OSA运维管理系统前台GETSHELL

这个系统在外网应该用得比较少，一次在某内网碰到了就顺手读了下代码，废话不多说了。

漏洞点在 /controllers/maintain.php 第 221 行的 saveconfig()：

[php]
/controllers/maintain.php (221) :
public function saveconfig(){
    $mon_detail = $this->model->getDevinfoByid($_GET['id']);
    $data['ip']=$ip=$mon_detail[0]['oIp'];
    if(isset($_POST['ctext']) && isset($_POST['cfilename'])){
        $sendstr = 'saveconfigfile';
        $cname = $_POST['cfilename'];
        $avgstr = "{\"$sendstr\":\"$cname\"}";
        file_put_contents($cname,$_POST['ctext']); //你懂 逗比写法..
        $r_list = osa_system_rum_cmd($ip,$avgstr);
        //省略.................
    }
}
}
[/php]

几点说明：写入的文件名 $cname 和内容 $_POST['ctext'] 都直接取自 POST，file_put_contents() 之前没有任何路径、目录或后缀限制，这段代码里也看不到鉴权（如果有也在别处），所以本质上是一个前台任意文件写入。此外 $cname 还被原样拼进了传给 osa_system_rum_cmd() 的 JSON 字符串，该函数的实现文中没有贴出，是否有进一步的问题这里不做结论。

到这里你们以为就可以 getshell 了吗？你们也太天真了！我都看不过眼了：全局入口一开始就会对 POST 做一遍过滤，尖括号会被转义掉。读下面这段代码时注意几点：这个循环只遍历 $_POST，$_GET 在这里没有处理，saveconfig() 里的 $_GET['id'] 是否在别处过滤从本文看不出来；is_numeric 的值经 get_int() 原样返回；字符串走 get_str()，真正生效的是 addslashes()（magic_quotes 关闭时）加 htmlspecialchars()，调用 htmldecode() 的那一行已经被注释掉、实际并未执行；而数组分支（注释原话"是数组也不处理"）完全不做处理直接透传——file_put_contents() 的内容参数本身是接受数组的，这一点值得留意。另外下面贴出的 htmldecode() 里大量 str_replace() 看起来是把一个字符串替换成它自己，应该是原文里的 HTML 实体被博客渲染时解码掉了，这部分以实际源码为准。看代码：

[php]
lib/osa_security.inc.php (16) :
foreach ($_POST as $post_key=>$post_var) {
    if (is_numeric($post_var)) {
        $post[$post_key] = get_int($post_var); //是数字不处理
    } else if(is_string($post_var)){
        $post[$post_key] = get_str($post_var); //是字符就处理你!
    }else if(is_array($post_var)){ //是数组也不处理
        $post[$post_key] = $post_var;
    }
}
//$_POST = ($_GET['menu'] == 'serverconfig') ? $_POST : $post;
$_POST = $post ;

function get_int($number) {
    //return intval($number);
    return $number;
}

function get_str($string) {
    //return htmldecode(addslashes($string));
    if(get_magic_quotes_gpc() == 0){
        $string = addslashes($string);
    }
    return htmlspecialchars($string);
}

function htmldecode($str) {
    if(empty($str)) return;
    if($str=="") return $str;
    //$str=htmlspecialchars($str);
    $str=str_replace("&",chr(34),$str);
    $str=str_replace(">",">",$str);
    $str=str_replace("<","<",$str);
    $str=str_replace("&","&",$str);
    $str=str_replace(" ",chr(32),$str);
    $str=str_replace(" ",chr(9),$str);
    $str=str_replace("'",chr(39),$str);
    $str=str_replace("",chr(13),$str);
    $str=str_replace("''","'",$str);
    $str=str_replace("select","select",$str);
    $str=str_replace("join","join",$str);
    $str=str_replace("union","union",$str);
    $str=str_replace("where","where",$str);
    $str=str_replace("insert","insert",$str);
    $str=str_replace("delete","delete",$str);
    $str=str_replace("update","update",$str);
    $str=str_replace("like","like",$str);
    $str=str_replace("drop","drop",$str);
    $str=str_replace("create","create",$str);
    $str=str_replace("modify","modify",$str);
    $str=str_replace("rename","rename",$str);
    $str=str_replace("alter","alter",$str);
    $str=str_replace("cas","cast",$str);
    $farr = array(
        "/\s+/" , //过滤多余的空白
        "/<(\/?)(img|script|i?frame|style|html|body|title|link|meta|alert|window\?|\%)([^>]*?)>/isU" , //过滤