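# csdjcms < V 3.0 getshell Vulnerability

- By: Kn1f3
- E-Mail: 681796@qq.com

csdjcms 一款YY黑客与YY肥猪流喜欢用的唱歌网站。

## csdjcms V 2.5 code

```php
// As usual, start from the front page.
include_once("include/install.php");
if(S_IsInstall==0){
    header("Location:install/install.php");
}
include_once("include/label.php");
if(S_Webmode==1 or !file_exists("index.html")){
    // cache section
    $cache_id ='index_';
    if(!($cache_opt->start($cache_id))){
        echo GetTemp("index.html",0);
        $cache_opt->end();
    }
}
else{
    header("Location:index.html");
}

// Now the request-filtering helper.
// NOTE(review): set_magic_quotes_runtime() was removed in PHP 7.0 and
// get_magic_quotes_gpc() in PHP 8.0, and the unparenthesised nested ternaries
// below are a compile error from PHP 8.0 on; addslashes() is in any case not a
// substitute for parameterised queries / context-specific output escaping.
function SafeRequest($key,$mode,$isfilter=''){
    set_magic_quotes_runtime(0);
    $magic= get_magic_quotes_gpc();
    switch ($mode){
        case 'post':
            $value=isset($_POST[$key]) ?$magic?trim($_POST[$key]):addslashes(trim($_POST[$key])) : '';
            break;
        case 'get':
            $value=isset($_GET[$key]) ?$magic?trim($_GET[$key]):addslashes(trim($_GET[$key])) : '';
            break;
        default:
            $value=isset($_POST[$key]) ?$magic?trim($_POST[$key]):addslashes(trim($_POST[$key])) : '';
            if($value==""){
                $value=isset($_GET[$key]) ?$magic?trim($_GET[$key]):addslashes(trim($_GET[$key])) : '';
            }
            break;
    }
    if($isfilter!=''){
        $value=lib_replace_end_tag($value);
    }
    return $value;
}
// Submitted variables are passed through addslashes() as the "safety" filter.
// After a long look at the source, the admin backend turns out to have a serious
// security problem. (The original post has "081" here — presumably a line
// reference into the admin file; it is kept as found.)
```

```php
include "../include/conn.php";
include "../include/function.php";
include "admin_version.php";
include "admin_loginstate.php";   // the problem is inside this file

// Following it in:
if(empty($_COOKIE['S_AdminID'])){
    // first check whether the S_AdminID cookie exists at all
    echo "<script>window.location='admin_login.php'</script>";
}
elseif($_COOKIE['S_Login']!=md5($_COOKIE['S_AdminID'].$_COOKIE['S_AdminUserName'].$_COOKIE['S_AdminPassWord'].$_COOKIE['S_Permission'])){
    // This is the crux: if S_Login equals the md5 of the four concatenated
    // cookies, the check passes.
    // NOTE(review): every input to this md5() is read from $_COOKIE, i.e. chosen
    // by the client; there is no server-side secret, no session and no database
    // lookup, so the "signature" proves nothing. Also, neither branch calls
    // exit() after echoing the redirect, so the rest of the admin page still
    // executes for a client that ignores the script.
    echo "<script>window.parent.location='admin_login.php'</script>";
}

// Backend permission check.
// NOTE(review): the permission list itself comes from $_COOKIE['S_Permission'],
// so it is client-controlled as well; permissions must be looked up server-side
// from the authenticated admin record, not trusted from the request.
function SystemPer($Column){
    if(empty($_COOKIE['S_Permission'])){
        die("<script>jAlert('对不起,您无权限操作此功能!','操作错误',function(R){window.location='javascript:history.go(-1)';})</script>");
    }else{
        $SystemPermission=explode(",",$_COOKIE['S_Permission']); // split on "," into an array
        $StateOK=0;
        $ArrSystemPermission=count($SystemPermission);
        for($k=0;$k<$ArrSystemPermission;$k++){
            if($SystemPermission[$k]==$Column){ // loose comparison
                $StateOK=1;
            }
        }
        if($StateOK==0){
            die("<script>jAlert('对不起,您无权限操作此功能!','操作错误',function(R){window.location='javascript:history.go(-1)';})</script>");
        }
    }
}

// Cookies the author sets for the bypass:
//S_Permission
//1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
//S_Login
//md5(AdminID+AdminUserName+AdminPassWord+S_Permission)
//S_AdminUserName
//1
//S_AdminPassWord
//1
//S_AdminID
//1
```

后台成功绕过。

## csdjcms V 3.0

Version 3.0 has the same check.

```php
<?php
# Name: PHP版程氏音乐CMS管理系统 v3.0
# Author: 程氏 <web@chshcms.com> [QQ:848769359]
# Homepage: http://www.chshcms.cn/
$CS_Path=$_SERVER['PHP_SELF'];
$CS_Pathall=explode("/",$CS_Path);
$CS_Admin=$CS_Pathall[1]."/";
if(empty($_COOKIE['CS_AdminID'])){
    echo "<script>window.parent.location='".CS_WebPath.$CS_Admin."login.php';</script>";
}
elseif($_COOKIE['CS_Login']!=md5($_COOKIE['CS_AdminID'].$_COOKIE['CS_AdminUserName'].$_COOKIE['CS_AdminPassWord'].$_COOKIE['CS_Quanx'])){
    // NOTE(review): same construction as 2.5 — md5 over client-supplied cookies
    // only, and no exit() after the redirect.
    echo "<script>window.parent.location='".CS_WebPath.$CS_Admin."login.php'</script>";
}

// Backend permission check (permission list again taken from a cookie, CS_Quanx).
function SystemPer($Column){
    if(empty($_COOKIE['CS_Quanx'])){
        die("<script>alert('对不起,您无权限操作此功能!');window.location='javascript:history.go(-1);'</script>");
        exit();
    }else{
        $SystemPermission=explode(",",$_COOKIE['CS_Quanx']);
        $StateOK=0;
        $ArrSystemPermission=count($SystemPermission);
        for($k=0;$k<$ArrSystemPermission;$k++){
            if($SystemPermission[$k]==$Column){
                $StateOK=1;
            }
        }
        if($StateOK==0){
            die("<script>alert('对不起,您无权限操作此功能!');window.location='javascript:history.go(-1);'</script>");
            exit();
        }
    }
} // closing brace reconstructed; the original post's listing stops one brace short
```

## Review notes

Root cause, as visible in both listings: the admin "login state" is a cookie whose value is `md5()` of other cookies, and the permission set is another cookie. Nothing in the check is bound to server-side state or to a secret the client does not know, so the check is satisfiable by anyone who can set cookies. Secondary points: the comparisons use `!=`/`==` (loose), which is a known hazard for hash-looking strings and numeric-looking permission entries, and the failed-check branches only echo a JavaScript redirect without `exit()`, so the redirect is not an access control at all.

Mitigation for this pattern: keep admin authentication in a server-side session (`session_start()`, regenerate the id on login) and look the admin record and its permissions up from the database on every request; if a stateless cookie token is unavoidable, sign it with a server-held secret (`hash_hmac()`), verify with `hash_equals()`, include an expiry, and set the cookie with `HttpOnly`/`Secure`. Always `exit()` immediately after issuing a redirect on an authorisation failure. Note that the page title says "getshell" but the listings only show the admin authentication bypass; how admin access is escalated further is not shown here.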