Gxlcms time Blind + background Any file delete read download +getshell

Foreground SQL Time Blind

At the front desk work rating

Lib\home\action/commaction. class. php

Line 56th

        $ting _id $_get ["id"];

Line 133th

            $ting _gold $mod->where ("ting_id= '$ting _id'")->getfield ("Ting_gold");

resulting in a time blind due to ambiguous echoes

Backstage Getshell

Background attachment settings

Fuzz Process input PHP is filtered to empty so phphpp will become PHP after submission

Track to \lib\admin\action\adminaction.class.php

$config Trim (str_replace(arraystrtolower($config["Upload_class"]), ",");

Grab the bag, track it, find the same action.

$upload _class Str_replace (arraystrtolower(C ("Upload_class"));         Var_dump (strtolower(C ("Upload_class")));

The place of the attachment configuration is replaced once and then written into the config.php here from the config.php to be read out of the time to replace it, so in the place of the attachment set up a plan to construct a two-time replacement is the PHP suffix

I'm using ptxtptxthtxtptxthtxtp here.

Replacement is pphphp

Replacement twice is PHP

Delete any files in the background

Where template files are managed and where the database is restored

    Public functiondel () {$id= Admin_gxl_url_repalce (Str_replace(‘*‘,‘.‘,Trim($_get[' ID ']))); //Die ($id);        if(!substr(sprintf("%o",fileperms($id)),-3)){            $this->error (' No delete permission! ‘); }        @unlink($id); if(!Empty($_session[' Template_jumpurl '])) {            $this->assign ("Jumpurl",$_session[' Template_jumpurl ']); }Else{            $this->assign ("Jumpurl", '? S=admin/template/show ')); }        $this->success (' Delete file succeeded! ‘); }

No filtering can delete any file

Download any File

Get/index.php?s=admin-data-down-id-20170805_2978_1.sql http/1.1

     Public functionDown () {$filepath= Data_path. ' _bak/'.$_get[' ID ']; //Die ($filepath);        if(file_exists($filepath)) {            $filename=$filename?$filename:basename($filepath); $filetype=Trim(substr(STRRCHR($filename, '. '), 1)); $filesize=filesize($filepath); Header(' cache-control:max-age=31536000 '); Header(' Expires: '.gmdate(' d, D M Y h:i:s ', Time() + 31536000). ' GMT '); Header(' Content-encoding:none '); Header(' Content-length: '.$filesize); Header(' Content-disposition:attachment; Filename= '.$filename); Header(' Content-type: '.$filetype); ReadFile($filepath); Exit; }Else{            $this->error (' Error, no sub-volume file found! ‘); }    }

There is still no filter structure when using \ \. \\.. \ \ Cross Directory

Arbitrary file read

Background to add ads to the place to grab the bag

    //Post-Operation     Public function_after_insert () {$array=$_post; Var_dump($array); //Die ('./'. C (' Admin_ads_file '). ' /'. $array [' Ads_name ']. '. JS ');Write_file ('./'. C (' Admin_ads_file '). ' /‘.$array[' Ads_name ']. JS ', T2js (stripslashes(Trim($array[' Ads_content '])))); $this->success (' Add AD bit success! ‘); }

There is no filter to write JS files in the Template\gxlcms directory

Edit point edits where template management is available

     Public functionAdd () {$filename= Admin_gxl_url_repalce (Str_replace(‘*‘,‘.‘,Trim($_get[' ID ']))); if(Empty($filename)) {            $this->error (' template name cannot be empty! ‘); }        $content= Read_file ($filename); $this->assign (' filename ',$filename); $this->assign (' content ',Htmlspecialchars($content)); 

You can jump to the directory to read any file, but it's a pity that he's dead. Only the files in the whitelist can be modified so they can't be getshell.

Attempt to generate tt/2.js and then Access TT cannot be directory traversal

Download any File

This is the same as the reason for the formation of the above, no filtration.

Gxlcms time Blind + background Any file delete read download +getshell