_path = $pic_path;
        $len = file_put_contents ( SD_ROOT . $new_avatar_path, file_get_contents ( "php://input" ) ); // written out
        $avtar_img = imagecreatefromjpeg ( SD_ROOT . $new_avatar_path );
        imagejpeg ( $avtar_img, SD_ROOT . $new_avatar_path, 80 );
        // Output the location of the newly saved image; remember to change the domain path when testing.
        // The statusText that follows is the success message.
        // status 1 means the upload succeeded; anything else is a failure.
        $d = new pic_data ();
        // $d->data->urls[0] = 'http://sns.com/avatar_test/'.$new_avatar_path;
        $d->data->urls [0] = $new_avatar_path;
        $d->status = 1;
        $d->statusText = '上传成功!';
        $msg = json_encode ( $d );
        echo $msg;
        $user_mod = M ( "User" );
        $user_mod->where ( "is_del=0 and id=" . $_COOKIE ['id'] )->setField ( 'img', $filename );
        @unlink ( SD_ROOT . "../../../../Uploads/avatar_original/" . $_SESSION ['user_img'] );
        @unlink ( SD_ROOT . "../../../../Uploads/avatar_big/" . $_SESSION ['user_img'] );
        @unlink ( SD_ROOT . "../../../../Uploads/avatar_small/" . $_SESSION ['user_img'] );
    }
Add filtering.
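One way to apply that filtering, as an added example that is not the CMS's own code: saveAvatar() above writes the raw request body under a name taken from photoServer before any image check, so the hardened form lets the server choose the name and extension and stores only re-encoded image data. The function name, the $uploadRoot parameter and the 2 MiB limit are assumptions; it needs PHP 7+ with GD.

```php
<?php
// Added example (hypothetical helper, not part of the CMS).
// Assumes $uploadRoot is the absolute path of the Uploads directory.
function save_avatar_safely(string $type, string $body, string $uploadRoot): string
{
    // Only the two sizes the client legitimately sends map to a directory.
    $dirs = ['big' => 'avatar_big', 'small' => 'avatar_small'];
    if (!isset($dirs[$type])) {
        throw new InvalidArgumentException('unknown avatar type');
    }

    // Bound the request body before decoding it (limit is an assumed value).
    if ($body === '' || strlen($body) > 2 * 1024 * 1024) {
        throw new InvalidArgumentException('bad avatar size');
    }

    // Check the content itself, not a name or extension sent by the client.
    $info = @getimagesizefromstring($body);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new InvalidArgumentException('not a JPEG image');
    }
    $img = @imagecreatefromstring($body);
    if ($img === false) {
        throw new InvalidArgumentException('image could not be decoded');
    }

    // The server picks the name and the extension; nothing from the query
    // string reaches the path, so no client-chosen extension or directory
    // component can appear in it.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = rtrim($uploadRoot, '/') . '/' . $dirs[$type] . '/' . $name;

    // Write only the re-encoded pixels, never the raw request body.
    if (!imagejpeg($img, $dest, 80)) {
        throw new RuntimeException('could not write avatar');
    }
    return $name; // store this value in the user's img field
}

// Constructed call, as it would appear inside the handler:
// $name = save_avatar_safely($_GET['type'] ?? '',
//     file_get_contents('php://input'), '/var/www/Uploads');
```

Serving the Uploads directory with script execution disabled in the web server adds a second layer if a check like this is ever bypassed.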
Unable to contact the vendor, or the vendor actively refused.