XerCMS \XerCMS\Services\admin\member.php backend file inclusion and arbitrary SQL statement execution vulnerability

ID SSV:92675
Type seebug
Reporter Anonymous
Modified 2017-02-13T00:00:00


In D:\phpStudy\WWW\xercms\XerCMS\Services\admin\forms.php, the updateTemplate() function reads:

```php
function updateTemplate() {
    $sname = g('sname');                      // template name, taken straight from the request
    $data  = stripslashes(p('content'));      // template body, only stripslashes() is applied
    // $sname is spliced into the path without any validation
    file_put_contents(INC.'Data/forms/template/'.$sname.'.htm', $data);
    $this->tips('finish', dreferer());
}
```

You can see

`file_put_contents(INC.'Data/forms/template/'.$sname.'.htm', $data);` writes a file whose name `$sname` can be controlled, and whose contents `$data` are only passed through stripslashes, so they can also be controlled. The extension is fixed to .htm, so we first write the code into the .htm file and then use the inclusion point below, which includes that .htm file, and the result is getshell. The inclusion point is in the editmember function of D:\phpStudy\WWW\xercms\XerCMS\Services\admin\member.php:

```php
function editmember() {
    $id     = int1(g('id'));
    $model  = g('model', 'personal');          // model name, taken straight from the request
    $member = memberdata($id);
    $member = array_merge($member, i('m.member')->getProperty($id, $model));
    include_once($this->tpl('header.htm'));
    // $model is spliced into an include path without any validation
    include_once($this->tpl('../../../Data/member/model/template/'.$model.'.htm'));
    // ... remainder of the function not shown in the advisory
}
```

You can see here that in

`include_once($this->tpl('../../../Data/member/model/template/'.$model.'.htm'));` the `$model` variable can be controlled, so the .htm file we constructed before can be included, resulting in getshell.
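The root cause in both functions is the same: a request parameter is concatenated into a filesystem path unchecked. The following hardened counterparts are an added example, not XerCMS code; they reuse the helper names from the excerpts above (g(), p(), INC), assume INC ends with a directory separator as the original concatenation implies, and resolve the member template directory relative to INC rather than through $this->tpl().

```php
<?php
// Added hardening example; not XerCMS code. Assumes the helpers g(), p()
// and the INC constant seen in the advisory excerpts.

// Accept only a bare template name: letters, digits, '_' and '-'.
// This rejects '/', '\\', '..', NUL bytes and anything that could
// change the directory or the '.htm' extension.
function safeTemplateName($name)
{
    $name = (string) $name;
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name) === 1 ? $name : null;
}

// Build the template path only from a whitelisted name, anchored to the
// real template directory, so the result cannot leave that directory.
function templatePath($baseDir, $name)
{
    $base = realpath($baseDir);
    $safe = safeTemplateName($name);
    if ($base === false || $safe === null) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $safe . '.htm';
}

// Hardened counterpart of updateTemplate(): an invalid name is refused
// instead of being spliced into the path. The body is still stored as
// given; whether a stored template should ever be include()d at all is
// a separate design question this example does not settle.
function updateTemplateSafe()
{
    $target = templatePath(INC . 'Data/forms/template', g('sname'));
    if ($target === null) {
        return false;                       // reject the request (and log it)
    }
    return file_put_contents($target, stripslashes(p('content'))) !== false;
}

// Hardened counterpart of the include in editmember(): $model must be a
// whitelisted name and the file must already exist under the member
// model template directory; otherwise fall back to the default model.
function memberModelTemplate($model)
{
    $dir  = INC . 'Data/member/model/template';
    $path = templatePath($dir, $model);
    if ($path === null || !is_file($path)) {
        $path = templatePath($dir, 'personal');
    }
    return $path;
}
```

A rejected name should be logged with the requesting account, since a traversal attempt against an admin-only endpoint indicates either a compromised admin session or an authorization bypass elsewhere.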

The second getshell method is simple: the backend can execute arbitrary SQL statements, and this has not been restricted at all, which is not reasonable. The chopper is connected to