Cyask writes its parameter settings to a PHP cache file. When building the cache it reads the settings back from the database without filtering and concatenates them directly into the file, so a stored string setting becomes PHP source the moment the cache file is included. As a result, a webshell can be written through the settings form.

Analysis:
admin/setting_manage.php:

```php
<?php
    // ...
    admin_footer();
    exit();
} elseif ($admin_action == 'setting_edit') {
    if (isset($_POST['edit_submit'])) {
        $query = $dblink->query("SELECT * FROM {$tablepre}set where t in ('str','num')");
        while ($row = $dblink->fetch_array($query)) {
            // write the settings to the database, not filtered (by unknownman)
            $dblink->query("UPDATE {$tablepre}set set v='".$_POST[$row['k']]."' where k='".$row['k']."'");
        }
        create_cache('variable'); // write cache (by unknownman)
        header("location: admin.php?admin_action=var_setting");
    } else {
        $query = $dblink->query("SELECT * FROM {$tablepre}set where t in ('str','num') order by t");
        admin_header();
?>
```

The create_cache function is located in include/global.func.php:

```php
function create_cache($cachename) {
    global $dblink, $tablepre;
    $prefix = 'cache_';
    $cachedata = '';
    if ($cachename == 'variable') {
        // retrieve the settings from the database (by unknownman)
        $query = $dblink->query("SELECT * FROM {$tablepre}set where t in ('str','num')");
        $cachedata .= "\n";
        while ($row = $dblink->fetch_array($query)) {
            if ($row['t'] == 'str') {
                // the string is not filtered (by unknownman)
                $cachedata .= "\$".$row['k']."='".$row['v']."';\n";
            } elseif ($row['t'] == 'num') {
                // simple numeric parameter filtering (by unknownman)
                $cachedata .= "\$".$row['k']."=".intval($row['v']).";\n";
            }
        }
    } elseif ($cachename == 'style') {
        $query = $dblink->query("SELECT templateid, name, tpldir, styledir FROM {$tablepre}tpl order by templateid");
        $num = $dblink->num_rows($query);
        $cachedata .= "\$_DCACHE['style'] = array(\n";
        $i = 1;
        while ($row = $dblink->fetch_array($query)) {
            $cachedata .= $row['templateid']." => array(\n";
            foreach ($row as $key => $val) {
                // $val = addslashes($val);
                if ($key == 'styledir') $cachedata .= "'$key' => '$val'\n";
                else $cachedata .= "'$key' => '$val',\n";
            }
            if ($i == $num) $cachedata .= ")\n";
            else $cachedata .= "),\n";
            $i++;
        }
        $cachedata .= ");\n";
    } else {
        exit('cachename error!');
    }
    $dir = CYASK_ROOT.'../askdata/cache/';
    if (!is_dir($dir)) {
        @mkdir($dir, 0777);
    }
    // write the php file (by unknownman)
    if (@$fp = fopen("$dir$prefix$cachename.php", 'w')) {
        // the php file itself is not set securely; anyone can access it (by unknownman)
        fwrite($fp, "<?php\n// Cyask cache file\n// Created on ".date("Y-m-d H:i:s")."\n$cachedata?>");
        fclose($fp);
    } else {
        exit('Can not write to cache files, please check directory ./askdata/ and ./askdata/cache/.');
    }
}
```
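The root cause is that create_cache() pastes the raw value of a `str` setting between two quote characters, so the stored data and the generated code share one string. The following is an added example, not Cyask's own code, that puts the original construction next to a hardened one and loads both the way a cache file would be loaded. The rows, the probe value and the helper names (build_unsafe, build_safe, load_cache) are constructed for this demonstration; the hardened builder restricts setting names to identifiers and emits every value through var_export(), so whatever the value contains it lands in the file as a quoted, escaped literal.

```php
<?php
// Added example (not Cyask's code): why the cache must be generated from
// literals, not from string concatenation. Rows are constructed inline in the
// shape create_cache() reads from the `set` table, so this runs stand-alone.
$rows = [
    ['k' => 'sitename', 't' => 'str', 'v' => "Cyask Demo"],
    ['k' => 'pagesize', 't' => 'num', 'v' => "20abc"],
    // Probe value: a closing quote followed by a harmless statement. Any value
    // an operator can store in a str setting may carry such characters.
    ['k' => 'slogan',   't' => 'str', 'v' => "it'; echo 'x'; //"],
];

// The original construction: the value is pasted between quotes, unescaped.
function build_unsafe(array $rows): string {
    $out = '';
    foreach ($rows as $row) {
        if ($row['t'] == 'str') {
            $out .= "\$".$row['k']."='".$row['v']."';\n";
        } elseif ($row['t'] == 'num') {
            $out .= "\$".$row['k']."=".intval($row['v']).";\n";
        }
    }
    return $out;
}

// Hardened construction: the setting name must be a plain identifier (it is
// interpolated as a variable name), and the value goes through var_export(),
// which returns PHP source for a literal with quotes and backslashes escaped.
function build_safe(array $rows): string {
    $out = '';
    foreach ($rows as $row) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $row['k'])) {
            throw new InvalidArgumentException("bad setting name: ".$row['k']);
        }
        if ($row['t'] == 'str') {
            $out .= '$'.$row['k'].' = '.var_export((string)$row['v'], true).";\n";
        } elseif ($row['t'] == 'num') {
            $out .= '$'.$row['k'].' = '.var_export(intval($row['v']), true).";\n";
        }
    }
    return $out;
}

// Write a generated body to a temporary cache file and include it, the way
// the application would, capturing both the resulting variables and any
// output the file produced while being loaded.
function load_cache(string $body): array {
    $file = tempnam(sys_get_temp_dir(), 'cache_');
    file_put_contents($file, "<?php\n// constructed cache file\n".$body);
    ob_start();
    $vars = (function () use ($file) {
        include $file;            // assignments land in this closure's scope
        return get_defined_vars();
    })();
    $printed = ob_get_clean();
    unlink($file);
    unset($vars['file']);
    return ['vars' => $vars, 'printed' => $printed];
}

$unsafe = load_cache(build_unsafe($rows));
$safe   = load_cache(build_safe($rows));

// Unsafe file: slogan is truncated to 'it' and the rest of the value ran as
// code (the echo printed "x"). Safe file: slogan round-trips unchanged and
// loading the cache printed nothing.
printf("unsafe: slogan=%s printed=%s\n",
    var_export($unsafe['vars']['slogan'], true), var_export($unsafe['printed'], true));
printf("safe:   slogan=%s printed=%s\n",
    var_export($safe['vars']['slogan'], true), var_export($safe['printed'], true));
printf("pagesize (both): %d / %d\n", $unsafe['vars']['pagesize'], $safe['vars']['pagesize']);
```

The second weakness the analysis notes, that the generated file sits in a web-reachable directory and can be requested directly, is not addressed by escaping. The usual treatment is to place askdata/cache outside the document root or deny it in the web server configuration, and to have the generated file begin with a guard that exits unless a constant defined by the including script is present (the constant name would be whatever the application already uses for that purpose; none is shown on this page).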