### Brief description:
CMSEasy: with an administrator account, the back-end cache configuration file fails to filter one character, leading to getshell (3). I'm going to hunt down every back-end shell so you have nowhere left to hide, heh..........
### Detailed description:
Straight to the code:
union_admin.php (lines 123-138):
```php
if (front::post('submit') && $this->manage->vaild()) {
    $this->manage->filter($this->Exc);
    $this->manage->add_before($this);
    $this->manage->save_before();
    $path = ROOT.'/config/union.php';
    $content = file_get_contents($path);
    foreach (front::$post['setting'] as $key => $val) {
        // key and value from the request are interpolated into both the regex and the replacement
        $content = preg_replace("/'$key'=>'(.*?)',/is", "'$key'=>'$val',", $content);
        //preg_match_all("/'".$key."'=>'(.*?)',/isu",$content,$out);
        //var_dump($out);
        //$content = str_replace_once($out[1][0],$val,$content);
    }
    //exit;
    // the rewritten PHP source is written back as a config file
    file_put_contents(ROOT.'/config/union.tmp.php', $content);
    if ($_GET['site'] != 'default') {
```
The submitted data passes through this line:
`$content = preg_replace("/'$key'=>'(.*?)',/is","'$key'=>'$val',", $content);`
`\'` is turned into `\\'`, and that is where the problem appears.
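As an added example, not CMSEasy's own code, the in-place rewrite from union_admin.php is placed beside a hardened version. The config file layout, the setting names and the sample value are constructed for the demonstration, and the page's own filter step (which escapes quotes as `\'`) is not modelled. The safe path whitelists the setting name, emits the value through var_export so quotes and backslashes are escaped, and re-tokenizes the generated file so it is only written when it still parses as the same flat array of string settings.

```php
<?php
// Added example, not CMSEasy's code. Config shape, keys and values are constructed.

// The report's pattern: setting name and value go into the regex and the
// replacement unchanged, so a quote in the value ends the PHP string literal.
function rewrite_setting_unsafe(string $content, string $key, string $val): string
{
    return preg_replace("/'$key'=>'(.*?)',/is", "'$key'=>'$val',", $content);
}

// Hardened rewrite: whitelist the name, quote it for the pattern, refuse
// control characters, and emit the value with var_export (escapes \ and ').
// The callback form stops preg_replace from interpreting \ or $n in the value.
function rewrite_setting_safe(string $content, string $key, string $val): string
{
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $key)) {
        throw new InvalidArgumentException("unexpected setting name: $key");
    }
    if (preg_match('/[\x00-\x1f\x7f]/', $val)) {
        throw new InvalidArgumentException("control character in value for $key");
    }
    $pattern = "/'" . preg_quote($key, '/') . "'=>'(.*?)',/s";
    $literal = var_export($val, true);            // it's  ->  'it\'s'
    $new = preg_replace_callback(
        $pattern,
        fn(array $m): string => "'$key'=>$literal,",
        $content,
        1,
        $count
    );
    if ($new === null || $count !== 1) {
        throw new RuntimeException("setting $key not matched exactly once");
    }
    return $new;
}

// Returns the key list if $php is exactly "<?php return array('k'=>'v', ...);"
// with string keys and values, otherwise null. Used as the last check before
// file_put_contents: any breakout (extra entry, function call, second
// statement) changes the token shape or the key list.
function config_keys(string $php): ?array
{
    $seq = [];
    foreach (token_get_all($php) as $t) {
        if (is_array($t)) {
            if ($t[0] === T_WHITESPACE) continue;
            $seq[] = [$t[0], $t[1]];
        } else {
            $seq[] = [$t, $t];
        }
    }
    $head = [T_OPEN_TAG, T_RETURN, T_ARRAY, '('];
    foreach ($head as $k => $id) {
        if (($seq[$k][0] ?? null) !== $id) return null;
    }
    $keys = [];
    $i = count($head);
    while (($seq[$i][0] ?? null) === T_CONSTANT_ENCAPSED_STRING) {
        if (($seq[$i + 1][0] ?? null) !== T_DOUBLE_ARROW
            || ($seq[$i + 2][0] ?? null) !== T_CONSTANT_ENCAPSED_STRING
            || ($seq[$i + 3][0] ?? null) !== ',') {
            return null;
        }
        $keys[] = $seq[$i][1];
        $i += 4;
    }
    if (($seq[$i][0] ?? null) !== ')' || ($seq[$i + 1][0] ?? null) !== ';'
        || isset($seq[$i + 2])) {
        return null;
    }
    return $keys;
}

// Constructed config and a value that closes the literal and adds an entry.
$config = "<?php\nreturn array(\n'union_on'=>'1',\n'union_code'=>'abc',\n);\n";
$evil   = "x', 'injected'=>'y";

foreach (['unsafe' => rewrite_setting_unsafe($config, 'union_code', $evil),
          'safe'   => rewrite_setting_safe($config, 'union_code', $evil)] as $name => $new) {
    $keys = config_keys($new);
    $ok = $keys !== null && $keys === config_keys($config);
    // only an accepted result should ever reach file_put_contents()
    printf("%s rewrite: %s\n%s\n", $name, $ok ? 'accepted' : 'REJECTED, not written', $new);
}
```

The unsafe rewrite produces a file whose key list now contains `injected`, so the check rejects it; the safe rewrite stores the whole value as one escaped string literal and the key list is unchanged. Regenerating the file from an array with var_export instead of patching PHP source with regexes removes the problem entirely and is the better long-term fix.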
Now go to the back end, as shown:
![38.png](https://images.seebug.org/upload/201409/121724087959b6360fffe601a503704af392abb1.png)
Then check whether the cache file has been generated:
![39.png](https://images.seebug.org/upload/201409/1217260066c96f357a94518151c54b65602103ac.png)
![40.png](https://images.seebug.org/upload/201409/121726092ed00e2a698bfb678f456f76bcc7c05c.png)
OK, that completes the demonstration.
### Proof of vulnerability: