SiteServer 前台的某一个点

因为这个洞有一定的限制,但不影响后台利用,所以发出来供大家参考学习。懂 .NET 的可以深入去挖掘,我只能说还有其他的点。

// Page entry point: dispatches on the "type" query-string value to the site Backup or Recovery routine.
// NOTE(review): in this excerpt every argument is read straight from the HTTP request, and no
// authentication or permission check on the caller is visible before either branch runs.
// The listing is truncated, so confirm against the full method.
public void Page_Load(object sender, EventArgs e)
{
// Operation selector, taken from the query string.
string a = base.Request.QueryString["type"];
// Read through the Request indexer rather than Form or QueryString specifically; the value is client-supplied.
string userKeyPrefix = base.Request["userKeyPrefix"];
NameValueCollection attributes = new NameValueCollection();
// Constructed here, but not consulted anywhere in the visible lines before the dispatch below.
AuthenticatedRequest request = new AuthenticatedRequest();
if (a == "Backup")
{
// siteID is converted with TranslateUtils.ToInt (second argument presumably the fallback value; verify).
int siteId = TranslateUtils.ToInt(base.Request.Form["siteID"], 0);
// backupType is passed on as the raw form string.
string backupType = base.Request.Form["backupType"];
attributes = this.Backup(siteId, backupType, userKeyPrefix);
}
else if (a == "Recovery")
{
// All restore options below come from the POST body.
int siteId2 = TranslateUtils.ToInt(base.Request.Form["siteID"], 0);
bool isDeleteChannels = TranslateUtils.ToBool(base.Request.Form["isDeleteChannels"]);
bool isDeleteTemplates = TranslateUtils.ToBool(base.Request.Form["isDeleteTemplates"]);
bool isDeleteFiles = TranslateUtils.ToBool(base.Request.Form["isDeleteFiles"]);
bool isZip = TranslateUtils.ToBool(base.Request.Form["isZip"]);
// NOTE(review): path is a free-form string from the request. Unlike the other fields it is neither
// converted nor constrained in the visible lines before being handed to Recovery. It should be
// resolved on the server and confined to the backup directory, for example by accepting only a
// backup identifier instead of a path.
string path = base.Request.Form["path"];
bool isOverride = TranslateUtils.ToBool(base.Request.Form["isOverride"]);
bool isUseTable = TranslateUtils.ToBool(base.Request.Form["isUseTable"]);
// The call below is truncated in the source listing.
attributes = this.Recovery(siteId2, isDeleteChannels, isDeleteTemplates, isDeleteFiles, isZip, path, isOverride,
}

Backup 分支我们可以忽略,它能够造成的威胁不大,我们主要观察的是 Recovery 分支。

// Excerpt repeated from Page_Load.
// userKeyPrefix is read through the Request indexer, so its value is whatever the client sends.
string userKeyPrefix = base.Request["userKeyPrefix"];
NameValueCollection attributes = new NameValueCollection();
// NOTE(review): the AuthenticatedRequest is only constructed here; no check of the caller's identity
// or role is visible in this excerpt. Confirm whether one exists elsewhere in the page.
AuthenticatedRequest request = new AuthenticatedRequest();

关于这里的 NameValueCollection 我要说一下:需要在 header 中加一个 XML 解析的头,否则 POST 提交的内容无法解析;而 userKeyPrefix 可任意输入。

// Excerpt repeated from Page_Load (the call is truncated in the source listing).
// Every argument visible here was read from Request.Form in Page_Load; path is forwarded as received.
attributes = this.Recovery(siteId2, isDeleteChannels, isDeleteTemplates, isDeleteFiles, isZip, path, isOverride, isUseTable
}

跟入调用函数

// Excerpt from the Recovery method (lines are truncated in the source listing).
// path is URL-decoded and handed to RecoverySite. No validation of where it points is visible
// here; TODO confirm against the full method.
BackupUtility.RecoverySite(siteId, isDeleteChannels, isDeleteTemplates, isDeleteFiles, isZip, PageUtils.UrlDecode(path
// The site log entry is written after the restore call and is attributed to request.AdminName.
// NOTE(review): whether AdminName is populated for a caller who is not logged in is not shown.
request.AddSiteLog(siteId, "恢复备份数据", request.AdminName);
waitingTaskNameValueCollection = AjaxManager.GetWaitingTaskNameValueCollection("数据恢复成功

继续跟进RecoverySite

// Restores a site from the backup at `path` (signature and body are truncated in the source listing).
// NOTE(review): in the excerpts shown, `path` arrives from the request form with only URL-decoding
// applied. Nothing visible canonicalizes it or confines it to the backup directory before it is used
// as a file-system location. A fix would resolve the full path on the server and reject anything
// outside the expected backup root.
public static void RecoverySite(int siteId, bool isDeleteChannels, bool isDeleteTemplates, bool isDeleteFiles, bool isZip
{
ImportObject importObject = new ImportObject(siteId, administratorName);
SiteInfo siteInfo = SiteManager.GetSiteInfo(siteId);
// The working location defaults to the caller-supplied path.
string text = path;
if (isZip)
{
// For archives, the working location is replaced by a temporary directory for the Site backup type.
text = PathUtils.GetTemporaryFilesPath(EBackupTypeUtils.GetValue(EBackupType.Site));
// Presumably clears and recreates that directory so that no earlier contents remain (helpers not shown).
DirectoryUtils.DeleteDirectoryIfExists(text);
DirectoryUtils.CreateDirectoryIfNotExists(text);
// Presumably extracts the archive at `path` into the temporary directory.
// NOTE(review): ZipUtils.ExtractZip is not shown. Verify that it rejects entries whose names resolve
// outside the destination, and that the archive at `path` is a backup produced by this server.
ZipUtils.ExtractZip(path, text);
}

核心代码来了!当 isZip 为 true 时则进入 ExtractZip 函数进行压缩包解压。此处的 path 和 text 由我们的 form 中的 path 传入(text 初始等于 path,但按上面的代码,isZip 为 true 时 text 会被重新赋值为临时目录,因此请求实际可控的是作为压缩包来源的 path),isZip 也可控。
image
利用条件传入一个zip
