https://qiqingshiwo.github.io/2020/03/16/DolphinPHP 全版本后台代码执行漏洞/
修改日志规则
随便传一个图片
在附件管理点启用抓包
whoami就是你想要执行的命令
漏洞代码如下(往上追溯调用即可找到 action_log 函数):日志规则中形如 [字段|函数名] 的占位符被拆开后,函数名未经任何白名单校验就直接传给了 call_user_func。
/**
 * Record an action log entry (excerpt: the "..." lines mark code the write-up left out).
 *
 * The visible part loads the action record and expands the [placeholder] tokens found in
 * its log rule into a list of replacement values for the log remark.
 *
 * SECURITY: a token of the form [field|callable] lets the rule text choose which PHP
 * callable is invoked (see the call_user_func() line below). The rule is read from the
 * action record, and the write-up states that log rules can be modified from the admin
 * backend, so whoever can edit a rule can have the server call any PHP callable by name
 * with one of the $log values as its argument.
 *
 * @param mixed $action    Action name, passed to getByName() to load the action record.
 * @param mixed $model     Exposed to the rule as the "model" field.
 * @param mixed $record_id Exposed to the rule as the "record" field.
 * @param mixed $user_id   Exposed to the rule as the "user" field.
 * @param mixed $details   Exposed to the rule as the "details" field.
 */
function action_log($action = null, $model = null, $record_id = '', $user_id = null, $details = '')
{
...
// Look up the action record to decide whether to proceed.
// NOTE(review): $module is not assigned in the visible lines; presumably set in the omitted code above.
$action_info = model('admin/action')->where('module', $module)->getByName($action);
...
// Parse the log rule and build the log remark.
if(!empty($action_info['log'])){
// Collect every [token] in the rule; a token is any run of non-whitespace between brackets.
if(preg_match_all('/\\[(\\S+?)\\]/', $action_info['log'], $match)){
// Values a token may reference by field name.
$log = [
'user' => $user_id,
'record' => $record_id,
'model' => $model,
'time' => request()->time(),
'data' => ['user' => $user_id, 'model' => $model, 'record' => $record_id, 'time' => request()->time()],
'details' => $details
];
$replace = [];
foreach ($match[1] as $value){
// Token syntax is "field" or "field|callable".
$param = explode('|', $value);
if(isset($param[1])){
// SECURITY: $param[1] comes straight from the stored rule text and is invoked as a
// callable with no allowlist. Map it through a fixed table of known formatter
// functions and reject anything else before calling.
// NOTE(review): $param[0] is not checked against the keys of $log either.
$replace[] = call_user_func($param[1], $log[$param[0]]);
}else{
$replace[] = $log[$param[0]];
}
}
...
}