Code Audit: Pluck CMS Backend Code Execution Vulnerability
admin.php
Entry point:
When the backend is requested with action=editpage, data/inc/editpage.php is included, which allows an article to be edited:
editpage.php
# save_file writes a PHP file:
The title, content and other parameters received via POST are passed directly to the save_page function:
The sanitize function filters single quotes to prevent a bypass through double escaping:
function save_file($file, $content, $chmod = 0777) {
    $data = fopen($file, 'w');
    // If it's an array, we have to create the structure.
    if (is_array($content) && !empty($content)) {
        $final_content = '<?php'."\n";
        // Each array element becomes a PHP assignment of a single-quoted literal.
        foreach ($content as $var => $value) {
            $final_content .= '$'.$var.' = \''.$value.'\';'."\n";
        }
        $final_content .= '?>';
        fputs($data, $final_content);
    }
    else
        fputs($data, $content);
    fclose($data);
    if ($chmod != FALSE)
        chmod($file, $chmod);
}
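The weakness above is that each value is spliced into a hand-built single-quoted PHP literal, so correctness depends entirely on sanitize stripping every quote. The following is an added example, not Pluck's code, showing a hardened replacement: it uses var_export() (a swapped-in technique, not the sanitize approach the page describes) to emit a valid PHP string literal for any value, validates the variable names, writes atomically, and defaults to 0644 instead of 0777. The function name save_file_hardened, the round_trip helper and the sample input are assumptions constructed for this example.

```php
<?php
// Added example (not Pluck's code): a hardened replacement for save_file.
// Values are serialized with var_export(), which escapes \ and ' itself,
// so no stored value can terminate the literal and be parsed as code.
function save_file_hardened(string $file, $content, int $chmod = 0644): bool {
    if (is_array($content) && !empty($content)) {
        $lines = ['<?php'];
        foreach ($content as $var => $value) {
            // Only well-formed PHP identifiers are accepted as variable names.
            if (!preg_match('/^[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*$/', (string)$var)) {
                return false;
            }
            $lines[] = '$' . $var . ' = ' . var_export((string)$value, true) . ';';
        }
        $data = implode("\n", $lines) . "\n";
    } else {
        $data = (string)$content;
    }
    // Atomic write: a temp file in the same directory is renamed over the target,
    // so readers never see a half-written include file.
    $tmp = $file . '.tmp.' . bin2hex(random_bytes(4));
    if (file_put_contents($tmp, $data, LOCK_EX) === false) {
        return false;
    }
    chmod($tmp, $chmod);
    return rename($tmp, $file);
}

// Helper (hypothetical): write the array, include the result in an isolated
// scope and return the variables it defined, to prove the values round-trip.
function round_trip(array $vars): array {
    $path = sys_get_temp_dir() . '/pluck_example_' . bin2hex(random_bytes(4)) . '.php';
    if (!save_file_hardened($path, $vars)) {
        return [];
    }
    $out = [];
    (function () use ($path, &$out) {
        include $path;
        $out = get_defined_vars();
    })();
    unlink($path);
    unset($out['path'], $out['out']);
    return $out;
}

// Constructed sample input: quotes, backslashes, a newline and a stray
// closing tag, all of which the original string splicing mishandles.
$sample = [
    'title'   => "O'Reilly's \\ 'quoted' title",
    'content' => "line one\n?> still part of the value",
];
echo (round_trip($sample) === $sample) ? "round-trip ok\n" : "round-trip FAILED\n";
```

Because var_export() produces a literal the PHP parser accepts for every string, the stored file cannot be turned into code by the value itself; the remaining defence is the identifier check on $var, which stops a crafted key from injecting text outside the literal.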
In stillness there is thought; in thought there is intent.
------------------------------------------------------------------------------------
mail: 779783493@qq.com