Because the file /plugin.php does not filter user-supplied variables, a local file inclusion vulnerability results. The relevant code is as follows.

File plugin.php:

```php
if (isset($_GET['id'])) {
    // The id parameter is split on '-' with no validation of any part
    list($identification, $filename, $action) = explode('-', $_GET['id']);
    $filename = !empty($filename) ? $filename : $identification;
    $action = !empty($action) ? $action : 'init';
}
// $identification is passed on unchanged
$cache = getcache($identification, 'plugins');
```

The value of the variable $identification comes from $_GET['id'] and is passed into the function getcache.

The getcache function is in the file /phpcms/libs/functions/global.func.php:

```php
function getcache($name, $filepath = '', $type = 'file', $config = '') {
    pc_base::load_sys_class('cache_factory', '', 0);
    if ($config) {
        $cacheconfig = pc_base::load_config('cache');
        $cache = cache_factory::get_instance($cacheconfig)->get_cache($config);
    } else {
        $cache = cache_factory::get_instance()->get_cache($type);
    }
    // $name is still the unfiltered $identification
    return $cache->get($name, '', '', $filepath);
}
```

$cache->get() is in the file /phpcms/libs/classes/cache_file.class.php:

```php
public function get($name, $setting = '', $type = 'data', $module = ROUTE_M) {
    $this->get_setting($setting);
    if (empty($type)) $type = 'data';
    if (empty($module)) $module = ROUTE_M;
    $filepath = CACHE_PATH.'caches_'.$module.'/caches_'.$type.'/';
    // The user-controlled $name is concatenated into the file name
    $filename = $name.$this->_setting['suf'];
    if (!file_exists($filepath.$filename)) {
        return false;
    } else {
        if ($this->_setting['type'] == 'array') {
            // The resulting path is included and executed as PHP
            $data = @require($filepath.$filename);
            // ... (the excerpt on the page ends here)
        }
    }
}
```

In the end, the $_GET['id'] variable becomes part of $filename.
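One way to close the path shown above is to validate the identifier before it reaches the cache layer and to confirm that the resolved file stays under the cache directory. This is an added example, not PHPCMS code or the author's; `is_safe_cache_name`, `resolve_cache_file`, the `.cache.php` suffix and the temporary directory tree are assumptions made for the demonstration.

```php
<?php
// Added example, not PHPCMS code. Function names, the suffix and the
// directory layout are assumptions modelled on the excerpt above.

// Accept only a plain identifier: letters, digits, underscore.
function is_safe_cache_name($name): bool
{
    return is_string($name) && preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) === 1;
}

// Build the cache path the way cache_file::get() does, but refuse any name
// that fails validation or resolves outside the cache root.
function resolve_cache_file(string $cacheRoot, string $module, string $name, string $suf)
{
    if (!is_safe_cache_name($name) || !is_safe_cache_name($module)) {
        return false;
    }
    $root = realpath($cacheRoot);
    $path = realpath($cacheRoot . '/caches_' . $module . '/caches_data/' . $name . $suf);
    if ($root === false || $path === false) {
        return false; // missing root or missing cache file
    }
    // Defence in depth: the resolved path must stay under the cache root.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    return $path;
}

// Constructed demo data: a temporary cache tree with one plugin cache file
// and one file outside the expected directory.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/caches_plugins/caches_data', 0700, true);
file_put_contents($root . '/caches_plugins/caches_data/demo.cache.php', "<?php return array('ok' => 1);");
file_put_contents($root . '/outside.cache.php', "<?php return array('ok' => 0);");

// Constructed id values, split the same way plugin.php splits $_GET['id'].
foreach (array('demo-1-1', '../../outside-1-1', "demo\0x-1-1", 'nosuch') as $id) {
    list($identification) = explode('-', $id);
    $file = resolve_cache_file($root, 'plugins', $identification, '.cache.php');
    printf("%-20s => %s\n", addcslashes($id, "\0"), $file === false ? 'rejected' : 'loaded ' . basename($file));
}
```

Only `demo-1-1` resolves to a file; the traversal value, the value containing a NUL byte and the unknown name are all rejected before any `require` could run.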
- http://hellxman.blog.51cto.com/phpcms/plugin.php?id=<controllable file name>-1-1: