作者:心灵

    也是那句,最后能拿到WEBSHELL都统称0DAY。o(∩_∩)o 哈哈。

    经典对白看代码,首先是本地包含。

ajax.php:

// Loads the module file for this request: MOD_PATH . <mod> . '.mod.php', where <mod> is
// whatever SetEvent() returns -- i.e. the raw `mod` request parameter (see SetEvent below).
// Note that SetEvent() is declared without any parameter, so the $config['default_module']
// argument passed here is ignored; the include target is therefore request-controlled unless
// SetEvent() actually rejects names outside its allowlist.
require_once MOD_PATH.$this->SetEvent($config['default_module']).'.mod.php';
//再看SetEvent 
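/**
 * Resolve the module name for the current request and mirror it into $_POST/$_GET.
 *
 * The caller builds a require_once path from the return value, so this function is the
 * only thing standing between the request and an arbitrary-file include.  The name is
 * accepted only if it is a plain string present in the allowlist below; anything else
 * renders error_404.php and terminates the request.
 *
 * NOTE(review): the caller passes $config['default_module'] as an argument, but this
 * function has never declared a parameter, so no fallback to a default module happens
 * when `mod` is absent -- the request is rejected instead.  Confirm whether a default
 * was intended before adding one.
 *
 * @return string the validated module name
 */
function SetEvent()
        {
                // Allowlist of module names that may be loaded by the caller's require_once.
                $modss = array('check'=>1,'getseller'=>1,'member'=>1);
                // Module name comes straight from the request; POST wins over GET.  Neither
                // key is assumed to exist, so a request without `mod` yields null instead of
                // an undefined-index notice.
                $mod = isset($_POST['mod']) ? $_POST['mod'] : (isset($_GET['mod']) ? $_GET['mod'] : null);
                // BUG FIX: the original tested isset($modss) -- the array itself, which is
                // always set -- so the allowlist never rejected anything and any string
                // reached the require_once path.  Test the requested NAME against the
                // allowlist; is_string() also rejects array-valued parameters (mod[]=...),
                // which isset() would otherwise accept after an implicit conversion.
                if(!is_string($mod) || !isset($modss[$mod])) {
                        include(INCLUDE_PATH.'error_404.php');
                        exit;
                }
                // Mirror the validated name so later code can read it from either array.
                $_POST['mod'] = $_GET['mod'] = $mod;
                return $mod;
        }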

    那么,以 .mod.php 结尾的文件里,哪些能用呢?

    以下是上传漏洞。

    看 modules\admin\tttuangou.mod.php  //后台文件!

modules\admin\tttuangou.mod.php:

class ModuleObject extends MasterObject{
        var $city;
        /**
         * PHP4-style constructor (no __construct is visible in this excerpt -- confirm none
         * exists elsewhere in the class).  Calls MasterObject() on the parent, loads the
         * logic layers this admin module uses, records the config and the request id, and
         * then dispatches the request immediately via Execute() -- so every handler reached
         * through Execute() runs as a side effect of instantiating this object.
         *
         * @param mixed $config module configuration; stored unchanged in $this->config
         */
        function ModuleObject($config){
                // Parent-constructor call, then load the product logic.  Load::logic() is
                // presumably what makes each *Logic class available -- each call precedes
                // the matching `new`, so the order matters.
                $this->MasterObject($config);                Load::logic('product');
                $this->ProductLogic = new ProductLogic();
                Load::logic('pay');
                $this->PayLogic = new PayLogic();
                Load::logic('me');
                $this->MeLogic = new MeLogic();
                Load::logic('order');
                $this->OrderLogic = new OrderLogic();
                $this -> config =$config;
                // Request id: a truthy POST id wins over the GET id; cast to int.
                // $this->Post / $this->Get are presumably filled by MasterObject -- verify.
                $this->ID = (int) ($this->Post['id'] ? $this->Post['id'] : $this->Get['id']);
                // Dispatch on $this->Code right away (see Execute below).
                $this->Execute();
        }
        //很幸运地以上自定义函数都已经定义了
function Execute(){
        switch($this->Code){
                case 'varshow':
                        $this->Varshow();
                        break;
                case 'varedit':
//忽略一堆东西
case 'dositelogo':
        $this->doSiteLogoManager();
//再看doSiteLogoManager
function doSiteLogoManager()
        {
                //这里忽略一些没用的东西
                        $_FILES['uploads']['name'] = $FILES_O['uploads']['name'][$i];
        //继续忽略
                        $default_type=array('jpg','pic','png','jpeg','bmp','gif');                         $imgary=explode('.',$_FILES['uploads']['name']);
                        if(!in_array(strtolower($imgary[count($imgary)-1]),$default_type)){
                                $this->Messager('不允许上传的图片格式!');
                        }
//这里限制了后缀
                        $full_path = urldecode($this->Get['path']);
                        $fp_ary = explode('/', $full_path);
                        $file = $fp_ary[count($fp_ary)-1];
                        $dir = '';
                        for ($i=0;$i<count($fp_ary)-1;$i++)
                        {
                                if ($fp_ary[$i] != '.')
                                {
                                        $dir .= $fp_ary[$i].'/';
                                }
                        }   
                        $dir = './'.$dir;  //o(∩_∩)o 哈哈  悲剧 path自定义名字可以了 直接上传JPG
                        require_once LIB_PATH . 'upload.han.php';
                        $upload_handler = new UploadHandler($_FILES, $dir, 'uploads' , true);

    同时还发现2处没用的包含漏洞,modules\me.mod.php。

modules\me.mod.php:

function Readdmoney(){
        $pay_code = (isset($_POST['pay']) ? $_POST['pay'] : $_GET['pay']); //没过滤
//忽略...
        include_once('./modules/'.$pay_code.'.pay.php');

    还有 index.mod.php。

index.mod.php:

function Repay(){
        $pay_code = (isset($_POST['pay']) ? $_POST['pay'] : $_GET['pay']);  //一样没过滤
//也忽略...
        include_once('./modules/'.$pay_code.'.pay.php');

    以 .pay.php 结尾的只有 3 个在线支付文件,还没什么用。

    一切GPC后的东西都是浮云,唯有超长字符截断了。