### 简要描述:

cmseasy 后台(需要管理员身份)的"缓存配置文件"功能在把用户提交的设置值写回 PHP 配置文件时,只转义了单引号 `'` 而没有处理反斜杠 `\`,导致可以闭合字符串字面量、注入任意 PHP 代码,从而 getshell(3)。哥就是要找完所有后台 shell,让你们后台无处可找,呵呵……

### 详细说明:

直接看代码,union_admin.php(lines 123-138):

```php
if (front::post('submit') &&$this->manage->vaild()) {
$this->manage->filter($this->Exc);
$this->manage->add_before($this);
$this->manage->save_before();
$path = ROOT.'/config/union.php';
$content = file_get_contents($path);
foreach(front::$post['setting'] as $key=>$val) {
$content = preg_replace("/'$key'=>'(.*?)',/is","'$key'=>'$val',", $content);
//preg_match_all("/'".$key."'=>'(.*?)',/isu",$content,$out);
//var_dump($out);
//$content = str_replace_once($out[1][0],$val,$content);
}
//exit;
file_put_contents(ROOT.'/config/union.tmp.php',$content);
if($_GET['site']!='default') {
```

问题出在这一句:

`$content = preg_replace("/'$key'=>'(.*?)',/is","'$key'=>'$val',", $content);`

提交过来的 `$val` 被原样拼进了 PHP 源码的单引号字符串字面量里。从实际测试看,前面的输入过滤(`$this->manage->filter()`,其实现未贴出)会把 `'` 转成 `\'`,但不会转义 `\`,所以提交 `\'` 后写进文件的是 `\\'`:在 PHP 单引号字符串中 `\\` 表示一个字面反斜杠,紧跟的 `'` 就把字符串闭合了,其后的内容会被当作 PHP 代码解析。生成的 `config/union.tmp.php`(以及后续流程中由它产生的正式配置文件,该部分代码未贴出)一旦被 include,注入的代码就会执行。

顺带指出同一行还有两处没有做处理的地方:`$key` 没有经过 `preg_quote()` 就拼进了正则模式,可以注入正则元字符;`$val` 直接作为 `preg_replace()` 的替换串,其中的 `$1`、`\1` 会被当作反向引用解析。修复建议:不要用正则去"编辑"PHP 源码,而是按白名单校验 `setting` 的键,再用 `var_export()` 重新生成整个配置数组写入文件;如果一定要保留现有写法,至少要 `preg_quote($key, '/')`,并对 `$val` 先做 `addcslashes($val, "'\\")`,再把替换串里的 `\` 和 `$` 转义。需要说明的是,这是一个需要后台管理员权限的漏洞(post-auth RCE),但配合弱口令、CSRF 或 XSS 就能把后台权限升级为服务器上的代码执行。

我们到后台,如图所示:

![38.png](https://images.seebug.org/upload/201409/121724087959b6360fffe601a503704af392abb1.png)

我们再看看缓存文件是否生成:

![39.png](https://images.seebug.org/upload/201409/1217260066c96f357a94518151c54b65602103ac.png)

![40.png](https://images.seebug.org/upload/201409/121726092ed00e2a698bfb678f456f76bcc7c05c.png)

ok,到这里就演示完毕了。

### 漏洞证明: