偶然一天,网上冲浪的时候找到了个西华大学校长信箱的网页https://ai.xhu.edu.cn/EIP/nonlogin/cooperative/openCooperative.htm?flowId=4af31ed47d313b03017d35f857e323f6
研究了下附件上传的接口,支持上传png,jpg,jpeg,doc,docx,wps,wpt,xls,xlsx,ppt,pptx,pdf,zip,rar,7z,xml类型的文件,文件大小最大为50MB
上传接口在https://ai.xhu.edu.cn/EIP/fileupload/uploadfile.htm;jsessionid=adb0288e-f9a0-4a73-be7e-a89a76b39259?thumbnail=true&thumbnailSpecies=gif,png,jpg,jpeg,jpe,bmp,dib,jfif,tif,tiff&savePath=fileupload/files/
其中jsessionid需要生成
判断jsessionid是否要生成的条件为User-Agent,可以通过伪造生成不同的UA上传文件,以免被BAN
然后上传到接口即可
上传参数:
select => null
select2 => null
access2008_box_info_max => 1
access2008_box_info_upload => 2
access2008_box_info_over => 0
Filedata => 图片
查询字符串参数:
thumbnail => true
thumbnailSpecies => gif,png,jpg,jpeg,jpe,bmp,dib,jfif,tif,tiff
savePath => fileupload/files/
<?php
// Per-visitor PHP session caches the last remote JSESSIONID and how many uploads it has been used for
// (the id is refreshed by the POST handler further down once the count reaches 10).
session_start();
if (!isset($_SESSION['jsessionid'])) {
$_SESSION['jsessionid'] = [
// remote JSESSIONID value; '' means none has been obtained yet
'id' => '',
// uploads performed with the cached id; reset to 0 whenever a new id is fetched
'count' => 0
];
}
/**
 * Fetch the public cooperative page and extract a JSESSIONID from its first Set-Cookie header.
 *
 * Returns the cookie value as a string, or null when cURL fails (the error is echoed) or when the
 * first Set-Cookie header does not contain "JSESSIONID". Only the first Set-Cookie header is
 * inspected, and the cURL handle is not explicitly closed.
 */
function getJSessionId() {
    $target = 'https://ai.xhu.edu.cn/EIP/nonlogin/cooperative/openCooperative.htm?flowId=4af31ed47d313b03017d35f857e323f6';
    $handle = curl_init();
    curl_setopt_array($handle, [
        CURLOPT_URL => $target,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_USERAGENT => generateUserAgent('desktop'),
        // Headers are needed in the body so the Set-Cookie line can be parsed below.
        CURLOPT_HEADER => true,
    ]);

    $raw = curl_exec($handle);
    if ($raw === false) {
        echo 'cURL Error: ' . curl_error($handle);
        return null;
    }

    // Split the header block off the combined header+body response.
    $headerLength = curl_getinfo($handle, CURLINFO_HEADER_SIZE);
    $rawHeaders = substr($raw, 0, $headerLength);

    // Case-insensitive, multi-line match of the first Set-Cookie header up to its first ';'.
    if (!preg_match('/^Set-Cookie:\s*([^;]*)/mi', $rawHeaders, $found)) {
        return null;
    }
    $firstCookie = $found[1];
    if (strpos($firstCookie, 'JSESSIONID') === false) {
        return null;
    }

