PHP代码审计6-实战漏洞挖掘-xdcms用户注册页面漏洞
xdcms
源码:xdcms v2.0.8
1、配置【安装向导一直点“下一步”即可(仅用于测试环境)】
#数据库账号root,密码为空;管理员账号/密码:xdcms/xdcms
#登录后台
2、查看后台登录页面的配置项【xdcms/admin/index.php】
<!-- The admin entry page does no login handling itself: it forwards the browser to the
     shared front controller ../index.php, selecting module m=xdcms and action c=login. -->
<script>window.location.href = "../index.php?m=xdcms&c=login";</script>
m 参数指定模块;c 参数指定操作
3、查看主页面源码【xdcms/index.php】
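<?php
// Front-controller bootstrap.
//
// The installer writes data/config.inc.php; when it is missing the site is treated as
// not yet installed and the request is redirected to the installer before any other
// code runs. The check is anchored to this file's directory (as the require below
// already is) instead of the process working directory, so a different CWD can no
// longer bounce every request to the installer. Note that this file only tests for
// the config's existence — whether install/ refuses to run again once installed is
// not decided here.
if (!file_exists(__DIR__ . '/data/config.inc.php')) {
    header('location:install/index.php');
    exit();
}

// Path constants and further includes are set up in system/common.inc.php.
require __DIR__ . '/system/common.inc.php';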
4、查看程序配置文件【/system/common.inc.php】
<?php
// Site-level settings.
// CMS_URL    – absolute base URL of the installation.
// TP_FOLDER  – presumably the template set name under the templates directory (TODO confirm).
// TP_CACHE   – presumably a template-cache switch (TODO confirm).
define('CMS_URL', 'http://127.0.0.1/xdcms/');
define('TP_FOLDER', 'xdcms');
define('TP_CACHE', false);
<?php
// Bootstrap: error level, timezone, an include marker, then the directory-layout
// constants the rest of the system builds its paths from.
error_reporting(E_ALL & ~E_NOTICE);
date_default_timezone_set('Asia/Shanghai');
define('IN_CMS', 'true'); // the string 'true', not a boolean — presumably an include guard checked elsewhere
require __DIR__ . '/xdcms.inc.php';

// System directories.
// CMS_PATH is derived by chopping strlen(SYS_DIR) characters off this file's directory,
// so it is only correct while this file lives directly in <root>/system/.
define('SYS_DIR', 'system');
define('TP_DIR', 'templates');
define('CMS_PATH', substr(__DIR__, 0, -strlen(SYS_DIR)));
define('SYS_PATH', CMS_PATH . SYS_DIR . '/');
define('DATA_PATH', CMS_PATH . 'data/');
define('LIB_PATH', SYS_PATH . 'libs/');
define('MOD_PATH', SYS_PATH . 'modules/');
define('FUN_PATH', SYS_PATH . 'function/');
define('TP_PATH', SYS_PATH . TP_DIR . '/');

// Cache directories.
define('CACHE_PATH', CMS_PATH . 'cache/');
define('CACHE_TP_PATH', CACHE_PATH . 'cache_template/');
define('CACHE_SYS_PATH', CACHE_PATH . 'cache_sys/');

// Attachment directory: the physical path attachments are saved under.
define('UPLOAD_PATH', CMS_PATH . 'uploadfile/');
1 <?php 2 3 /** 4 * Project: Smarty: the PHP compiling template engine 5 * File: Smarty.class.php 6 * SVN: $Id: Smarty.class.php 4074 2011-04-22 02:19:14Z uwe.tews@googlemail.com $ 7 * 8 * This library is free software; you can redistribute it and/or 9 * modify it under the terms of the GNU Lesser General Public 10 * License as published by the Free Software Foundation; either 11 * version 2.1 of the License, or (at your option) any later version. 12 * 13 * This library is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 16 * Lesser General Public License for more details. 17 * 18 * You should have received a copy of the GNU Lesser General Public 19 * License along with this library; if not, write to the Free Software 20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 * 22 * For questions, help, comments, discussion, etc., please join the 23 * Smarty mailing list. Send a blank e-mail to 24 * smarty-discussion-subscribe@googlegroups.com 25 * 26 * @link http://www.smarty.net/ 27 * @copyright 2008 New Digital Group, Inc. 28 * @author Monte Ohrt <monte at ohrt dot com> 29 * @author Uwe Tews 30 * @package Smarty 31 * @version 3.0.8 32 */ 33 34 /** 35 * define shorthand directory separator constant 36 */ 37 if (!defined(\'DS\')) { 38 define(\'DS\', DIRECTORY_SEPARATOR); 39 } 40 41 /** 42 * set SMARTY_DIR to absolute path to Smarty library files. 43 * Sets SMARTY_DIR only if user application has not already defined it. 44 */ 45 if (!defined(\'SMARTY_DIR\')) { 46 define(\'SMARTY_DIR\', dirname(__FILE__) . DS); 47 } 48 49 /** 50 * set SMARTY_SYSPLUGINS_DIR to absolute path to Smarty internal plugins. 51 * Sets SMARTY_SYSPLUGINS_DIR only if user application has not already defined it. 52 */ 53 if (!defined(\'SMARTY_SYSPLUGINS_DIR\')) { 54 define(\'SMARTY_SYSPLUGINS_DIR\', SMARTY_DIR . \'sysplugins\' . 
DS); 55 } 56 if (!defined(\'SMARTY_PLUGINS_DIR\')) { 57 define(\'SMARTY_PLUGINS_DIR\', SMARTY_DIR . \'plugins\' . DS); 58 } 59 if (!defined(\'SMARTY_RESOURCE_CHAR_SET\')) { 60 define(\'SMARTY_RESOURCE_CHAR_SET\', \'UTF-8\'); 61 } 62 if (!defined(\'SMARTY_RESOURCE_DATE_FORMAT\')) { 63 define(\'SMARTY_RESOURCE_DATE_FORMAT\', \'%b %e, %Y\'); 64 } 65 66 /** 67 * register the class autoloader 68 */ 69 if (!defined(\'SMARTY_SPL_AUTOLOAD\')) { 70 define(\'SMARTY_SPL_AUTOLOAD\', 0); 71 } 72 73 if (SMARTY_SPL_AUTOLOAD && set_include_path(get_include_path() . PATH_SEPARATOR . SMARTY_SYSPLUGINS_DIR) !== false) { 74 $registeredAutoLoadFunctions = spl_autoload_functions(); 75 if (!isset($registeredAutoLoadFunctions[\'spl_autoload\'])) { 76 spl_autoload_register(); 77 } 78 } else { 79 spl_autoload_register(\'smartyAutoload\'); 80 } 81 82 /** 83 * This is the main Smarty class 84 */ 85 class Smarty extends Smarty_Internal_Data { 86 /** 87 * constant definitions 88 */ 89 // smarty version 90 const SMARTY_VERSION = \'Smarty-3.0.8\'; 91 //define variable scopes 92 const SCOPE_LOCAL = 0; 93 const SCOPE_PARENT = 1; 94 const SCOPE_ROOT = 2; 95 const SCOPE_GLOBAL = 3; 96 // define caching modes 97 const CACHING_OFF = 0; 98 const CACHING_LIFETIME_CURRENT = 1; 99 const CACHING_LIFETIME_SAVED = 2; 100 /** modes for handling of "<?php ... ?>" tags in templates. 
**/ 101 const PHP_PASSTHRU = 0; //-> print tags as plain text 102 const PHP_QUOTE = 1; //-> escape tags as entities 103 const PHP_REMOVE = 2; //-> escape tags as entities 104 const PHP_ALLOW = 3; //-> escape tags as entities 105 // filter types 106 const FILTER_POST = \'post\'; 107 const FILTER_PRE = \'pre\'; 108 const FILTER_OUTPUT = \'output\'; 109 const FILTER_VARIABLE = \'variable\'; 110 // plugin types 111 const PLUGIN_FUNCTION = \'function\'; 112 const PLUGIN_BLOCK = \'block\'; 113 const PLUGIN_COMPILER = \'compiler\'; 114 const PLUGIN_MODIFIER = \'modifier\'; 115 116 /** 117 * static variables 118 */ 119 // assigned global tpl vars 120 static $global_tpl_vars = array(); 121 122 /** 123 * variables 124 */ 125 // auto literal on delimiters with whitspace 126 public $auto_literal = true; 127 // display error on not assigned variables 128 public $error_unassigned = false; 129 // template directory 130 public $template_dir = null; 131 // default template handler 132 public $default_template_handler_func = null; 133 // compile directory 134 public $compile_dir = null; 135 // plugins directory 136 public $plugins_dir = null; 137 // cache directory 138 public $cache_dir = null; 139 // config directory 140 public $config_dir = null; 141 // force template compiling? 142 public $force_compile = false; 143 // check template for modifications? 144 public $compile_check = true; 145 // locking concurrent compiles 146 public $compile_locking = true; 147 // use sub dirs for compiled/cached files? 148 public $use_sub_dirs = false; 149 // compile_error? 
150 public $compile_error = false; 151 // caching enabled 152 public $caching = false; 153 // merge compiled includes 154 public $merge_compiled_includes = false; 155 // cache lifetime 156 public $cache_lifetime = 3600; 157 // force cache file creation 158 public $force_cache = false; 159 // cache_id 160 public $cache_id = null; 161 // compile_id 162 public $compile_id = null; 163 // template delimiters 164 public $left_delimiter = "{"; 165 public $right_delimiter = "}"; 166 // security 167 public $security_class = \'Smarty_Security\'; 168 public $security_policy = null; 169 public $php_handling = self::PHP_PASSTHRU; 170 public $allow_php_tag = false; 171 public $allow_php_templates = false; 172 public $direct_access_security = true; 173 public $trusted_dir = array(); 174 // debug mode 175 public $debugging = false; 176 public $debugging_ctrl = \'NONE\'; 177 public $smarty_debug_id = \'SMARTY_DEBUG\'; 178 public $debug_tpl = null; 179 // When set, smarty does uses this value as error_reporting-level. 180 public $error_reporting = null; 181 // config var settings 182 public $config_overwrite = true; //Controls whether variables with the same name overwrite each other. 183 public $config_booleanize = true; //Controls whether config values of on/true/yes and off/false/no get converted to boolean 184 public $config_read_hidden = false; //Controls whether hidden config sections/vars are read from the file. 
185 // config vars 186 public $config_vars = array(); 187 // assigned tpl vars 188 public $tpl_vars = array(); 189 // dummy parent object 190 public $parent = null; 191 // global template functions 192 public $template_functions = array(); 193 // resource type used if none given 194 public $default_resource_type = \'file\'; 195 // caching type 196 public $caching_type = \'file\'; 197 // internal cache resource types 198 public $cache_resource_types = array(\'file\'); 199 // internal config properties 200 public $properties = array(); 201 // config type 202 public $default_config_type = \'file\'; 203 // cached template objects 204 public $template_objects = null; 205 // check If-Modified-Since headers 206 public $cache_modified_check = false; 207 // registered plugins 208 public $registered_plugins = array(); 209 // plugin search order 210 public $plugin_search_order = array(\'function\', \'block\', \'compiler\', \'class\'); 211 // registered objects 212 public $registered_objects = array(); 213 // registered classes 214 public $registered_classes = array(); 215 // registered filters 216 public $registered_filters = array(); 217 // registered resources 218 public $registered_resources = array(); 219 // autoload filter 220 public $autoload_filters = array(); 221 // status of filter on variable output 222 public $variable_filter = true; 223 // default modifier 224 public $default_modifiers = array(); 225 // global internal smarty vars 226 static $_smarty_vars = array(); 227 // start time for execution time calculation 228 public $start_time = 0; 229 // default file permissions 230 public $_file_perms = 0644; 231 // default dir permissions 232 public $_dir_perms = 0771; 233 // block tag hierarchy 234 public $_tag_stack = array(); 235 // flag if {block} tag is compiled for template inheritance 236 public $inheritance = false; 237 // generate deprecated function call notices? 
238 public $deprecation_notices = true; 239 // Smarty 2 BC 240 public $_version = self::SMARTY_VERSION; 241 // self pointer to Smarty object 242 public $smarty; 243 244 /** 245 * Class constructor, initializes basic smarty properties 246 */ 247 public function __construct() 248 { 249 // selfpointer need by some other class methods 250 $this->smarty = $this; 251 if (is_callable(\'mb_internal_encoding\')) { 252 mb_internal_encoding(SMARTY_RESOURCE_CHAR_SET); 253 } 254 $this->start_time = microtime(true); 255 // set default dirs 256 $this->template_dir = array(\'.\' . DS . \'templates\' . DS); 257 $this->compile_dir = \'.\' . DS . \'templates_c\' . DS; 258 $this->plugins_dir = array(SMARTY_PLUGINS_DIR); 259 $this->cache_dir = \'.\' . DS . \'cache\' . DS; 260 $this->config_dir = \'.\' . DS . \'configs\' . DS; 261 $this->debug_tpl = \'file:\' . SMARTY_DIR . \'debug.tpl\'; 262 if (isset($_SERVER[\'SCRIPT_NAME\'])) { 263 $this->assignGlobal(\'SCRIPT_NAME\', $_SERVER[\'SCRIPT_NAME\']); 264 } 265 } 266 267 /** 268 * Class destructor 269 */ 270 public function __destruct() 271 { 272 } 273 274 /** 275 * fetches a rendered Smarty template 276 * 277 * @param string $template the resource handle of the template file or template object 278 * @param mixed $cache_id cache id to be used with this template 279 * @param mixed $compile_id compile id to be used with this template 280 * @param object $ |null $parent next higher level of Smarty variables 281 * @return string rendered template output 282 */ 283 public function fetch($template, $cache_id = null, $compile_id = null, $parent = null, $display = false) 284 { 285 if (!empty($cache_id) && is_object($cache_id)) { 286 $parent = $cache_id; 287 $cache_id = null; 288 } 289 if ($parent === null) { 290 // get default Smarty data object 291 $parent = $this; 292 } 293 // create template object if necessary 294 ($template instanceof $this->template_class)? 
$_template = $template : 295 $_template = $this->createTemplate ($template, $cache_id, $compile_id, $parent, false); 296 if (isset($this->error_reporting)) { 297 $_smarty_old_error_level = error_reporting($this->error_reporting); 298 } 299 // check URL debugging control 300 if (!$this->debugging && $this->debugging_ctrl == \'URL\') { 301 if (isset($_SERVER[\'QUERY_STRING\'])) { 302 $_query_string = $_SERVER[\'QUERY_STRING\']; 303 } else { 304 $_query_string = \'\'; 305 } 306 if (false !== strpos($_query_string, $this->smarty_debug_id)) { 307 if (false !== strpos($_query_string, $this->smarty_debug_id . \'=on\')) { 308 // enable debugging for this browser session