Code audit: Pluck CMS back-end code execution vulnerability

admin.php entry point:

With the back-end action=editpage, data/inc/editpage.php is included and a page can be edited:

editpage.php # save file: writes a PHP file:

The POST parameters (title, content, etc.) are passed straight to the save_page function:

The sanitize function filters single quotes to prevent a bypass through secondary escaping:

function save_file($file, $content, $chmod = 0777) {
	$data = fopen($file, 'w');

	//If it's an array, we have to create the structure.
	if (is_array($content) && !empty($content)) {
		$final_content = '<?php'."\n";
		foreach ($content as $var => $value) {
			// Both the key ($var) and the value are concatenated directly into
			// PHP source; the only wrapping added here is a pair of single quotes.
			$final_content .= '$'.$var.' = \''.$value.'\';'."\n";
		}
		$final_content .= '?>';

		fputs($data, $final_content);
	}

	else
		fputs($data, $content);

	fclose($data);
	if ($chmod != FALSE)
		chmod($file, $chmod); // default 0777 leaves the written file world-writable
}
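As an added example (my own code, not Pluck's), a hardened replacement for save_file: values are emitted with var_export(), which escapes quotes and backslashes itself, keys are checked to be valid PHP identifiers before they become variable names, and the file mode defaults to 0644 instead of 0777. The function name and the sample page data are assumptions.

```php
<?php
// Added example, not part of Pluck CMS: a hardened variant of save_file().
function save_file_hardened(string $file, $content, int $chmod = 0644): bool {
    if (is_array($content) && !empty($content)) {
        $final_content = "<?php\n";
        foreach ($content as $var => $value) {
            // Keys become PHP variable names, so only accept valid identifiers.
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $var)) {
                return false;
            }
            // Only scalars (or null) are stored; var_export() produces a literal
            // that PHP parses back to exactly the same value.
            if (!is_scalar($value) && $value !== null) {
                return false;
            }
            $final_content .= '$' . $var . ' = ' . var_export($value, true) . ";\n";
        }
    } else {
        $final_content = (string) $content;
    }

    // Write to a temp file in the same directory, then rename atomically, so a
    // crash or a concurrent request never leaves a half-written PHP file behind.
    $tmp = tempnam(dirname($file), 'pluck');
    if ($tmp === false || file_put_contents($tmp, $final_content, LOCK_EX) === false) {
        return false;
    }
    chmod($tmp, $chmod); // 0644: readable by the web server, writable by the owner only
    return rename($tmp, $file);
}

// Constructed sample input: a title containing a quote and a backslash, which
// the string concatenation in the original function would have to escape by hand.
$page = ['title' => "O'Reilly \\ notes", 'content' => 'Hello, <b>world</b>'];
$target = sys_get_temp_dir() . '/pluck_page_example.php';
var_dump(save_file_hardened($target, $page));
echo file_get_contents($target);

// A key that is not an identifier is refused instead of being written into code.
var_dump(save_file_hardened($target, ['bad key' => 'x']));
```

The generated file can be verified with `php -l` before it is ever included; with var_export() the stored strings round-trip unchanged when the file is later required.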

Posted 2019-09-14 02:33 by 卿先生. 432 reads, 0 comments.