cmseasy xss+csrf getshell

lib/tool/front_class.php
[php]
/**
 * front::__construct() — request-scoped input normalisation for the front end.
 * Excerpt: the "......" lines mark code elided from this listing.
 *
 * Security-relevant summary of what is visible here:
 *  - only the three username-carrying inputs are checked for quote characters;
 *  - when MAGIC_QUOTES_GPC is off, GET/POST/COOKIE go through daddslashes()
 *    (presumably a recursive addslashes — TODO confirm), which escapes quotes
 *    for SQL but does NOT neutralise HTML/JS;
 *  - GET keys and values are aggressively truncated / whitelisted below, while
 *    POST is copied into self::$post untouched apart from that slash-escaping.
 */
function __construct() {

// Reject single/double quotes in the three username inputs only.
// NOTE(review): the indexes are read without isset(), so a request lacking
// any of them raises a PHP notice before the check runs.
if(preg_match('/(\'|")/', $_POST['username']) || preg_match('/(\'|")/', $_GET['username']) || preg_match('/(\'|")/', $_COOKIE['login_username'])){

exit('非法参数'); // "illegal parameter"

...... // (elided: rest of this if-block and the statements that follow)

// Slash-escape all GPC input only when magic_quotes_gpc is off.
if (!MAGIC_QUOTES_GPC) {

$_GET = daddslashes($_GET);

$_POST = daddslashes($_POST);

$_COOKIE = daddslashes($_COOKIE);

} // Original note: "only filtered when GPC=OFF; not filtered when ON".
  // NOTE(review): addslashes-style escaping addresses SQL quoting; it is not
  // an XSS filter in either case — nothing here HTML-escapes POST values.

// Keep an HTML-escaped copy of dfile now; the loop below would otherwise
// truncate it at the first character outside [\w-].
$dfile = htmlspecialchars($_GET['dfile']);

// Rebuild $_GET key by key.
foreach ($_GET as $key=>$value) {

unset($_GET[$key]);

// These keys are re-attached verbatim: neither key nor value is sanitised.
if ($key == 'host'||$key == 'ftpip'||$key == 'request'||$key == 'notify_id'||$key == 'real_name') {

$_GET[$key]=$value;

continue;

}

// Truncate the key at its first character outside [A-Za-z0-9_-].
$key=preg_replace('/[^\w-].*/','',$key);

// tag/keyword: strip tags, then reject values containing "union" or a quote.
if ($key == 'tag'||$key == 'keyword') {

$value=strip_tags(urldecode($value));

$value=str_replace(' ','+',$value);

if(preg_match('/union/i',$value) || preg_match('/"/i',$value) ||preg_match('/\'/i',$value)){

exit('非法参数'); // "illegal parameter"

}

}

else

// Every other GET value is cut at its first character outside [A-Za-z0-9_-].
$value=preg_replace('/[^\w-].*/','',$value);

$_GET[$key]=$value;

}

self::$get=$_GET;

// POST is taken as-is: the only treatment it has received is the optional
// daddslashes() above. (Original note: "GET is filtered heavily; POST only
// has single/double quotes escaped.") Any code that stores or renders
// self::$post must escape per output context itself.
self::$post=$_POST;

self::$get['dfile'] = $dfile;

...... } // (elided: remainder of the constructor)
[/php]

lib/default/archive_act.php
[php]
/**
 * archive_act::orders_action() — handles the order form (case=archive&act=orders).
 * Excerpt: the "......" line marks code elided from this listing.
 *
 * On submit it builds the order record from the raw POST array and hands the
 * whole array to orders::rec_insert(). No CSRF token check is visible in this
 * method, and no per-field escaping or column whitelisting happens here — the
 * POST values arrive exactly as front::__construct() left them (at most
 * addslashes-style quote escaping, no HTML escaping).
 */
function orders_action() {

// aid from the (already filtered) GET array — see front::__construct().
$this->view->aid = trim(front::get('aid'));

// Only act when the form was actually submitted.
if (front::post('submit')) {

$this->orders = new orders();

// Most recent order overall (empty where-clause, newest adddate first).
$row = $this->orders->getrow("","adddate DESC");

//var_dump(time());

// Rate limit: reject if the last order is younger than config 'order_time'
// seconds. NOTE(review): this appears to be global (not per user or per IP),
// so any recent order by anyone blocks everyone — confirm against getrow().
if($row['adddate'] && time() - $row['adddate'] <= intval(config::get('order_time'))){

alerterror('操作频繁,请稍后再试'); // "too many requests, try again later"

return;

}

// telphone is the only required field.
if (front::$post['telphone'] == '') {

alerterror('联系电话为必填!'); // "contact phone is required"

return;

}

// mid = logged-in user id, or 0 for anonymous orders (no login required).
front::$post['mid'] = $this->view->user['userid'] ? $this->view->user['userid'] : 0;

front::$post['adddate'] = time();

front::$post['ip'] = front::ip();

// Multi-item order: POST aid[] and thisnum[aid] are flattened into
// comma-terminated strings 'aid' and 'pnums'.
if (isset(front::$post['aid'])) {

$aidarr = front::$post['aid'];

unset(front::$post['aid']);

// NOTE(review): $aidarr is assumed to be an array; a scalar aid would make
// foreach warn. '.=' on the just-unset 'aid' (and on an absent 'pnums') also
// raises an undefined-index notice on the first iteration.
foreach ($aidarr as $val) {

front::$post['aid'].=$val . ',';

front::$post['pnums'].=front::$post['thisnum'][$val] . ',';

}

} else {

// Single-item order: aid comes from the query string.
front::$post['aid'] = $this->view->aid;

}

if (!isset(front::$post['logisticsid']))

front::$post['logisticsid'] = 0;

// Order id: timestamp-logisticsid-mid-payname. logisticsid and payname are
// taken straight from POST, so the oid itself carries unescaped user input.
front::$post['oid'] = date('YmdHis') . '-' . front::$post['logisticsid'] . '-' . front::$post['mid'] . '-' . front::$post['payname'];

// The entire POST array is inserted as the row. (Original note: "inserted
// into the database without any filtering.") Consequences visible from here:
// no HTML escaping, so any field rendered later without escaping is a stored
// XSS sink; and no column whitelist, so every POSTed key reaches rec_insert —
// whether that lets a client set arbitrary columns depends on rec_insert().
$insert = $this->orders->rec_insert(front::$post);

...... // (elided: remainder of the submit branch)

}
[/php]

访问http://localhost/index.php?case=archive&act=orders&aid=1

在订单表单的“单位名称”字段里插入跨站脚本代码（该字段随表单 POST 提交；由上面的代码可见，POST 值至多只经过 addslashes 处理，未做任何 HTML 转义就被 rec_insert 写入数据库）
[php]