好不容易利用discuz x3.2的一个漏洞搞的一个shell拿到的一个插件,求分析开源!
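<?php
/**
 * Admin-CP install script for a haoteam / piaobo Discuz plugin.
 *
 * Discuz runs the install as a chain of cpmsg() redirects: every request
 * carries ?step=N and this script performs exactly one stage per request:
 *   (default) -> 1 environment / licence check
 *   -> 2 create haoteam_vars
 *   -> 3 create haoteam_lang and import $pluginarray['language'] (founder + plugindeveloper only)
 *   -> 4 create the plugin's own tables via install/install_<table>.php and import haoteamvars
 *   -> 5 mark the plugin available and refresh caches
 *   -> 6 run install/install_import.php if present
 *   -> 7/8 optionally run install/install_wsq.php (asked via a confirm form)
 *   -> 9 done ($finish = TRUE is read by the enclosing Discuz installer).
 *
 * Everything here executes with Admin-CP privileges. $_G, $pluginid,
 * $pluginarray and $admincp are supplied by the Discuz plugin installer;
 * haoteam_validator(), haoteam_check(), unie() and check_table_is_exist()
 * come from the plugin's vars.func.php.
 */
if ( !defined( "IN_DISCUZ" ) || !defined( "IN_ADMINCP" ) )
{
    exit( "Access Denied" );
}
global $_G;
global $pluginid;
global $pluginarray;

$table1 = DB::table( "haoteam_vars" );
$table2 = DB::table( "haoteam_lang" );
$pname  = $pluginarray['plugin']['identifier'];
// $pname is interpolated into SQL string literals below; escape it once here.
$pnameSql = addslashes( $pname );
$folder = DISCUZ_ROOT."source".DIRECTORY_SEPARATOR."plugin".DIRECTORY_SEPARATOR.$pname;

// Helper functions live in the plugin's vars.func.php; abort if it is missing.
if ( !function_exists( "haoteam_validator" ) )
{
    $funcfile = $folder.DIRECTORY_SEPARATOR."vars.func.php";
    if ( !file_exists( $funcfile ) )
    {
        cpmsg( "plugin_not_found" );
    }
    require_once( $funcfile );
}

// cert.php (optional) is assumed to define $cert as an array; index 5 is the
// site id ($sid) sent to the remote licence check - TODO confirm against cert.php.
$sid = '';
$certfile = $folder.DIRECTORY_SEPARATOR."cert.php";
if ( file_exists( $certfile ) )
{
    require_once( $certfile );
    $sid = isset( $cert[5] ) ? $cert[5] : '';
}

$uniqueid = !empty( $_G['setting']['siteuniqueid'] )
    ? $_G['setting']['siteuniqueid']
    : C::t( "common_setting" )->fetch( "siteuniqueid" );

// Identity bundle handed to haoteam_check() in step 1.
$cert = array(
    "qid"     => $uniqueid,
    "bbsUrl"  => $_G['siteurl'],
    "plugin"  => $pname,
    "sid"     => $sid,
    "siteurl" => isset( $_G['setting']['siteurl'] ) ? $_G['setting']['siteurl'] : ''
);

// Raw query string of the current request; it is re-used as the base of every
// next-step URL. NOTE(review): request-controlled - relies on cpmsg() to encode
// it for the redirect / form target; confirm.
$insurl = $_SERVER['QUERY_STRING'];

$sql1 = "\r\nCREATE TABLE IF NOT EXISTS `".$table1."` (\r\n `pluginvarid` mediumint(8) unsigned NOT NULL auto_increment,\r\n `pluginid` smallint(6) unsigned NOT NULL default '0',\r\n `identifier` varchar(50) NOT NULL,\r\n `displayorder` tinyint(3) NOT NULL default '0',\r\n `title` varchar(100) NOT NULL default '',\r\n `description` text NOT NULL,\r\n `variable` varchar(40) NOT NULL default '',\r\n `type` varchar(255) NOT NULL,\r\n `value` text NOT NULL,\r\n `extra` text NOT NULL,\r\n `module` varchar(255) NOT NULL,\r\n `submenu` varchar(255) NOT NULL,\r\n `subnum` int(10) NOT NULL,\r\n PRIMARY KEY (`pluginvarid`),\r\n KEY `pluginid` (`pluginid`)\r\n) ENGINE=MyISAM DEFAULT CHARSET=gbk;\r\nDELETE FROM {$table1} WHERE identifier = '{$pnameSql}';";

// The language table is only created for a founder running in plugindeveloper
// mode and only when the plugin ships its table definition.
$sql2 = '';
if ( $admincp->isfounder && !empty( $_G['config']['plugindeveloper'] ) && file_exists( $folder.DIRECTORY_SEPARATOR."table".DIRECTORY_SEPARATOR."table_haoteam_lang.php" ) )
{
    $sql2 = "CREATE TABLE IF NOT EXISTS ".$table2." (\r\n `id` mediumint(8) NOT NULL AUTO_INCREMENT,\r\n `pluginname` varchar(40) NOT NULL,\r\n `system` tinyint(1) NOT NULL DEFAULT '0',\r\n `variable` varchar(40) NOT NULL,\r\n `value` text NOT NULL,\r\n `module` varchar(255) NOT NULL,\r\n PRIMARY KEY (`id`)\r\n) ENGINE=MyISAM DEFAULT CHARSET=gbk;\r\nDELETE FROM {$table2} WHERE pluginname = '{$pnameSql}';";
}

$table4 = DB::table( "piaobo_attachment" );
$table5 = DB::table( "piaobo_attachment_shar" );
$table6 = DB::table( "piaobo_attachment_extcredits" );
$table_all = array(
    $table4,
    $table5,
    $table6
);

// Current stage; anything non-scalar (e.g. an array parameter) falls back to the default case.
$step = ( isset( $_GET['step'] ) && is_scalar( $_GET['step'] ) ) ? (string) $_GET['step'] : '';
if ( $step )
{
    // 1 s pause between stages; purpose is not stated - presumably to space out
    // the redirect chain / remote check.
    sleep( 1 );
}

switch ( $step )
{
    case "1" :
        loadcache( $pname."_drk_developer" );
        if ( empty( $_G['cache'][$pname."_drk_developer"] ) )
        {
            haoteam_validator( $pname.".plugin", 0, array( "check", "install", "upgrade", "vars.func" ) );
            // Phones home over plain HTTP with the site id, site URL, plugin name
            // and cert sid. The transport is neither encrypted nor authenticated,
            // and the response handling lives in vars.func.php (not visible here).
            haoteam_check( "http://www.51piaobo.com/", $cert, array( "check", "install", "upgrade", "vars.func" ) );
        }
        cpmsg( unie( "检测环境完成,载入团队数据表……" ), "{$insurl}&step=2", "loading" );
        break;

    case "2" :
        if ( $sql1 )
        {
            runquery( $sql1 );
        }
        cpmsg( unie( "载入好团队数据完成,导入语言包……" ), "{$insurl}&step=3", "loading" );
        break;

    case "3" :
        if ( $sql2 )
        {
            runquery( $sql2 );
            $languagesByModule = isset( $pluginarray['language'] ) && is_array( $pluginarray['language'] )
                ? $pluginarray['language']
                : array();
            foreach ( $languagesByModule as $module => $languages )
            {
                if ( !is_array( $languages ) )
                {
                    continue;
                }
                foreach ( $languages as $variable => $value )
                {
                    C::t( "#".$pname."#haoteam_lang" )->insert( array(
                        'pluginname' => $pname,
                        'system'     => 0,
                        'variable'   => $variable,
                        'value'      => $value,
                        'module'     => $module
                    ) );
                }
            }
        }
        cpmsg( unie( "导入语言包完成……" ), "{$insurl}&step=4", "loading" );
        break;

    case "4" :
        $tablepre = isset( $_G['config']['db'][1]['tablepre'] ) ? $_G['config']['db'][1]['tablepre'] : '';
        foreach ( $table_all as $table )
        {
            if ( check_table_is_exist( $table ) )
            {
                continue;
            }
            // Install files are named after the bare table name. Strip only the
            // leading configured prefix (case-insensitively) so a prefix that also
            // occurs inside the name is not removed a second time.
            $table_tmp = $table;
            $prelen    = strlen( $tablepre );
            if ( $prelen > 0 && strncasecmp( $table, $tablepre, $prelen ) === 0 )
            {
                $table_tmp = substr( $table, $prelen );
            }
            $installfile = $folder."/install/install_".$table_tmp.".php";
            if ( !file_exists( $installfile ) )
            {
                cpmsg( "plugin_not_found" );
            }
            // A per-table install file may set $piaobo_install to ask for its own
            // removal once it has run; reset so a stale flag cannot carry over.
            $piaobo_install = FALSE;
            require_once( $installfile );
            if ( $piaobo_install && is_file( $installfile ) )
            {
                unlink( $installfile );
            }
        }
        savecache( $pname."_tables", $table_all );

        $haoteamvars = isset( $pluginarray['haoteamvars'] ) && is_array( $pluginarray['haoteamvars'] )
            ? $pluginarray['haoteamvars']
            : array();
        foreach ( $haoteamvars as $vars )
        {
            // Keys from $vars override the default pluginid, as in the original loop.
            $data = is_array( $vars )
                ? $vars + array( "pluginid" => $pluginid )
                : array( "pluginid" => $pluginid );
            C::t( "#".$pname."#haoteam_vars" )->insert( $data );
        }
        cpmsg( unie( "导入应用数据表完成..." ), "{$insurl}&step=5", "loading" );
        break;

    case "5" :
        C::t( "common_plugin" )->update( $pluginid, array( "available" => "1" ) );
        updatecache( array( "plugin", "setting", "styles" ) );
        cleartemplatecache( );
        updatemenu( "plugin" );
        cpmsg( unie( "清理缓存……" ), "{$insurl}&step=6", "loading" );
        break;

    case "6" :
        if ( file_exists( $folder."/install/install_import.php" ) )
        {
            require_once( $folder."/install/install_import.php" );
        }
        cpmsg( unie( "数据导入及临时文件创建" ), "{$insurl}&step=7", "loading" );
        break;

    case "7" :
        $wsqfile = $folder."/install/install_wsq.php";
        if ( file_exists( $wsqfile ) )
        {
            // Confirm form: "yes" continues to step 8, "no" jumps straight to step 9.
            cpmsg( unie( "是否启用微社区模块(不影响传统论坛功能)" ), "{$insurl}&step=8", "form", array( ), "", TRUE, ADMINSCRIPT.( "?".$insurl."&step=9" ) );
        }
        else
        {
            cpmsg( unie( "数据导入及临时文件创建" ), "{$insurl}&step=9", "loading" );
        }
        break;

    case "8" :
        require_once( $folder."/install/install_wsq.php" );
        cpmsg( unie( "数据导入及临时文件创建" ), "{$insurl}&step=10", "loading" );
        break;

    case "9" :
        // Signals completion to the enclosing Discuz installer.
        $finish = TRUE;
        break;

    default :
        cpmsg( unie( "开始安装前的准备,检测环境..." ), "{$insurl}&step=1", "loading" );
}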