这是以前挖到的一个漏洞,现在公开出来,截至发布时似乎尚未修复:帝国网站管理系统(EmpireCMS)7.2 正式版及更早版本存在后台 SQL 注入漏洞。利用该漏洞需要管理员后台权限,属于已认证后的注入,因此实际威胁有限、比较鸡肋。
先看源代码。漏洞主要位于 EditClass 函数中,该函数定义在文件
upload\e\class\classfunc.php中:
函数代码如下(注意 $add 数组中的多个字段在本函数内未见转义即直接拼接进 SQL 语句;是否在 DoPostClassVar 等上游函数中做过过滤,需另行确认):
function EditClass($add,$userid,$username){
global $empire,$class_r,$dbtbpre;
//修改外部栏目
if($add[ecmsclasstype])
{
EditWbClass($add,$userid,$username);
}
$add[classid]=(int)$add[classid];
$add[classpath]=trim($add[classpath]);
$checkclasspath=$add['classpath'];
if($add['oldclasspath']<>$add['pripath'].$add['oldcpath'])//更换父栏目
{
$add[classpath]=$add['oldcpath'];
}
if(!$add[classname]||!$add[classpath]||!$add[modid]||!$add[classid]){
printerror("EmptyClass","");
}
if($add[islast]&&(!$add[newstempid]||!$add[listtempid])){
printerror("LastMustChange","");
}
//操作权限
CheckLevel($userid,$username,$classid,"class");
$add=DoPostClassVar($add);
$add[oldmodid]=(int)$add[oldmodid];
//改变目录
$classpath=$add[pripath].$add[classpath];
if($add[oldclasspath]<>$classpath&&$checkclasspath==$add['oldcpath']){
if(file_exists("../../".$classpath)){//检测目录是否存在
printerror("ReClasspath","");
}
}
//取得表名
$tabler=GetModTable($add[modid]);
$tabler[tid]=(int)$tabler[tid];
//修改大栏目
if(!$add[islast]){
//改变大栏目
if($add[bclassid]<>$add[oldbclassid]){
//转到主栏目
if(empty($add[bclassid])){
$sonclass="";
$featherclass="";
//取得本栏目的子栏目
$r=$empire->fetch1("select sonclass,featherclass,classpath from {$dbtbpre}enewsclass where classid='$add[classid]'");
//改变父栏目的子栏目
$where=ReturnClass($r[featherclass]);
if(empty($where)){
$where="classid=0";
}
$osql=$empire->query("select sonclass,classid from {$dbtbpre}enewsclass where ".$where);
while($o=$empire->fetch($osql)){
$newsonclass=str_replace($r[sonclass],"|",$o[sonclass]);
$uosql=$empire->query("update {$dbtbpre}enewsclass set sonclass='$newsonclass' where classid='$o[classid]'");
}
//修改子栏目的父栏目
$osql=$empire->query("select featherclass,classid,classpath from {$dbtbpre}enewsclass where featherclass like '%|".$add[classid]."%|'");
while($o=$empire->fetch($osql)){
$newclasspath=str_replace($r[classpath]."/",$classpath."/",$o[classpath]);
$newfeatherclass=str_replace($r[featherclass],"|",$o[featherclass]);
$uosql=$empire->query("update {$dbtbpre}enewsclass set featherclass='$newfeatherclass',classpath='$newclasspath' where classid='$o[classid]'");
}
}
//转到中级栏目
else
{
//大栏目跟原栏目相同
if($add[classid]==$add[bclassid]){
printerror("BclassIsself","");
}
//取得现在大栏目的值
$b=$empire->fetch1("select featherclass,sonclass,islast,wburl from {$dbtbpre}enewsclass where classid='$add[bclassid]'");
//检测大栏目是否为终级栏目
if($b[islast])
{
printerror("BclassNotLast","");
}
if($b[wburl])
{
printerror("BclassNotWb","");
}
//是否非法父栏目
if($b[featherclass]){
$c_nb_r=explode("|".$add[classid]."|",$b[featherclass]);
if(count($c_nb_r)<>1){
printerror("BclassIssmall","");
}
}
if(empty($b[featherclass])){
$b[featherclass]="|";
}
$featherclass=$b[featherclass].$add[bclassid]."|";
//取得现在栏目本身的值
$o=$empire->fetch1("select featherclass,sonclass,classpath from {$dbtbpre}enewsclass where classid='$add[classid]'");
//修改子栏目的父栏目
$osql=$empire->query("select featherclass,classid,classpath from {$dbtbpre}enewsclass where featherclass like '%|".$add[classid]."|%'");
while($or=$empire->fetch($osql)){
$newclasspath=str_replace($o[classpath]."/",$classpath."/",$or[classpath]);
if(empty($o[featherclass])){
$newfeatherclass=$b[featherclass].$add[bclassid].$or[featherclass];
}
else{
$newfeatherclass=str_replace($o[featherclass],$featherclass,$or[featherclass]);
}
$uosql=$empire->query("update {$dbtbpre}enewsclass set featherclass='$newfeatherclass',classpath='$newclasspath' where classid='$or[classid]'");
}
//改变旧大栏目的所有子栏目
$owhere=ReturnClass($o[featherclass]);
if(empty($owhere)){
$owhere="classid=0";
}
$oosql=$empire->query("select sonclass,classid from {$dbtbpre}enewsclass where ".$owhere);
while($oo=$empire->fetch($oosql)){
$newsonclass=str_replace($o[sonclass],"|",$oo[sonclass]);
$usql=$empire->query("update {$dbtbpre}enewsclass set sonclass='$newsonclass' where classid='$oo[classid]'");
}
//改变新大栏目的子栏目
$where=ReturnClass($featherclass);
if(empty($where)){
$where="classid=0";
}
$nbsql=$empire->query("select sonclass,classid from {$dbtbpre}enewsclass where ".$where);
while($nb=$empire->fetch($nbsql)){
if(empty($nb[sonclass]))
{$nb[sonclass]="|";}
$newsonclass=$nb[sonclass].substr($o[sonclass],1);
$usql=$empire->query("update {$dbtbpre}enewsclass set sonclass='$newsonclass' where classid='$nb[classid]'");
}
}
$change=",bclassid=$add[bclassid],featherclass='$featherclass'";
}
//绑定域名应用于子栏目
if($add['UrlToSmall']){
UpdateSmallClassDomain($add['classid'],$add['classurl'],$classpath);
}
//wap模板应用于子栏目
if($add['wapstylesclass'])
{
$empire->query("update {$dbtbpre}enewsclass set wapstyleid='$add[wapstyleid]' where featherclass like '%|".$add[classid]."|%'");
}
//修改数据库资料
$sql=$empire->query("update {$dbtbpre}enewsclass set classname='$add[classname]',classpath='$classpath',classtype='$add[classtype]',newline=$add[newline],hotline=$add[hotline],goodlin