    // "NAME=value" -> value
    return explode('=', $firstCookie)[1];
}
// Entry point: only a POST carrying a multipart field named "file" is relayed; any other request gets the prompt below.
// NOTE(review): this endpoint accepts uploads from any caller with no authentication and no local size/type
// check of its own — the only limits applied are whatever the remote server enforces.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
// Re-fetch the remote JSESSIONID when none is cached or the cached one has already been used for 10 uploads.
if ($_SESSION['jsessionid']['count'] >= 10 || empty($_SESSION['jsessionid']['id'])) {
$_SESSION['jsessionid']['id'] = getJSessionId();
$_SESSION['jsessionid']['count'] = 0;
}
$sessionId = $_SESSION['jsessionid']['id'];
// getJSessionId() returns null on failure; stop here rather than upload without a session.
if (empty($sessionId)) {
echo '无法获取 JSESSIONID';
exit;
}
$url = 'https://ai.xhu.edu.cn/EIP/fileupload/uploadfile.htm';
// Request headers are sent verbatim; only the Cookie line is built from the cached session id.
$headers = [
'Accept: */*',
'Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
'Connection: keep-alive',
// NOTE(review): "Secure;" appears inside the Cookie header value (twice), where it is just a
// cookie-pair fragment, not an attribute — presumably copied from a browser capture.
'Cookie: Secure; JSESSIONID=' . $sessionId . '; Secure',
'Host: ai.xhu.edu.cn',
'Origin: https://ai.xhu.edu.cn',
'Referer: https://ai.xhu.edu.cn/EIP/fileupload/uploadwindow/open.htm',
'Sec-Fetch-Dest: empty',
'Sec-Fetch-Mode: cors',
'Sec-Fetch-Site: same-origin',
'User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1 Edg/130.0.0.0',
];
// Multipart form body; the non-file fields mirror the parameter list documented above the script.
$postFields = [
'select' => '',
'select2' => '',
'access2008_box_info_max' => 1,
'access2008_box_info_upload' => 2,
'access2008_box_info_over' => 0,
// NOTE(review): $_FILES['file']['error'] is never checked, and the client-supplied MIME type and
// original filename are forwarded unvalidated; a failed PHP upload (empty tmp_name) still reaches cURL.
'Filedata' => new CURLFile($_FILES['file']['tmp_name'], $_FILES['file']['type'], $_FILES['file']['name']),
];
// Query string parameters are fixed; savePath is the remote directory the server writes into.
$query = http_build_query([
'thumbnail' => 'true',
'thumbnailSpecies' => 'gif,png,jpg,jpeg,jpe,bmp,dib,jfif,tif,tiff',
'savePath' => 'fileupload/files/',
]);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url . '?' . $query);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
if (curl_errno($ch)) {
echo 'Error:' . curl_error($ch);
} else {
// NOTE(review): urldecode() is applied to the whole body before JSON parsing, and json_decode()'s
// result is not checked — on a non-JSON reply $data is null and only the base URL is echoed.
$json_string = urldecode($response);
$data = json_decode($json_string, true);
// NOTE(review): downloadUrl comes from the remote response and is echoed without escaping.
echo 'https://ai.xhu.edu.cn/EIP/' . $data['downloadUrl'];
// Counted whenever cURL itself succeeded, regardless of whether the reply contained downloadUrl.
$_SESSION['jsessionid']['count']++;
}
curl_close($ch);
} else {
echo 'Please upload a file.';
}
/**
 * Build a User-Agent string from a randomly chosen sprintf template.
 *
 * @param string $deviceType 'mobile' selects the mobile template pool; any other value selects desktop.
 * @return string The template with its %d placeholders filled from three rand() draws
 *                (major, minor, major, minor, build).
 *
 * NOTE(review): sprintf() raises ArgumentCountError on PHP 8 when a template has more placeholders
 * than the five values supplied; the Android templates below carry six. The rest of this file only
 * calls the function with 'desktop'.
 */
function generateUserAgent($deviceType = 'desktop') {
    $desktopTemplates = [
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%d.%d.%d.%d Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; AS; rv:11.0) like Gecko',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/%d.%d Safari/605.1.15',
        'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:%d.%d) Gecko/20100101 Firefox/%d.%d',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%d.%d.%d.%d Safari/537.36',
    ];
    $mobileTemplates = [
        'Mozilla/5.0 (Linux; Android %d.%d; Nexus 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%d.%d.%d.%d Mobile Safari/537.36',
        'Mozilla/5.0 (iPhone; CPU iPhone OS %d_%d like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/%d.%d Mobile/15E148 Safari/604.1',
        'Mozilla/5.0 (Linux; Android %d.%d; Galaxy S20) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%d.%d.%d.%d Mobile Safari/537.36',
        'Mozilla/5.0 (Linux; Android %d.%d; Pixel 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%d.%d.%d.%d Mobile Safari/537.36',
    ];

    // Draw the version numbers first, then pick the template (keeps the RNG consumption order stable).
    $major = rand(70, 100);
    $minor = rand(0, 9);
    $build = rand(1000, 9999);

    $pool = ($deviceType === 'mobile') ? $mobileTemplates : $desktopTemplates;
    $template = $pool[array_rand($pool)];

    return sprintf($template, $major, $minor, $major, $minor, $build);
}
?>
https://ai.xhu.edu.cn/EIP/fileupload/downloadfile.htm?id=02675a81c5e741fea33b72bbd6ae1725.jpg&path=fileupload.files.&name=bIJTVaR3MLPzcZ7.jpg