90_ posted on 2015-9-18 11:45:00

Getting a shell on mac cms, part two

90sec@Joseph
It all started with a friend on the forum again: last night I audited a shell-write bug, but it didn't feel satisfying enough, so I dug further into the CMS.

Even that painful admin panel can't stop me from getting a shell.
$m = be('get','m');
$xmlpath = MAC_ROOT ."/inc/config/timmingset.xml";
$doc = new DOMDocument();
$doc->formatOutput = true;
$doc->load($xmlpath);
$xmlnode = $doc->documentElement;
$timmingnodes = $xmlnode->getElementsByTagName("timming");

foreach($timmingnodes as $timmingnode){
    // Every field of the scheduled task, including the file to include, is read straight from the XML
    $tname = $timmingnode->getElementsByTagName("name")->item(0)->nodeValue;
    $tdes = $timmingnode->getElementsByTagName("des")->item(0)->nodeValue;
    $tstatus = $timmingnode->getElementsByTagName("status")->item(0)->nodeValue;
    $tfile = $timmingnode->getElementsByTagName("file")->item(0)->nodeValue;
    $tparamets = $timmingnode->getElementsByTagName("paramets")->item(0)->nodeValue;
    $tweeks = $timmingnode->getElementsByTagName("weeks")->item(0)->nodeValue;
    $thours = $timmingnode->getElementsByTagName("hours")->item(0)->nodeValue;
    $truntime = $timmingnode->getElementsByTagName("runtime")->item(0)->nodeValue;

    if(!empty($truntime)) { $oldweek = date('w',$truntime); $oldhours = date('H',$truntime); }
    $curweek = date('w',time());
    $curhours = date("H",time());

    if(strlen($oldhours)==1 && intval($oldhours) <10){ $oldhours = '0'.$oldhours; }
    if(strlen($curhours)==1 && intval($curhours) <10){ $curhours = substr($curhours,1,1); }
    // A task runs when the GET parameter m equals its name, or when it is enabled and due
    if( (!empty($m) && $tname==$m) || ($tstatus==1 && ( empty($truntime) || ($oldweek."-".$oldhours) != ($curweek."-".$curhours) && strpos($tweeks,$curweek)>-1 && strpos($thours,$curhours)>-1)) ) {
        $timmingnode->getElementsByTagName("runtime")->item(0)->nodeValue = time();
        $doc->save($xmlpath);
        $p = array();
        $m = $tparamets;
        $par = explode('-',$m);
        $parlen = count($par);
        $ac = $par[0];      // "[0]" restored here; the forum's BBCode parser stripped it

        $colnum = array('id','pg');
        if($parlen>=2){
            $method = $par[1];  // "[1]" restored here for the same reason
            for($i=2;$i<$parlen;$i+=2){
                $p[$par[$i]] = in_array($par[$i],$colnum) ? intval($par[$i+1]) : urldecode($par[$i+1]);
            }
        }
        if($p['pg']<1){ $p['pg']=1; }
        unset($colnum);
        $db = new AppDb($MAC['db']['server'],$MAC['db']['user'],$MAC['db']['pass'],$MAC['db']['name']);
        include(MAC_ROOT."/inc/timming/".$tfile);   // $tfile is included without any validation
    }
} // closing brace of the foreach, missing from the post
Let me briefly explain what the code does: it opens and parses the XML, assigns its values to the named variables, and finally checks whether the m parameter we requested matches a task name in the XML; if it matches, it enters the if block and performs the file include.


I'll try it with a txt file here; jpg and the like need no explanation from me.
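As an added example (not maccms code), here is a hardened replacement for the include at the end of the snippet above; it assumes MAC_ROOT is defined and that inc/timming/ holds only the task scripts that are meant to be includable.

```php
<?php
// Added example, not part of maccms: restrict the task file to a bare
// *.php name that resolves inside inc/timming/ before including it.
// Assumptions: MAC_ROOT is defined; inc/timming/ holds only task scripts.

function resolveTimmingFile(string $tfile): ?string
{
    $dir = realpath(MAC_ROOT . '/inc/timming');
    if ($dir === false) {
        return null;
    }
    // Only a plain file name ending in .php is acceptable: this rejects
    // "../" traversal as well as uploaded *.txt / *.jpg payloads.
    if (!preg_match('/\A[A-Za-z0-9_]+\.php\z/', $tfile)) {
        return null;
    }
    $path = realpath($dir . DIRECTORY_SEPARATOR . $tfile);
    // realpath() follows symlinks, so confirm the result is still a
    // regular file inside the task directory.
    if ($path === false
        || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// At the include site, refuse and log instead of including blindly.
$path = resolveTimmingFile($tfile);
if ($path === null) {
    error_log('timming: refused task file ' . var_export($tfile, true));
} else {
    include $path;
}
```

Note that the `$tname == $m` branch still lets any visitor fire a task by name; if that is not wanted, the GET trigger should require the same authentication as the admin panel that edits timmingset.xml.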

