利用post在Ecshop后台getshell的方法

feng 2013-01-17 2,922 ℃ 0条点评

admin/template.phpif ($_REQUEST['act'] == 'update_library')
{
check_authz_json('library_manage');
$html = stripslashes(json_str_iconv($_POST['html']));
$lib_file = '../themes/' . $_CFG['template'] . '/library/' . $_POST['lib'] . '.lbi'; //模板文件
$lib_file = str_replace("0xa", '', $lib_file); // 过滤 0xa 非法字符
$org_html = str_replace("\xEF\xBB\xBF", '', file_get_contents($lib_file));
if (@file_exists($lib_file) === true && @file_put_contents($lib_file, $html))//写出
{
@file_put_contents('../temp/backup/library/' . $_CFG['template'] . '-' . $_POST['lib'] . '.lbi', $org_html);
make_json_result('', $_LANG['update_lib_success']);
}
else
{
make_json_error(sprintf($_LANG['update_lib_failed'], 'themes/' . $_CFG['template'] . '/library'));
}
}

复制代码

那么找个比较方便调用了模板的文件
index.php

if ($act == 'cat_rec')
{
$rec_array = array(1 => 'best', 2 => 'new', 3 => 'hot');
$rec_type = !empty($_REQUEST['rec_type']) ? intval($_REQUEST['rec_type']) : '1';
$cat_id = !empty($_REQUEST['cid']) ? intval($_REQUEST['cid']) : '0';
include_once('includes/cls_json.php');
$json = new JSON;
$result = array('error' => 0, 'content' => '', 'type' => $rec_type, 'cat_id' => $cat_id);
$children = get_children($cat_id);
$smarty->assign($rec_array[$rec_type] . '_goods', get_category_recommend_goods($rec_array[$rec_type], $children)); // 推荐商品
$smarty->assign('cat_rec_sign', 1);
$result['content'] = $smarty->fetch('library/recommend_' . $rec_array[$rec_type] . '.lbi');//使用了模板文件该模板文件为recommend_best
echo 'library/recommend_' . $rec_array[$rec_type] . '.lbi';
echo $rec_array[$rec_type];
die($json->encode($result));
}