No restrictions on getshell at the front end of the latest version of Feifei Film

No restrictions on getshell at the front end of the latest version of Feifei Film

No restrictions on getshell v2.9

Any file contains:



Demo site test:


 

Code Analysis: myaction. class. php

<?phpclass MyAction extends HomeAction{    public function show(){$id = !empty($_GET['id'])?$_GET['id']:'new';echo $id;echo '1111111111111111111111111111';$this->display('my_'.trim($id));echo $id;echo '11111111111111111111111';}}?>

$ Id variable comes from get and is then passed to the display function. The first parameter of display is the Template Name.



Trace the display function. There are many procedures. Finally, the fetch function is passed as follows: view. class. php
 

Public function fetch ($ templateFile = '', $ charset ='', $ contentType = '', $ display = false) {// die ('errorcode '); echo 'fetch'; G ('_ viewstarttime'); // use the null parameter as the Template Name to directly return if (null = $ templateFile) return without any output; // webpage character encoding if (empty ($ charset) $ charset = C ('default _ charset'); if (empty ($ contentType )) $ contentType = C ('tmpl _ CONTENT_TYPE '); header ("Content-Type :". $ contentType. "; charset = ". $ charset); header ("Cache-c Ontrol: private "); // supports page Jump header (" X-Powered-By: ThinkPHP ". THINK_VERSION); // page cache ob_start (); ob_implicit_flush (0); // automatically locates the template file echo $ templateFile; // edit by test // die (); echo file_exists_case ($ templateFile); if (! File_exists_case ($ templateFile) echo '000000'; // echo $ templateFile. 'code'; // edit by test $ templateFile = $ this-> parseTemplateFile ($ templateFile); $ engine = strtolower (C ('tmpl _ ENGINE_TYPE ')); echo $ engine; if ('php' ==$ engine) {// The template array variable is decomposed into an independent variable extract ($ this-> tVar, EXTR_OVERWRITE ); // directly load the PHP template include $ templateFile;} elseif ('think' ===$ engine & $ this-> checkCache ($ templateFile )) {// If the Think template engine is used and the cache effectively breaks down variables and loads the template cache extract ($ this-> tVar, EXTR_OVERWRITE ); // load the template CACHE file // include C ('cache _ path '). md5 ($ templateFile ). C ('tmpl _ CACHFILE_SUFFIX ');} else {// The Template file needs to be re-compiled to support third-party Template engines // call the Template engine for parsing and outputting $ className = 'template '. ucwords ($ engine); require_cache (THINK_PATH. '/Lib/Think/Util/Template /'. $ className. '. class. php '); $ tpl = new $ className; $ tpl-> fetch ($ templateFile, $ this-> tVar, $ charset);} $ this-> templateFile = $ templateFile; // get and clear the cache $ content = ob_get_clean (); // Replace the template content with $ content = $ this-> templateContentReplace ($ content ); // layout template parsing $ content = $ this-> layout ($ content, $ charset, $ contentType); // output template file return $ this-> output ($ content, $ display );}/**

We need to continue with the fetch function of the template class here.

// The Template file needs to be re-compiled to support third-party Template engines // call the Template engine to parse and output $ className = 'template '. ucwords ($ engine); require_cache (THINK_PATH. '/Lib/Think/Util/Template /'. $ className. '. class. php '); $ tpl = new $ className; $ tpl-> fetch ($ templateFile, $ this-> tVar, $ charset );

The fetch function of the template class finally calls the load function, which contains the $ id variable found at the beginning.

Load function, directly include.
 

Public function load ($ templateFile, $ templateVar, $ charset) {$ this-> tVar = $ templateVar; $ templateCacheFile = $ this-> loadTemplate ($ templateFile ); // The template array variables are decomposed into independent variables extract ($ templateVar, EXTR_OVERWRITE); // load the template cache file include $ templateCacheFile ;}

Solution:

Filter