Front-end time-based blind SQL injection
In the front-end work rating (评分) function:
lib\home\action\commaction.class.php
Line 56:
$ting_id = $_GET["id"];
Line 133:
$ting_gold = $mod->where("ting_id='$ting_id'")->getField("ting_gold");
$ting_id is concatenated into the WHERE clause without any filtering, and because the page does not echo the query result clearly, this is exploited as a time-based blind injection.
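As an added example (not GxlCMS code), here is the same lookup written so that the id is bound as a query parameter rather than interpolated into the WHERE string. The table name `ting`, the PDO connection and the SQLite fixture are assumptions made for the demonstration.

```php
<?php
// Added example, not code from GxlCMS. Assumes a table `ting` with the
// columns ting_id and ting_gold that the original query references.
function getTingGold(PDO $pdo, $rawId) {
    // ting_id is compared as a number in the original query, so anything
    // that is not a plain digit string can be rejected before the query.
    if (!ctype_digit((string)$rawId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT ting_gold FROM ting WHERE ting_id = :id');
    $stmt->bindValue(':id', (int)$rawId, PDO::PARAM_INT);
    $stmt->execute();
    $gold = $stmt->fetchColumn();
    return $gold === false ? null : (int)$gold;
}

// Constructed fixture: an in-memory SQLite database standing in for the CMS table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ting (ting_id INTEGER PRIMARY KEY, ting_gold INTEGER)');
$pdo->exec('INSERT INTO ting (ting_id, ting_gold) VALUES (1, 50)');

var_dump(getTingGold($pdo, '1'));            // int(50)
var_dump(getTingGold($pdo, "1' AND 1=1#"));  // NULL: rejected before any SQL runs
```

Even where the framework's `where()` string form is kept, casting `$_GET['id']` to an integer at line 56 would close this particular injection; binding the value is the general fix.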
Backend getshell
Backend attachment settings
Fuzzing the input shows that "php" is filtered to empty, so submitting "pphphp" becomes "php".
Tracing into \lib\admin\action\adminaction.class.php:
$config['upload_class'] = trim(str_replace(array(/* blocked extensions; the list is lost in extraction, the write-up shows 'php' and 'txt' being removed */), '', strtolower($config['upload_class'])), ',');
Capture the request, trace it, and find the same action:
$upload_class = str_replace(array(/* same blocked-extension list */), '', strtolower(C('upload_class')));
var_dump(strtolower(C('upload_class')));
The attachment configuration is replaced once here and then written into config.php; when it is read back out of config.php it is replaced a second time. So in the attachment settings, construct a value that only becomes the php suffix after two replacements.
I used ptxtptxthtxtptxthtxtp here.
After one replacement: pphphp
After two replacements: php
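As an added example (not GxlCMS code), the following reproduces the double-replacement behaviour the write-up describes and places an allowlist check beside it that does not depend on deleting substrings. The blocked list (`php`, `txt`, in that order) and the allowed list are assumptions inferred from the page's own example value.

```php
<?php
// Added example, not code from GxlCMS.
// Assumed blacklist: the order ['php', 'txt'] is what makes the page's value
// need two passes, since str_replace applies the array entries in sequence.
$blocked = array('php', 'txt');

// The vulnerable pattern: strip blocked substrings from the config value.
// GxlCMS runs this once when saving config.php and again when reading it.
function stripBlocked($value, array $blocked) {
    return trim(str_replace($blocked, '', strtolower($value)), ',');
}

$submitted = 'ptxtptxthtxtptxthtxtp';        // the value from the write-up
$once  = stripBlocked($submitted, $blocked);  // "pphphp"
$twice = stripBlocked($once, $blocked);       // "php"
var_dump($once, $twice);

// The hardened pattern: never derive the allowed set by deletion. Split the
// submitted list, normalise each token, and keep only exact allowlist matches.
// Repeating this is harmless, because a filtered list filters to itself.
function sanitizeUploadClass($value, array $allowed) {
    $out = array();
    foreach (explode(',', strtolower($value)) as $ext) {
        $ext = trim($ext);
        if ($ext !== '' && in_array($ext, $allowed, true)) {
            $out[] = $ext;
        }
    }
    return implode(',', array_unique($out));
}

// At upload time, compare the file's last extension against the stored list.
function isUploadAllowed($filename, $uploadClass) {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, explode(',', $uploadClass), true);
}

$allowed = array('jpg', 'png', 'gif', 'zip');          // assumed allowlist
$stored  = sanitizeUploadClass($submitted, $allowed);  // "" : nothing survives
var_dump($stored);
var_dump(sanitizeUploadClass($stored, $allowed) === $stored);  // true: idempotent
var_dump(isUploadAllowed('shell.php', $stored));               // false
var_dump(isUploadAllowed('photo.jpg', sanitizeUploadClass('jpg,png', $allowed))); // true
```

The point of `sanitizeUploadClass` being idempotent is exactly the bug above: a filter that can produce a different result on its second application is a filter an attacker can pre-image.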
Backend arbitrary file deletion
In template file management and in database restore:
public function del() {
    $id = admin_gxl_url_repalce(str_replace('*', '.', trim($_GET['id'])));
    //die($id);
    if (!substr(sprintf("%o", fileperms($id)), -3)) {
        $this->error('No delete permission!');
    }
    @unlink($id);
    if (!empty($_SESSION['template_jumpurl'])) {
        $this->assign("jumpurl", $_SESSION['template_jumpurl']);
    } else {
        $this->assign("jumpurl", '?s=admin/template/show');
    }
    $this->success('Delete file succeeded!');
}
There is no filtering, so any file can be deleted.
Arbitrary file download
GET /index.php?s=admin-data-down-id-20170805_2978_1.sql HTTP/1.1
public function down() {
    $filepath = DATA_PATH . '_bak/' . $_GET['id'];
    //die($filepath);
    if (file_exists($filepath)) {
        $filename = $filename ? $filename : basename($filepath);
        $filetype = trim(substr(strrchr($filename, '.'), 1));
        $filesize = filesize($filepath);
        header('Cache-Control: max-age=31536000');
        header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 31536000) . ' GMT');
        header('Content-Encoding: none');
        header('Content-Length: ' . $filesize);
        header('Content-Disposition: attachment; filename=' . $filename);
        header('Content-Type: ' . $filetype);
        readfile($filepath);
        exit;
    } else {
        $this->error('Error, no sub-volume file found!');
    }
}
Again the constructed path is not filtered, so "..\" sequences in id traverse out of the _bak directory.
Arbitrary file read
Capture the request when adding an ad in the backend:
// post-insert hook
public function _after_insert() {
    $array = $_POST;
    var_dump($array);
    //die('./' . C('admin_ads_file') . '/' . $array['ads_name'] . '.js');
    write_file('./' . C('admin_ads_file') . '/' . $array['ads_name'] . '.js', t2js(stripslashes(trim($array['ads_content']))));
    $this->success('Add ad slot succeeded!');
}
There is no filtering on the name, and the JS file is written into the template\gxlcms directory.
The edit function in template management:
public function add() {
    $filename = admin_gxl_url_repalce(str_replace('*', '.', trim($_GET['id'])));
    if (empty($filename)) {
        $this->error('template name cannot be empty!');
    }
    $content = read_file($filename);
    $this->assign('filename', $filename);
    $this->assign('content', htmlspecialchars($content));
    // ... rest of the method not shown in the original
}
You can traverse directories to read any file, but unfortunately the writable set is hardcoded: only files in the whitelist can be modified, so this cannot be turned into a getshell.
I tried generating tt/2.js and then accessing tt, but directory traversal is not possible there.
Arbitrary file download
The cause is the same as above: no filtering.
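The del(), down(), add() and _after_insert() methods above all build a filesystem path from a request parameter and never check where it ends up. As an added example (not GxlCMS code), here is one containment check that covers the delete, download and read cases, plus a name check for the ads JS write, where the target file does not exist yet and so cannot be resolved with realpath(). The directory layout and the scratch files are constructed for the demonstration.

```php
<?php
// Added example, not code from GxlCMS.
// Resolve $userPath relative to $baseDir and return the real path only if
// the resolved file lies strictly below $baseDir; otherwise return false.
function resolveInside($baseDir, $userPath) {
    $base = realpath($baseDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return false;               // nonexistent, or traversal into nothing
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;               // resolved outside the base directory
    }
    return $target;
}

// For files about to be created (the ads JS write) validate the name itself:
// a fixed character class leaves no room for separators or ".." at all.
function safeAdsName($name) {
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name) === 1 ? $name : false;
}

// Constructed scratch layout: <tmp>/gxl_demo_<pid>/_bak/<backup>.sql
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gxl_demo_' . getmypid();
$bak  = $root . DIRECTORY_SEPARATOR . '_bak';
mkdir($bak, 0700, true);
file_put_contents($bak . DIRECTORY_SEPARATOR . '20170805_2978_1.sql', '-- constructed backup');
file_put_contents($root . DIRECTORY_SEPARATOR . 'config.php', '<?php // constructed');

// The id from the write-up's request resolves to a file under _bak: allowed.
var_dump(resolveInside($bak, '20170805_2978_1.sql') !== false);   // true
// A traversal to the sibling config.php resolves outside _bak: refused.
var_dump(resolveInside($bak, '..' . DIRECTORY_SEPARATOR . 'config.php')); // false
// Ads names: plain identifiers pass, anything with separators is refused.
var_dump(safeAdsName('banner_top'));   // "banner_top"
var_dump(safeAdsName('../x'));         // false

// Clean up the scratch files.
unlink($bak . DIRECTORY_SEPARATOR . '20170805_2978_1.sql');
unlink($root . DIRECTORY_SEPARATOR . 'config.php');
rmdir($bak);
rmdir($root);
```

Applied to the code above: down() would pass `$_GET['id']` through resolveInside(DATA_PATH . '_bak', ...) and refuse on false, del() and add() would do the same against the template directory, and _after_insert() would refuse any ads_name that safeAdsName() rejects. Checking the resolved path rather than stripping "../" from the input matters because, as the upload filter on this same page shows, stripping is easy to get wrong.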
GxlCMS: time-based blind SQL injection + backend arbitrary file delete/read/download + getshell