随缘找了一个cms,那就开干呗
image.png
几乎所有文件都包含了do/global.php,而global.php中包含有/inc/common.inc.php。
# common.inc.php
$_POST=Add_S($_POST);
$_GET=Add_S($_GET);
$_COOKIE=Add_S($_COOKIE);
function Add_S($array){
foreach($array as $key=>$value){
if(!is_array($value)){
$value=str_replace("&#x","& # x",$value); //过滤一些不安全字符
$value=preg_replace("/eval/i","eva l",$value); //过滤不安全函数
!get_magic_quotes_gpc() && $value=addslashes($value);
$array[$key]=$value;
}else{
$array[$key]=Add_S($array[$key]);
}
}
return $array;
}
if(!ini_get('register_globals')){
@extract($_FILES,EXTR_SKIP);
}
foreach($_COOKIE AS $_key=>$_value){
unset($$_key);
}
foreach($_POST AS $_key=>$_value){
!ereg("^\\_[A-Z]+",$_key) && $$_key=$_POST[$_key];
}
foreach($_GET AS $_key=>$_value){
!ereg("^\\_[A-Z]+",$_key) && $$_key=$_GET[$_key];
}
这里对get、post的输入都做了转义,也实现了全局注册(这里很大隐患,待会见)
在/member/userinfo.php
function filtrate($msg){
//$msg = str_replace('&','&',$msg);
//$msg = str_replace(' ',' ',$msg);
$msg = str_replace('"','"',$msg);
$msg = str_replace("'",''',$msg);
$msg = str_replace("<","<",$msg);
$msg = str_replace(">",">",$msg);
$msg = str_replace("\\t"," ",$msg);
//$msg = str_replace("\\r","",$msg);
$msg = str_replace(" "," ",$msg);
return $msg;
}
这里传入的参数经过了filtrate过滤,将一些特殊字符转化为字符实体,看起来防御很稳。
function replace_bad_word($str){
global $Limitword;
@include_once(ROOT_PATH."data/limitword.php");
foreach( $Limitword AS $old=>$new){
strlen($old)>2 && $str=str_replace($old,trim($new),$str);
}
return $str;
}
# data/limitword.php
<?php
$Limitword['造反']='造**';
$Limitword['法轮功']='法**功';
经过filtrate过滤之后还替换了一些“不健康”的字,不健康的字就两个(并没有禁x赌毒),这里的str_replace()里面的两个变量是我们可控的,因为实现了全局注册。
//修改用户任意信息
function edit_user($array) {
if(!$array[username]){
$rs = $this->get_info($array[uid]);
if(!$rs[username]){
return ;
}
$array[username] = $rs[username];
}
$this->edit_passport($array);
$fieldArry=table_field("{$this->pre}memberdata");
foreach($array AS $key=>$value){
if($key=='uid'||$key=='password'||$key=='username'||!in_array($key,$fieldArry)){
continue;
}
$sqlDB[]="`{$key}`='$value'";
}
if($sqlDB){
$this->db->query("UPDATE {$this->pre}memberdata SET ".implode(",",$sqlDB)." WHERE username='$array[username]'");
}
}
//仅修改通行证邮箱与密码
function edit_passport($array) {
global $webdb;
if( $webdb[emailOnly]&&$array[email] ){
$r=$this->check_emailexists($array[email]);
if($r && $r[username]!=$array[username]){
showerr("当前邮箱存在了,请更换一个!");
}
}
if(eregi("^pwbbs",$webdb[passport_type])){
if($array[password]){
$array[password] = md5($array[password]);
$sql[]="password='$array[password]'";
}
if($array[email]){
$sql[]="email='$array[email]'";
}
if($sql){
$this->db->query("UPDATE {$webdb[passport_pre]}members SET ".implode(",",$sql)." WHERE username='$array[username]' ");
return 1;
}
}elseif(defined("UC_CONNECT")){
$rs = uc_user_edit($array[username] , '' , $array[password] , $array[email] , 1 );
return $rs;
}else{
if($array[password]){
$array[password] = md5($array[password]);
$this->db->query("UPDATE {$this->pre}members SET password='$array[password]' WHERE username='$array[username]' ");
return 1;
}
}
}