cmseasy xss+csrf getshell

lib/tool/front_class.php [php]
// Request-normalisation constructor (excerpt; the '......' markers are code the
// page author omitted). It rejects quote characters in the username fields,
// slash-escapes GPC input when magic quotes are off, then applies a per-key
// filter to $_GET only. $_POST is copied into self::$post with nothing but the
// slash-escaping applied — that asymmetry is the point of this page.
function __construct() {
    // Hard stop if a single or double quote appears in the username sent via
    // POST, GET or the login_username cookie.
    if(preg_match('/(\'|")/', $_POST['username']) || preg_match('/(\'|")/', $_GET['username']) || preg_match('/(\'|")/', $_COOKIE['login_username'])){
        exit('非法参数');
        ......
    // daddslashes() is defined elsewhere; presumably an addslashes()-style
    // escape of quotes/backslashes, which leaves '<', '>' and '&' untouched — verify.
    if (!MAGIC_QUOTES_GPC) {
        $_GET = daddslashes($_GET);
        $_POST = daddslashes($_POST);
        $_COOKIE = daddslashes($_COOKIE);
    }
    // Only when GPC=OFF is cross-site code filtered; when it is ON nothing is filtered.
    // 'dfile' is set aside, HTML-escaped, and restored after the loop, so it
    // bypasses the generic key/value filter below.
    $dfile = htmlspecialchars($_GET['dfile']);
    foreach ($_GET as $key=>$value) {
        unset($_GET[$key]);
        // These five keys are passed through with their value untouched.
        if ($key == 'host'||$key == 'ftpip'||$key == 'request'||$key == 'notify_id'||$key == 'real_name') {
            $_GET[$key]=$value;
            continue;
        }
        // Truncate the key at its first character outside [A-Za-z0-9_-].
        $key=preg_replace('/[^\w-].*/','',$key);
        if ($key == 'tag'||$key == 'keyword') {
            // Search-style parameters: drop tags, turn spaces into '+', and reject
            // the word "union" and both quote characters. This is a SQL-oriented
            // denylist; it says nothing about HTML output contexts.
            $value=strip_tags(urldecode($value));
            $value=str_replace(' ','+',$value);
            if(preg_match('/union/i',$value) || preg_match('/"/i',$value) ||preg_match('/\'/i',$value)){
                exit('非法参数');
            }
        } else
            // Every other GET value is truncated at its first character outside [\w-].
            $value=preg_replace('/[^\w-].*/','',$value);
        $_GET[$key]=$value;
    }
    self::$get=$_GET;
    // POST receives none of the per-key filtering above: only the 'username'
    // quote check and the slash-escaping apply, so HTML markup in any other POST
    // field reaches the application verbatim. Whatever stores or renders those
    // values must do its own context-specific escaping.
    self::$post=$_POST;
    // GET is filtered heavily; POST only has single and double quotes filtered.
    self::$get['dfile'] = $dfile;
    ......
}
[/php]
lib/default/archive_act.php [php]
// Order-submission action (excerpt). Reads the article id from GET and, on a
// submitted form, rate-limits, requires a phone number, stamps server-side
// fields, then inserts the whole front::$post array as one order row.
function orders_action() {
    $this->view->aid = trim(front::get('aid'));
    if (front::post('submit')) {
        $this->orders = new orders();
        // Latest order fetched with an empty condition — presumably the newest
        // order overall, not this client's, making the rate limit below global;
        // confirm getrow("", ...) semantics.
        $row = $this->orders->getrow("","adddate DESC");
        //var_dump(time());
        if($row['adddate'] && time() - $row['adddate'] <= intval(config::get('order_time'))){
            alerterror('操作频繁,请稍后再试');
            return;
        }
        if (front::$post['telphone'] == '') {
            alerterror('联系电话为必填!');
            return;
        }
        // Server-controlled fields: member id (0 when anonymous), timestamp, client IP.
        front::$post['mid'] = $this->view->user['userid'] ? $this->view->user['userid'] : 0;
        front::$post['adddate'] = time();
        front::$post['ip'] = front::ip();
        if (isset(front::$post['aid'])) {
            // Multi-item form: flatten the submitted aid list and the matching
            // thisnum quantities into comma-separated strings. 'aid' is unset and
            // then appended to, and thisnum[$val] is read without isset(), so a
            // non-array aid or a missing quantity raises a warning/notice here.
            $aidarr = front::$post['aid'];
            unset(front::$post['aid']);
            foreach ($aidarr as $val) {
                front::$post['aid'].=$val . ',';
                front::$post['pnums'].=front::$post['thisnum'][$val] . ',';
            }
        } else {
            front::$post['aid'] = $this->view->aid;
        }
        if (!isset(front::$post['logisticsid'])) front::$post['logisticsid'] = 0;
        front::$post['oid'] = date('YmdHis') . '-' . front::$post['logisticsid'] . '-' . front::$post['mid'] . '-' . front::$post['payname'];
        // Mass assignment: every POST key, not only the order fields named above,
        // is handed to rec_insert(). Beyond the quote slash-escaping done in
        // front_class.php nothing is applied, so free-text fields such as the
        // unit/company name are stored with any HTML intact. Mitigation: an
        // explicit column whitelist here, and htmlspecialchars() wherever the
        // stored order is rendered (the admin view is not shown on this page).
        $insert = $this->orders->rec_insert(front::$post);
        // Inserted directly into the database without filtering.
        ......
}
[/php]
访问http://localhost/index.php?case=archive&act=orders&aid=1 在单位名称里插入跨站代码 [php]