前几天90SEC群里有人说读读这套系统的代码
这几天正好在做这方面的视频,就顺手读了读
本地文件包含:
/install.php
@error_reporting(E_ALL ^ E_NOTICE);
// NOTE(review): On is unquoted, so it is an undefined constant rather than the string 'On'; the @ hides the notice
@ini_set("display_errors",On);
@ini_set('memory_limit', '128M');
ini_set("register_globals", 0);
ini_set("magic_quotes_gpc" , 0);
// PHP 5-era call; set_magic_quotes_runtime() no longer exists in PHP 7+
set_magic_quotes_runtime(0);
define("ROOT",dirname(__FILE__).DIRECTORY_SEPARATOR);
set_include_path(ROOT.PATH_SEPARATOR.ROOT.'library'.PATH_SEPARATOR. ROOT.'application/controllers'.PATH_SEPARATOR. ROOT.'application/Models/'.PATH_SEPARATOR.get_include_path());
header("Content-Type:text/html;charset=gb2312");
// First, $mod is taken from the request here: only trim() is applied, and nothing restricts it to the
// step names the switch below handles before that switch builds a require_once() path from it
$mod = trim($_GET['mod']) ? trim($_GET['mod']) : "setup_1";
$GLOBALS['succeed'] = true;
switch($mod) {
    case "setup_4":
        $error = false;
        $array = null;
        // Database settings come straight from the POST body; trim() is the only processing applied
        $array['dbhost'] = trim($_POST['dbhost']);
        $array['dbname'] = trim($_POST['dbname']);
        $array['dbuser'] = trim($_POST['dbuser']);
        $array['dbpass'] = trim($_POST['dbpass']);
        $array['tblpre'] = trim($_POST['tblpre']);
        if (! ($conn = @mysql_connect($array['dbhost'],$array['dbuser'], $array['dbpass']))) {
            $error = mysql_error();
        }else{
            // dbname is concatenated into the statement with no escaping beyond the surrounding backticks
            if (!mysql_query("CREATE DATABASE IF NOT EXISTS `".$array['dbname']."`")) {
                $error = "创建数据库失败!您可能没有权限!".mysql_error();
            }
            if ( !@mysql_select_db($array['dbname'], $conn)) {
                $error.= mysql_error();
            }else{
                $filepath = ROOT.'config/database.inc.php';
                $text =file_get_contents($filepath);
                // NOTE(review): the pattern and replacement below look like they lost their backslashes when
                // pasted — compare with the original file. Each POSTed $value is written into the PHP config
                // file inside single quotes without any escaping.
                foreach ($array as $key=>$value){
                    $text = preg_replace("/[$]database['$key'](s+)=(.+?);/$is", "$database['$key']$1= '".$value."';",$text);
                }
                // The handle from fopen() is never fclose()d in this branch
                $fp = fopen($filepath, "w");
                if (fwrite($fp, $text)===false) {
                    $error = "写入配置文件".$filepath."失败";
                }
                unset($text);
            }
        }
        if ($error) {
            $mod = "setup_3";
        }
        // dbname is again concatenated into SQL unescaped; errors are suppressed with @
        $result = @mysql_query("SHOW TABLES FROM ".$array['dbname']);
        while($rs = @mysql_fetch_array($result)) {
            $tablearray[] = $rs[0];
        }
        if (is_array($tablearray)){
            if (array_search($array['tblpre']."admin", $tablearray)!==false) {
                $error = "<li><font color=red>系统已经被安装过秀影vodcms系统!继续安装会清空已有数据!</font></li>";
                $errorjs = "onclick="return confirm('系统已经安装过vodcms系统!继续会清空已有数据!确认继续吗?')"";
            }
        }
        break;
    case "setup_5":
        $error = null;
        $username = trim($_POST['username']);
        // Both passwords are lower-cased and then hashed with unsalted md5 before comparison
        $password1 = md5(strtolower(trim($_POST['password1'])));
        $password2= md5(strtolower(trim($_POST['password2'])));
        if ($password1 != $password2) {
            $error = "两次密码输入不一致!";
        }
        if ($error) {
            $mod = "setup_4";
        }
        break;
    // (author's note) Right here it gets included directly; as for %00, let's just say you know, I know, everyone knows
    // NOTE(review): the include path is built from the request-controlled $mod set at the top of the file;
    // checking $mod against an allowlist of the step names this switch handles would close this
    case 'succeed':
        require_once("install/$mod.php");
        exit;
        break;
数据库覆盖安装:
case 'succeed': require_once("install/$mod.php"); exit;
引起了我的注意
// NOTE(review): as the write-up points out, ROOT is not defined in this file as pasted; the @ hides the
// notice and file_exists() presumably tests a relative "ROOTcache/install.lock" path instead of the real
// lock, so this branch runs on every request. Note also that the lock written further down is
// config/install.lock, not the cache/install.lock path tested here.
if (@file_exists(ROOT."cache/install.lock")==false){
    require (ROOT.'library/loader.php');
    require ROOT.'application/global.func.php';
    include ROOT."config/database.inc.php";
    include ROOT."config/license.php";
    Easy_Db::Connect($database);
    $DB = Easy_Db::getInstance();
    // Admin credentials are read from the query string; only strtolower()/trim() are applied.
