How to bypass the parameters of a PHP function?

Question  Votes: 1  Answers: 1

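I am currently writing a Python script that restores a Joomla site. It is actually based on the vulnerability published here. I suspect that the PHP script I am targeting is not supposed to be called directly. When I run my script against it, it returns: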

{"status":false,"message":"Invalid login"}

Here is the function I suspect is responsible!

// Import configuration
masterSetup();

$retArray = array(
    'status'    => true,
    'message'   => null
);

$enabled = AKFactory::get('kickstart.enabled', false);

if($enabled)
{
    $task = getQueryParam('task');

    switch($task)
    {
        case 'ping':
            // ping task - really does nothing!
            $timer = AKFactory::getTimer();
            $timer->enforce_min_exec_time();
            break;

        case 'startRestore':
            AKFactory::nuke(); // Reset the factory

            // Let the control flow to the next step (the rest of the code is common!!)

        case 'stepRestore':
            $engine = AKFactory::getUnarchiver(); // Get the engine
            $observer = new RestorationObserver(); // Create a new observer
            $engine->attach($observer); // Attach the observer
            $engine->tick();
            $ret = $engine->getStatusArray();

            if( $ret['Error'] != '' )
            {
                $retArray['status'] = false;
                $retArray['done'] = true;
                $retArray['message'] = $ret['Error'];
            }
            elseif( !$ret['HasRun'] )
            {
                $retArray['files'] = $observer->filesProcessed;
                $retArray['bytesIn'] = $observer->compressedTotal;
                $retArray['bytesOut'] = $observer->uncompressedTotal;
                $retArray['status'] = true;
                $retArray['done'] = true;
            }
            else
            {
                $retArray['files'] = $observer->filesProcessed;
                $retArray['bytesIn'] = $observer->compressedTotal;
                $retArray['bytesOut'] = $observer->uncompressedTotal;
                $retArray['status'] = true;
                $retArray['done'] = false;
                $retArray['factory'] = AKFactory::serialize();
            }
            break;

Here is masterSetup()

function masterSetup()
{
    // ------------------------------------------------------------
    // 1. Import basic setup parameters
    // ------------------------------------------------------------

    $ini_data = null;

    // In restore.php mode, require restoration.php or fail
    if(!defined('KICKSTART'))
    {
        // This is the standalone mode, used by Akeeba Backup Professional. It looks for a restoration.php
        // file to perform its magic. If the file is not there, we will abort.
        $setupFile = 'restoration.php';

        if( !file_exists($setupFile) )
        {
            // Uh oh... Somebody tried to pooh on our back yard. Lock the gates! Don't let the traitor inside!
            AKFactory::set('kickstart.enabled', false);
            return false;
        }

        // Load restoration.php. It creates a global variable named $restoration_setup
        require_once $setupFile;
        $ini_data = $restoration_setup;
        if(empty($ini_data))
        {
            // No parameters fetched. Darn, how am I supposed to work like that?!
            AKFactory::set('kickstart.enabled', false);
            return false;
        }

        AKFactory::set('kickstart.enabled', true);
    }
    else
    {
        // Maybe we have $restoration_setup defined in the head of kickstart.php
        global $restoration_setup;
        if(!empty($restoration_setup) && !is_array($restoration_setup)) {
            $ini_data = AKText::parse_ini_file($restoration_setup, false, true);
        } elseif(is_array($restoration_setup)) {
            $ini_data = $restoration_setup;
        }
    }

My question is: is it possible to bypass the parameters passed to the function and force the function to return true?

php python parameters joomla
1 Answer
0
votes

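I don't think it is always possible, but if the function parameters are taken from the HTTP request then it may be. For example, the following can be bypassed.

The following lines clear $_REQUEST, but they do not clear $_POST and $_GET, so they leave a gap for a bypass: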

if(!empty($_REQUEST))
{
    foreach($_REQUEST as $key => $value)
    {
        unset($_REQUEST[$key]);
    }
}

In my case, it simply avoids the function returning the default:

function getQueryParam( $key, $default = null )
{
    if(array_key_exists($key, $_REQUEST)) {
        $value = $_REQUEST[$key];
    } elseif(array_key_exists($key, $_POST)) {
        $value = $_POST[$key];
    } elseif(array_key_exists($key, $_GET)) {
        $value = $_GET[$key];
    } else {
        return $default;
    }
    return $value;
}
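
The gap described in the answer, next to a scrub that closes it, as an added example that is not part of the original answer or the project's code. `scrubRequestOnly`, `scrubAllInputs` and `simulateRequest` are hypothetical names, and the request data is constructed.

```php
<?php
// Added example with constructed request data; not code from the project.

// Same fallback order as getQueryParam() above: $_REQUEST, then $_POST, then $_GET.
function getQueryParam($key, $default = null)
{
    foreach (array($_REQUEST, $_POST, $_GET) as $source) {
        if (array_key_exists($key, $source)) {
            return $source[$key];
        }
    }
    return $default;
}

// The partial scrub quoted above: only $_REQUEST is emptied.
function scrubRequestOnly()
{
    foreach (array_keys($_REQUEST) as $key) {
        unset($_REQUEST[$key]);
    }
}

// Hypothetical hardened scrub: empty every array the lookup can fall back to.
function scrubAllInputs()
{
    $_REQUEST = array();
    $_POST    = array();
    $_GET     = array();
}

// Constructed request: PHP fills $_REQUEST as a separate copy of the GET/POST
// data, so unsetting its keys leaves $_GET and $_POST untouched.
function simulateRequest()
{
    $_GET     = array('task' => 'ping');
    $_POST    = array();
    $_REQUEST = $_GET;
}

simulateRequest();
scrubRequestOnly();
echo "after partial scrub: ", var_export(getQueryParam('task'), true), PHP_EOL;

simulateRequest();
scrubAllInputs();
echo "after full scrub: ", var_export(getQueryParam('task'), true), PHP_EOL;
```

Run with the PHP CLI: the first line still reports the `task` value read back from `$_GET`, the second reports the default.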