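Code Audit of a Certain IP Device
I happened to come across a vulnerability-hunting write-up for a device, so I had a look at the code myself. It is as follows:
Reference: https://blog.csdn.net/HBohan/article/details/121492754
Vulnerability 1: Arbitrary file upload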
<?php
$error = false;
$tmpFilePath = $_FILES['upload']['tmp_name'];
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
if ($tmpFilePath != "") {
    // The destination path uses the client-supplied file name with no extension or type check
    $newFilePath = "./files/" . $_FILES['upload']['name'];
    if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
        $newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
    }
    if (!move_uploaded_file($tmpFilePath, $newFilePath)) {
        $error = true;
    }
}
?>
URL: /upload/my_parser.php
The parameter is upload.
Access URL: /upload/files/11.php
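For contrast with the handler above, a hardened upload handler as an added example (not code from the device or from the original post): the client-supplied name is used only for an allowlisted extension, and the file is stored under a random name. The image-only allowlist, the upload directory outside the web root, and the names ALLOWED_EXT, UPLOAD_DIR, safe_stored_name and store_upload are assumptions made for illustration.

```php
<?php
// Added example, not the device's code. ALLOWED_EXT, UPLOAD_DIR and both
// function names are assumptions made for illustration.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];
const UPLOAD_DIR  = '/var/data/uploads'; // assumed path outside the web root

// Returns a server-generated name, or null when the client name is rejected.
function safe_stored_name(string $clientName): ?string
{
    // Normalise backslashes, then drop any directory part such as "../".
    $base = basename(str_replace('\\', '/', $clientName));
    if ($base === '' || strpos($base, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Only the checked extension survives; the rest of the name is random.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Validates one $_FILES entry and moves it; returns the stored name or null.
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = safe_stored_name((string) ($file['name'] ?? ''));
    if ($name === null || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Content sniffing (fileinfo extension) as a second check on the type.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (strpos($mime, 'image/') !== 0) {
        return null;
    }
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name) ? $name : null;
}

if (isset($_FILES['upload'])) {
    echo json_encode(['res' => store_upload($_FILES['upload']) === null ? 0 : 1]);
} else {
    // CLI run: constructed file names showing which ones the check accepts.
    foreach (['11.php', '../../a.php', 'shell.phtml', 'photo.JPG', '..\\x.png'] as $n) {
        printf("%-12s %s\n", $n, safe_stored_name($n) === null ? 'rejected' : 'accepted');
    }
}
```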
Vulnerability 2: Arbitrary file upload
URL: /php/addscenedata.php
<?php
require_once ('conversion.php');
$arr['res'] = 0;
$tmpFilePath = $_FILES['upload']['tmp_name'];
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
    $tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
}
if ($tmpFilePath != "") {
    // Same pattern: the client-supplied file name is appended to the target directory unchecked
    $newFilePath = "../images/scene/" . $_FILES['upload']['name'];
    if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
        $newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
    }
    if (move_uploaded_file($tmpFilePath, $newFilePath)) {
        $arr['res'] = 1;
    }
}
echo JSON($arr);
?>
Vulnerability 3: Arbitrary file write
URL: /php/uploadjson.php
Vulnerability 4: Arbitrary file upload
URL: /php/addupdatefiles.php
<?php
$tmpFilePath = $_FILES['upload']['tmp_name'];
$tmpFilePath = mb_convert_encoding($tmpFilePath, "GBK", "UTF-8");
if ($tmpFilePath != "") {
    // Target is the upload directory four levels above this script, plus the client-supplied name
    $newFilePath = dirname(dirname(dirname(dirname(__FILE__)))) . "/upload/" . $_FILES['upload']['name'];
    if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
        $newFilePath = mb_convert_encoding($newFilePath, "GBK", "UTF-8");
    }
    if (!move_uploaded_file($tmpFilePath, $newFilePath)) {
        echo '{"res": "1"}';
    } else {
        echo '{"res": "0"}';
    }
}
?>
Arbitrary file read
/php/getjson.php
<?php
require_once ('conversion.php');
$res = '{"res":"0"}';
$postData = $_POST['jsondata'];
if (isset($postData['filename'])) {
    // filename comes straight from the request and is concatenated into the path
    $filename = $postData['filename'];
    // WIN
    $fullpath = dirname(dirname(__FILE__))."\\lan\\".$filename;
    // Linux
    if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
        $fullpath = dirname(dirname(__FILE__))."/lan/".$filename;
    }
    if (file_exists($fullpath)) {
        $json_string = file_get_contents($fullpath);
        $res = '{"res":"1","data":'.$json_string.'}';
    }
}
echo $res;
?>
Now for the most important one, login.php:
<?php
require_once ('conversion.php');
$postData = $_POST['jsondata'];
$arr['res'] = 0;
if (isset($postData['username'])) {
    $user = $postData['username'];
    $pass = $postData['password'];
    // Hard-coded administrator credentials are checked before the normal login path
    if ('800823' == $pass && 'administrator' == $user) {
        $arr['username'] = 'administrator';
        $arr['password'] = '800823';
        $arr['display'] = 'administrator';
        $arr['modules'] = '1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1';
        $arr['rights'] = '*';
        $arr['serverrights'] = '*';
        $arr['isadmin'] = '1';
        $arr['bindterminals'] = '';
        $arr['res'] = 1;
        $arr['mainurl'] = 'main';
        $arr['token'] = 'SESSION';
        echo JSON($arr);
    } else {
        // All other credentials are forwarded to the backend login over UDP
        $result = UdpSendAndRecvJson($postData, "login");
        echo $result;
    }
}
?>