明御网关

g参数过滤
(\/\*[\s\S]*\*\/)|(\%n\%s)|(\s+and\s+)|(\\bonmouseover\s*=)|(\\bfunction\()|(\\bdocument\.)|(:prompt\\b)|(\\bprompt\()|(\\bsum\()|(\\bcmd\|\')|(\'\s+[\s\S]*\s+\')|(\'\s+\')|(confirm\()|(\\becho\s+)|(:alert\\b)|(\\beval\s*\()|(\\bor\s+[\s\S]*=[\s\S]*)|(\\band\s+[\s\S]*=[\s\S]*)|(\.\.\/)|(\$\(\.\.\/)|(window\[location\])|(window\[\"location\"\])|(window\[\'location\'\])|(window\.location)|(\.\.\/)|(\s*<\s*img\s*)|(\s*<\s*iframe\s*)|(\\bonerror\s*)|(\\bsleep\s*)|(\\balert\(\s*)|(\\bjavascript:\s*)|(\s*ping\s-n\s*)|(\s+or\s+)|(\\bexec\s+)|(\\bmaster\s+)|(\\btruncate\s+)|(\\bdeclare\s+)|(\s+insert\s+)|(\\bselect\s+)|(\\bdelete\s+)|(\\bcount\s*\()|(\s+chr\s*\()|(\s+mid\s*\()|(\s+chr\s*\()|(\s+chr\s*\()

fopen
public function downloadFile($filename, $filepath, $url) 🌹w
?url=captureobj/name/filename get
if (!$this->filename_check_suffix($url_params[2], 'pcap') || !$this->filename_check($url_params[2])) { 
等待绕过


eval
function communicationDataSMS($conf){
无法动调，先不急

function sysSortArray($ArrayData, $KeyName1, $SortOrder1 = "SORT_ASC", $SortType1 = "SORT_REGULAR")
涉及到sql操作，还没看懂

file_get_contents
$ret = file_get_contents($gwUrl.$param_data['post_data']);
无法动调，先不急
$soapParam = file_get_contents("/mnt/proxy_dir/attachements/sms/".$conf[srcfilename]);
无法动调，先不急


move_uploaded_file
?url=auth_user_grp/import
AAAGroupObj->getparam  move_uploaded_file 疑似有00截断
没有00截断，版本过高

readfile
export_File($_param['cert_file_name']);
file_access_control了，绕不过

file_put_contents
 file_put_contents($param['index'] . 'index.htm', $html_content); xss
 index.htm不是默认存在的的