.用友ICC网站客服系统远程代码执行漏洞EXP

admin

<?php
6 h5 r$ A2 ]3 |/**
" @# j$ S) T# X * uploadFlash.php
* Flash文件上传.
4 q6 \" e6 S- J7 U9 o9 w% } */
require_once('../global.inc.php');

; X' ^* z; x; h* \//operateId=1 上传,operateId=2 获取地址.
$operateId = intval($_REQUEST['operateId']);
if(empty($operateId)) exit;
) H# m1 R3 D- Z2 v5 }5 |7 T$ Z. }
if($operateId == 1){
$date = date("Ymd");
$dest = $CONFIG->basePath."data/files/".$date."/";
$COMMON->createDir($dest);
! v, B) f4 U# Y! N% S& C //if (!is_dir($dest)) mkdir($dest, 0777);
4 g4 c5 @! e& w9 \) H5 y- c
1 O1 ^7 q. \% }2 | $nameExt = strtolower($COMMON->getFileExtName($_FILES['Filedata']['name']));
' X& J! ]* s! a8 f4 I' R' U
+ ]0 A6 ]- L' f, A3 y2 _( k; L $allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');

' y: p' }. f$ w' D) J6 H+ [ if(!in_array($nameExt, $allowedType)){
+ A  e+ \+ H4 i! ]0 @  $msg = 0;
}
if(empty($msg)){
  $filename = getmicrotime().'.'.$nameExt;
/ m7 w0 _+ y- \4 P1 @1 Q  $file_url = urlencode($CONFIG->baseUrl.'data/files/'.$date."/".$filename);
  
, S  c  e9 i: i1 T& x  $filename = $dest.$filename;
  if(empty($_FILES['Filedata']['error'])){
7 ^) K/ D. s( X6 k. }; H8 ]   move_uploaded_file($_FILES['Filedata']['tmp_name'],$filename);
" o# o$ x: ^) k  }
. O) k" j/ b" ?) Y+ f/ Z  
) J$ T" `4 B2 I, o  if (file_exists($filename)){
   //$msg = 1;
: o8 f% ]0 g& g/ C' e4 G   $msg = $file_url;
   @chmod($filename, 0444);
( g9 c2 _$ r3 o, F2 L8 p  }else{
3 d7 X9 l) i1 J- U# d9 s& ^   $msg = 0;
  }
}
$outMsg = "fileUrl=".$msg;
4 y# g. X/ E! N+ O4 b $_SESSION["eoutmsg"] = $outMsg;
* u- F6 H% c3 I, F) V' k5 E9 b exit;
: ^" s) ^+ t- @}else if($operateId == 2){
, X- \; o, G6 Y" `8 t! s0 K" B $outMsg = $_SESSION["eoutmsg"];
if(!empty($outMsg)){
  session_unregister("eoutmsg");
  echo '&'.$outMsg;
  exit;
5 F9 D0 s5 A: R' V }else{
  echo "&fileUrl=0";
  exit;
}
}

function getmicrotime(){
* C& j5 }- u0 O    list($usec, $sec) = explode(" ",microtime());
+ p; k) C5 r/ d# v    return ((float)$usec + (float)$sec);
}

?>
& M6 r4 Y7 N$ C! _4 g9 l