PbootCMS Getshell PoC

When we download the source, we can find the file PbootCMSDoc.CHM in the absolute directory.

PbootCMSDoc.CHM is the development manual.

In it we find this:

This means that we can use PHP code inside the IF label {pboot:if(php code)}{/pboot:if}.

Vulnerable file: \apps\home\controller\ParserController.php. The IF label code is at lines 1273-1300.

The key point is at line 1283.

The eval() call executes the PHP code supplied through the IF label {pboot:if(php code)}{/pboot:if}, and the function parserIfLabel() applies no filter function before calling eval(). So the one remaining step is finding a place where the IF label {pboot:if(php code)}{/pboot:if} can be used.
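An added example, not PbootCMS code and not part of the original write-up: one way to close this from the defender's side is to evaluate IF label conditions with a strict allowlist parser instead of eval(). It assumes PHP 8 and that a condition is a single comparison between two literals; the names evalCondition, renderIfLabels and some_function are hypothetical.

```php
<?php
// Added example, not PbootCMS code. Requires PHP 8 (match, union types).
// Assumption: a condition is one comparison between two literals.
const IF_LABEL = '/\{pboot:if\((.*?)\)\}(.*?)\{\/pboot:if\}/s';
const OPERAND  = '(\'[^\'\\\\]*\'|"[^"\\\\]*"|-?\d+(?:\.\d+)?)';

// Turn a matched literal token into a PHP string or number.
function literal(string $tok): string|int|float
{
    return ($tok[0] === "'" || $tok[0] === '"') ? substr($tok, 1, -1) : $tok + 0;
}

// Returns true/false for an allowed comparison, null for anything else.
function evalCondition(string $cond): ?bool
{
    $re = '/^\s*' . OPERAND . '\s*(==|!=|<=|>=|<|>)\s*' . OPERAND . '\s*$/';
    if (!preg_match($re, $cond, $m)) {
        return null; // function calls, variables, concatenation: refused
    }
    [$l, $op, $r] = [literal($m[1]), $m[2], literal($m[3])];
    if (is_string($l) !== is_string($r)) { // mixed types: compare as text
        [$l, $r] = [(string) $l, (string) $r];
    }
    $c = is_string($l) ? strcmp($l, $r) : $l <=> $r;
    return match ($op) {
        '==' => $c === 0, '!=' => $c !== 0,
        '<'  => $c < 0,   '<=' => $c <= 0,
        '>'  => $c > 0,   '>=' => $c >= 0,
    };
}

// Replace every IF label with its body (condition true) or nothing.
function renderIfLabels(string $tpl): string
{
    return preg_replace_callback(IF_LABEL, function (array $m): string {
        $ok = evalCondition($m[1]);
        if ($ok === null) { // fail closed and leave an audit trail
            error_log('rejected IF label condition: ' . json_encode(substr($m[1], 0, 80)));
        }
        return $ok ? $m[2] : '';
    }, $tpl) ?? '';
}

// Constructed sample: one legitimate label, one carrying a function call.
$tpl = "{pboot:if('2'=='2')}shown{/pboot:if}|{pboot:if(some_function())}hidden{/pboot:if}";
echo renderIfLabels($tpl), PHP_EOL;
```

Because nothing in the condition is ever executed, a rejected label is dropped and logged rather than filtered, so there is no blocklist to bypass.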

We found two sites where the PHP code can be inserted.

  • First site http://127.0.0.1/index.php/About/6.html

  • Second site http://127.0.0.1/admin.php/Site/index.html

  • result: