### Brief description:

Round two.

### Detailed description:

\srun3\web\jp.php

```php
$f = intval( $_GET['f'] );
......
$user_ip = $_GET['ip'];
if ( $user_ip == "" )
{
    if ( $fd = popen( "/srun3/bin/online_user -4 -f ".$f, "r" ) ) // this one doesn't work
    {
        $content = fread( $fd, 1024 );
        fclose( $fd );
    }
    $array = explode( "\t", $content );
    $user_login_name = $array[2];
    $user_ip = $array[3];
}
else
{
    if ( $fd = popen( "/srun3/bin/online_user -4 -i ".$user_ip, "r" ) ) // command execution here
    {
        $content = fread( $fd, 1024 );
        fclose( $fd );
    }
    $array = explode( "\t", $content );
    $user_login_name = $array[2];
    $user_ip = $array[3];
}
```

A shell can also be written, and the database dumped.

### Proof of vulnerability:

[![jp.png](https://images.seebug.org/upload/201405/252254511b676ce254130c34435ac228a0f9c1af.png)](https://images.seebug.org/upload/201405/252254511b676ce254130c34435ac228a0f9c1af.png)

[![jp1.png](https://images.seebug.org/upload/201405/2522550897ca42ee9dbf3223adc42b5cf8bff6c9.png)](https://images.seebug.org/upload/201405/2522550897ca42ee9dbf3223adc42b5cf8bff6c9.png)
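The `-f` branch is safe only because `intval()` forces `$f` to a number; the `-i` branch concatenates `$_GET['ip']` straight into the `popen()` command line. The following is an added hardened rewrite of that fragment (example code, not Srun's own). It assumes the binary path and flags shown in the report, and that `online_user` prints a tab-separated record with the login name at index 2 and the IP at index 3, as the original parsing does.

```php
<?php
// Added example: hardened version of the jp.php lookup (not Srun's code).
// Assumptions: /srun3/bin/online_user, its -4/-f/-i flags, and the tab-separated
// output layout are as shown in the report.

const ONLINE_USER_BIN = '/srun3/bin/online_user';

/**
 * Run online_user with one validated argument and return the parsed record,
 * or null if the lookup failed. The command line is built from constants plus
 * a single escapeshellarg()'d value, so no user input reaches the shell unquoted.
 */
function lookup_online_user(string $flag, string $value): ?array
{
    // Only the two flags the page uses are allowed; nothing else reaches the shell.
    if (!in_array($flag, ['-f', '-i'], true)) {
        return null;
    }
    $cmd = ONLINE_USER_BIN . ' -4 ' . $flag . ' ' . escapeshellarg($value);
    $fd = popen($cmd, 'r');
    if ($fd === false) {
        return null;
    }
    $content = fread($fd, 1024);
    pclose($fd); // handles from popen() are closed with pclose(), not fclose()
    if ($content === false || $content === '') {
        return null;
    }
    $array = explode("\t", $content);
    if (count($array) < 4) {
        return null; // unexpected output shape; do not index past the end
    }
    return ['login_name' => $array[2], 'ip' => $array[3]];
}

$f = intval($_GET['f'] ?? 0);
$user_ip = (string)($_GET['ip'] ?? '');

if ($user_ip === '') {
    $record = lookup_online_user('-f', (string)$f);
} else {
    // Reject anything that is not a literal IPv4 address before it gets near the shell.
    if (filter_var($user_ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        http_response_code(400);
        exit('invalid ip');
    }
    $record = lookup_online_user('-i', $user_ip);
}

if ($record === null) {
    http_response_code(404);
    exit('no such online user');
}
$user_login_name = $record['login_name'];
$user_ip = $record['ip'];
```

Two layers are deliberate: `filter_var(..., FILTER_VALIDATE_IP)` is the real control (an IPv4 literal cannot contain shell metacharacters), and `escapeshellarg()` is defence in depth in case the validation is later loosened. Replacing `fclose()` with `pclose()` is a separate correctness fix; the original's `fclose()` on a `popen()` handle is wrong regardless of the injection.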