下载并本地安装最新版的thinksns
来到/apps/admin/Lib/Action/ConfigAction.class.php
跟进到第2244行
问题在函数setUcenter()
设置ucenter的地方
public function setUcenter() {
// 读取文件
if ($_POST) {
if (! file_exists ( CONF_PATH . '/uc_config.inc.php' ))
touch ( CONF_PATH . '/uc_config.inc.php' );
if (! is_writable ( CONF_PATH . '/uc_config.inc.php' ))
$this->error ( CONF_PATH . '/uc_config.inc.php 文件不可写' );
if (isset ( $_POST ['ucenter_open'] ) && isset ( $_POST ['ucenter_config'] )) {
$ucopen = intval ( $_POST ['ucenter_open'] );
$content = "<?php
define('UC_SYNC', {$ucopen});
" . $_POST ['ucenter_config'];
file_put_contents ( CONF_PATH . '/uc_config.inc.php', $content );
}
$this->success ( '保存成功' );
}
$config = file_get_contents ( CONF_PATH . '/uc_config.inc.php' );
preg_match ( '/\'UC_SYNC\', ([0|1])/', $config, $match );
$uc_open = intval ( $match [1] );
$config = str_replace ( array (
"<?php",
"define('UC_SYNC', 0);",
"define('UC_SYNC', 1);"
), '', $config );
$config = trim ( $config );
$this->pageKeyList = array (
'ucenter_open',
'ucenter_config'
);
$this->opt ['ucenter_open'] = array (
1 => L ( 'PUBLIC_OPEN' ),
0 => L ( 'PUBLIC_CLOSE' )
);
$data ['ucenter_open'] = $uc_open;
$data ['ucenter_config'] = $config;
$this->savePostUrl = U ( 'admin/Config/setUcenter' );
$this->displayConfig ( $data );
}
其中
$content = "<?php
define('UC_SYNC', {$ucopen});
" . $_POST ['ucenter_config'];
和
file_put_contents ( CONF_PATH . '/uc_config.inc.php', $content );
中传入的ucenter_config是完全可控的
也就是说 我传入一个 phpinfo();?>123
就能在生成的 uc_config.inc.php 中插入phpinfo
复现流程
登陆后台---来到系统---ucenter配置---选择开启,并且插入phpinfo();?>123 ----保存
然后成功执行phpinfo
访问wwwroot/config/uc_config.inc.php 即是被插入phpinfo的文件
顺便为啥没法传图片。。。。。。
|