    // The password is stored as received — no hashing happens in this file.
    $array['username'] = trim(strtolower($_GET['username']));
    $array['password'] = trim(strtolower($_GET['password']));
    $array['group'] = '超级管理员';
    $IO = new Easy_Filesystem();
    // NOTE(review): PHP_SELF can carry client-supplied path info and the result is written into config.inc.php — confirm it is sanitised elsewhere
    $path = str_replace(strrchr($_SERVER['PHP_SELF'],"/"),"",$_SERVER['PHP_SELF'])."/";
    $text = $IO->getContent(ROOT."config/config.inc.php");
    // NOTE(review): both replacements target $config['basedir']; the second one looks like it was meant
    // for 'createuser'. The pattern strings also appear to have lost their backslashes when pasted.
    $text = preg_replace("/$config['basedir'](s+)=(.+?);/is","$config['basedir']$1= "$path";",$text);
    $text = preg_replace("/$config['createuser'](s+)=(.+?);/is","$config['basedir']$1= "".$array['username']."";",$text);
    $IO->wfile(ROOT."config/config.inc.php", $text);
    unset($text);
    if ($array['username']){
        $sqlline = $IO->getContent(ROOT."install/vodcms.sql");
        // Falls back to fetching the schema over plain HTTP from the vendor site and running it as-is
        if (empty($sqlline)) {
            $sqlline = $IO->getContent("http://www.vodcms.com/install/vodcms.txt");
        }
        runquery($sqlline);
        // Lock file is written to config/install.lock (the check above looks at cache/install.lock)
        $fp = @fopen(ROOT.'config/install.lock', 'w');
        @fwrite($fp, 'vodcms_install_6.0.3');
        @fclose($fp);
        @unlink(ROOT.'install.php');
        $DB->insert($database['tblpre'].'admin', $array);
        echo '建立管理员成功';
    }else{
        exit('请填写用户名以及登陆密码');
    }
}else{?>
有人觉得，这代码写得没错啊，很好很强大啊。
好吧。其实我也觉得。
但是仔细看看他写的代码：这个 if 里用到的 ROOT 常量压根就没定义啊！
没定义就相当于直接报错了，但是他用 @ 把错误屏蔽了：未定义的常量会被当成字符串 "ROOT" 去拼路径，file_exists() 自然找不到这个文件而返回 false，所以这个 if 的条件永远都等于“真”。
所以说才会执行“真”的代码段。也就是
// Body of the always-taken "not installed" branch: ROOT is not defined in this file, so every
// ROOT.'...' path below is presumably a relative "ROOT..." string rather than the real install root.
require (ROOT.'library/loader.php');
require ROOT.'application/global.func.php';
include ROOT."config/database.inc.php";
include ROOT."config/license.php";
Easy_Db::Connect($database);
$DB = Easy_Db::getInstance();
// Admin credentials are read from the query string; only strtolower()/trim() are applied.
// The password is stored as received — no hashing happens here.
$array['username'] = trim(strtolower($_GET['username']));
$array['password'] = trim(strtolower($_GET['password']));
$array['group'] = '超级管理员';
$IO = new Easy_Filesystem();
// NOTE(review): PHP_SELF can carry client-supplied path info and the result is written into config.inc.php — confirm it is sanitised elsewhere
$path = str_replace(strrchr($_SERVER['PHP_SELF'],"/"),"",$_SERVER['PHP_SELF'])."/";
$text = $IO->getContent(ROOT."config/config.inc.php");
// NOTE(review): both replacements target $config['basedir']; the second one looks like it was meant
// for 'createuser'. The pattern strings also appear to have lost their backslashes when pasted.
$text = preg_replace("/$config['basedir'](s+)=(.+?);/is","$config['basedir']$1= "$path";",$text);
$text = preg_replace("/$config['createuser'](s+)=(.+?);/is","$config['basedir']$1= "".$array['username']."";",$text);
$IO->wfile(ROOT."config/config.inc.php", $text);
unset($text);
if ($array['username']){
    $sqlline = $IO->getContent(ROOT."install/vodcms.sql");
    // Falls back to fetching the schema over plain HTTP from the vendor site and running it as-is
    if (empty($sqlline)) {
        $sqlline = $IO->getContent("http://www.vodcms.com/install/vodcms.txt");
    }
    runquery($sqlline);
    // Lock file goes to config/install.lock, which is not the cache/install.lock path the guard checks
    $fp = @fopen(ROOT.'config/install.lock', 'w');
    @fwrite($fp, 'vodcms_install_6.0.3');
    @fclose($fp);
    @unlink(ROOT.'install.php');
    // Inserts the GET-supplied username/password as a '超级管理员' row
    $DB->insert($database['tblpre'].'admin', $array);
    echo '建立管理员成功';
}else{
    exit('请填写用户名以及登陆密码');
}
然后succeed.php?username=08sec&password=08sec的MD5加密
然后就添加了一个管理员了。。
作者:y0umer
aaaa