如何绕过PHP中的函数参数?

2024-09-24 12:24:43 发布

您现在位置:Python中文网/ 问答频道 /正文
6577 3

我目前正在编写一个python脚本来恢复Joomla网站。 它实际上基于发布的缺陷here

我怀疑我针对的PHP脚本不应该被直接调用。 当我对它运行脚本时,它返回这个

{“status”:false,“message”:“Invalid login”}

这就是我怀疑的职责!你知道吗

// Import configuration
masterSetup();

$retArray = array(
    'status'    => true,
    'message'   => null
);

$enabled = AKFactory::get('kickstart.enabled', false);

if($enabled)
{
    $task = getQueryParam('task');

    switch($task)
    {
        case 'ping':
            // ping task - realy does nothing!
            $timer = AKFactory::getTimer();
            $timer->enforce_min_exec_time();
            break;

        case 'startRestore':
            AKFactory::nuke(); // Reset the factory

            // Let the control flow to the next step (the rest of the code is common!!)

        case 'stepRestore':
            $engine = AKFactory::getUnarchiver(); // Get the engine
            $observer = new RestorationObserver(); // Create a new observer
            $engine->attach($observer); // Attach the observer
            $engine->tick();
            $ret = $engine->getStatusArray();

            if( $ret['Error'] != '' )
            {
                $retArray['status'] = false;
                $retArray['done'] = true;
                $retArray['message'] = $ret['Error'];
            }
            elseif( !$ret['HasRun'] )
            {
                $retArray['files'] = $observer->filesProcessed;
                $retArray['bytesIn'] = $observer->compressedTotal;
                $retArray['bytesOut'] = $observer->uncompressedTotal;
                $retArray['status'] = true;
                $retArray['done'] = true;
            }
            else
            {
                $retArray['files'] = $observer->filesProcessed;
                $retArray['bytesIn'] = $observer->compressedTotal;
                $retArray['bytesOut'] = $observer->uncompressedTotal;
                $retArray['status'] = true;
                $retArray['done'] = false;
                $retArray['factory'] = AKFactory::serialize();
            }
            break;

这里是MasterSetup()

  function masterSetup()
    {
        // ------------------------------------------------------------
        // 1. Import basic setup parameters
        // ------------------------------------------------------------

    $ini_data = null;

    // In restore.php mode, require restoration.php or fail
    if(!defined('KICKSTART'))
    {
        // This is the standalone mode, used by Akeeba Backup Professional. It looks for a restoration.php
        // file to perform its magic. If the file is not there, we will abort.
        $setupFile = 'restoration.php';

        if( !file_exists($setupFile) )
        {
            // Uh oh... Somebody tried to pooh on our back yard. Lock the gates! Don't let the traitor inside!
            AKFactory::set('kickstart.enabled', false);
            return false;
        }

        // Load restoration.php. It creates a global variable named $restoration_setup
        require_once $setupFile;
        $ini_data = $restoration_setup;
        if(empty($ini_data))
        {
            // No parameters fetched. Darn, how am I supposed to work like that?!
            AKFactory::set('kickstart.enabled', false);
            return false;
        }

        AKFactory::set('kickstart.enabled', true);
    }
    else
    {
        // Maybe we have $restoration_setup defined in the head of kickstart.php
        global $restoration_setup;
        if(!empty($restoration_setup) && !is_array($restoration_setup)) {
            $ini_data = AKText::parse_ini_file($restoration_setup, false, true);
        } elseif(is_array($restoration_setup)) {
            $ini_data = $restoration_setup;
        }
    }

我的问题是,是否有可能绕过解析为函数的参数并强制函数返回true?你知道吗


Tags: thefalsetrueifisstatussetupenabled
1条回答
网友
1楼 · 发布于 2024-09-24 12:24:43

我想不一定,但是如果函数参数是从http请求中获取的,那么它就有可能被绕过,例如

在这里,下面的命令清除$\u请求,但是它没有清除$_POST$_GET,因此留下了一个供绕过的间隙

if(!empty($_REQUEST))
{
    foreach($_REQUEST as $key => $value)
    {
        unset($_REQUEST[$key]);
    }
}

在我的例子中,它只是避免函数返回默认值

function getQueryParam( $key, $default = null )
{
    if(array_key_exists($key, $_REQUEST)) {
        $value = $_REQUEST[$key];
    } elseif(array_key_exists($key, $_POST)) {
        $value = $_POST[$key];
    } elseif(array_key_exists($key, $_GET)) {
        $value = $_GET[$key];
    } else {
        return $default;
    }
    return $value;
}

相关问题 更多 >

    编程相关推荐