首先是本地文件包含漏洞,位于  
ajax.php:

// NOTE(review): the file name handed to require_once is built from the return
// value of SetEvent(), which SetEvent() reads from the request's `mod`
// parameter. The include path is therefore only as safe as the validation
// performed inside SetEvent().
require_once MOD_PATH.$this->SetEvent($config['default_module']).'.mod.php';

//再看SetEvent

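/**
 * Resolve the requested module name from the request and validate it.
 *
 * Reads `mod` from $_POST (preferred) or $_GET, checks it against the fixed
 * allow-list of module names, mirrors the accepted value back into both
 * superglobals and returns it. The caller concatenates the return value into
 * a require_once path, so only allow-listed names may ever be returned.
 *
 * When the value is missing, is not a string, or is not in the allow-list,
 * the 404 page is included and the script exits.
 *
 * @return string One of the allow-listed module names.
 */
function SetEvent()
{
    // Allow-list of modules that may be loaded through this entry point.
    $modss = array('check' => 1, 'getseller' => 1, 'member' => 1);

    if (isset($_POST['mod'])) {
        $mod = $_POST['mod'];
    } elseif (isset($_GET['mod'])) {
        $mod = $_GET['mod'];
    } else {
        $mod = null;
    }

    // The original tested isset($modss), which is always true for the array
    // defined above, so the allow-list was never applied and any request
    // value reached the include path. Test the requested key instead, and
    // reject non-string input (e.g. mod[]=x) before using it as an array key.
    if (!is_string($mod) || !isset($modss[$mod])) {
        include(INCLUDE_PATH . 'error_404.php');
        exit;
    }

    // Keep both superglobals in sync with the validated value.
    $_POST['mod'] = $_GET['mod'] = $mod;

    return $mod;
}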

那么以 .mod.php 结尾的文件里,哪个能用呢?
以下是上传漏洞   
看modules\admin\tttuangou.mod.php  //后台文件!

class ModuleObject extends MasterObject{

var $city;

/**
 * PHP4-style constructor for the admin module.
 *
 * Runs the parent constructor, loads and instantiates the product, pay, me
 * and order logic classes, stores the configuration, derives the numeric
 * record id from the request and then dispatches via Execute().
 *
 * @param mixed $config Configuration passed through to MasterObject and
 *                      kept on $this->config.
 */
function ModuleObject($config)
{
    // Parent constructor first. Presumably this is what populates
    // $this->Post / $this->Get; confirm against MasterObject.
    $this->MasterObject($config);

    // Each logic file is loaded immediately before its class is
    // instantiated; the property name is the same as the class name.
    $logicClasses = array(
        'product' => 'ProductLogic',
        'pay'     => 'PayLogic',
        'me'      => 'MeLogic',
        'order'   => 'OrderLogic',
    );
    foreach ($logicClasses as $logicName => $className) {
        Load::logic($logicName);
        $this->$className = new $className();
    }

    $this->config = $config;

    // A truthy POST id wins over the GET id; the int cast means ID can
    // never carry anything but an integer.
    $requestedId = $this->Post['id'] ? $this->Post['id'] : $this->Get['id'];
    $this->ID = (int) $requestedId;

    $this->Execute();
}

//很幸运地以上自定义函数都已经定义了

// Dispatches the request to a handler method according to $this->Code.
// NOTE(review): where $this->Code is set is not visible in this excerpt.
function Execute(){

switch($this->Code){

case 'varshow':

$this->Varshow();

break;

case 'varedit':

// (the write-up author omitted a number of cases here)

case 'dositelogo':

// Site-logo upload handler; its body is quoted further down the page.
$this->doSiteLogoManager();

//再看doSiteLogoManager

// Handles the site-logo upload: checks the uploaded file's extension against
// an allow-list, derives a target directory from the request's `path`
// parameter and hands the upload to UploadHandler. The excerpt is abridged by
// the write-up author and ends before the function's closing brace.
function doSiteLogoManager()

{

// (irrelevant code omitted here by the write-up author)

$_FILES['uploads']['name'] = $FILES_O['uploads']['name'][$i];

// (more code omitted)

$default_type=array('jpg','pic','png','jpeg','bmp','gif'); $imgary=explode('.',$_FILES['uploads']['name']);

// Allow-list check on the last dot-separated part of the uploaded file's
// own name.
// NOTE(review): whether Messager() stops execution is not visible here; if it
// returns, the code below still runs after a rejected extension.
if(!in_array(strtolower($imgary[count($imgary)-1]),$default_type)){

$this->Messager('不允许上传的图片格式!');

}

// The extension is restricted above.

// NOTE(review): `path` comes straight from the query string and is
// URL-decoded here, so everything derived from it below is attacker-chosen.
$full_path = urldecode($this->Get['path']);

$fp_ary = explode('/', $full_path);

// Last path segment is taken as the file name; how $file is used afterwards
// is not shown in this excerpt.
$file = $fp_ary[count($fp_ary)-1];

$dir = '';

// Rebuild the directory part from all segments except the last one.
for ($i=0;$i<count($fp_ary)-1;$i++)

{

// Only segments equal to '.' are dropped; no other validation or
// normalisation of the segments happens in this loop.
if ($fp_ary[$i] != '.')

{

$dir .= $fp_ary[$i].'/';

}

}

$dir = './'.$dir; // Write-up author's remark: the name can be chosen through `path`, so the extension allow-list above (which only looks at the uploaded file's own name) does not constrain it. Mitigation: take the destination directory and file name from server-side configuration, not from the request.

require_once LIB_PATH . 'upload.han.php';

// NOTE(review): the meaning of the fourth argument (true) is not visible
// here; confirm whether UploadHandler validates the destination itself.
$upload_handler = new UploadHandler($_FILES, $dir, 'uploads' , true);

同时还发现 2 处利用价值不大的文件包含漏洞:
modules\me.mod.php

// Excerpt from modules\me.mod.php, abridged by the write-up author; the
// function's closing brace is not part of the excerpt.
function Readdmoney(){

$pay_code = (isset($_POST['pay']) ? $_POST['pay'] : $_GET['pay']); // not filtered

// (code omitted by the write-up author)

// NOTE(review): $pay_code is taken from the request and concatenated into the
// include path with no check visible in this excerpt. It should be matched
// against a fixed allow-list of payment module names before being used here.
include_once('./modules/'.$pay_code.'.pay.php');

还有index.mod.php

// Excerpt from index.mod.php, abridged by the write-up author; the function's
// closing brace is not part of the excerpt.
function Readdmoney(){

$pay_code = (isset($_POST['pay']) ? $_POST['pay'] : $_GET['pay']); // not filtered

// (code omitted by the write-up author)

// NOTE(review): $pay_code is taken from the request and concatenated into the
// include path with no check visible in this excerpt. It should be matched
// against a fixed allow-list of payment module names before being used here.
include_once('./modules/'.$pay_code.'.pay.php');

以 .pay.php 结尾的只有 3 个在线支付文件,没什么利用价值。
开启 GPC(magic_quotes_gpc)之后,这些点基本都是浮云,只剩超长字符截断这一条路。修复时不应依赖 GPC,而应对 mod、pay 这类参数做白名单校验。