# Vulnerability analysis
```php
<?php
!defined('IN_MYMPS') && exit('FORBIDDEN');
require_once MYMPS_DATA."/config.db.php";
require_once MYMPS_INC."/db.class.php";
// $userid is taken from the request by the dispatcher (shown further below)
// and used to look up the member row
$row = $db->getRow("SELECT userpwd,if_corp,id FROM `{$db_mymps}member` WHERE userid = '$userid'");
$password = $row['userpwd'];                       // stored password value, passed straight to the template
$uid = $row['if_corp'] == 1 ? $row['id'] : false;  // corporate members get a store link instead of a space link
include MYMPS_ROOT.'/template/box/member.html';
?>
```
This file looks up the member's password by `userid` and includes the member template at the bottom; next, check whether the template actually outputs that value.
```php
<?php
$admindir = $admindir ? $admindir : '/admin';
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gbk" />
<meta http-equiv="Content-Language" content="zh-CN"/>
<title>powered by mymps</title>
<link href="<?=$mymps_global['SiteUrl']?>/template/global/mymps.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div style="text-align:left; padding:10px 20px">
您选中了会员» <b style="color:red"><?=$userid?></b><br />
<div style="border-top:1px #eee solid; margin-top:10px; padding-top:10px;">
<!-- "Enter member control panel": this href exposes both $admindir and the member's stored $password -->
<a href="..<?=$admindir?>/index.php?do=power&userid=<?=$userid?>&password=<?php echo $password; ?>" target="_blank">进入会员控制面板</a> |
<?php if($uid){?><a href="<?=$mymps_global['SiteUrl']?>/store.php?uid=<?=$uid?>" target="_blank">进入ta的店铺</a> |
<?php }else{?><a href="<?=$mymps_global['SiteUrl']?>/space.php?user=<?=$userid?>" target="_blank">进入ta的空间</a> |
<?php }?><a href="..<?=$admindir?>/pm.php?userid=<?=$userid?>" target="framRight">给ta发短消息</a> |
<a href="..<?=$admindir?>/information.php?keywords=<?=$userid?>&show=userid" target="framRight">ta发布的分类信息</a>
</div>
</div>
</body>
</html>
```
The template discloses the admin directory and writes the `password` value looked up by `userid` into a link, so all that is needed is for `userid` to be attacker-controlled and for this file to be reachable. The dispatcher that includes the box files:
```php
$_GET = mhtmlspecialchars($_GET);
$part = isset($_REQUEST['part']) ? trim(mhtmlspecialchars($_REQUEST['part'])) : '';
$action = isset($_REQUEST['action']) ? trim(mhtmlspecialchars($_REQUEST['action'])) : '';
$ac = isset($_REQUEST['ac']) ? trim(mhtmlspecialchars($_REQUEST['ac'])) : '';
$url = isset($_REQUEST['url']) ? trim(mhtmlspecialchars($_REQUEST['url'])) : '';
// userid comes straight from the request, so it is attacker-controlled
$userid = isset($_REQUEST['userid']) ? trim(mhtmlspecialchars($_REQUEST['userid'])) : '';
$password = isset($_GET['password']) ? trim($_GET['password']) : '';
$admindir = isset($_GET['admindir']) ? trim($_GET['admindir']) : '/admin';
$report_type = isset($_POST['report_type']) ? trim(mhtmlspecialchars($_POST['report_type'])) : '';
$id = isset($_REQUEST['id']) ? intval($_REQUEST['id']) : '';
$uid = isset($_GET['uid']) ? intval($_GET['uid']) : '';
// The only gate on $part shown here is this whitelist, and 'member' is on it
! in_array($part,array('upgrade','shoucang','wap_shoucang','report','do_report','information','checkmemberinfo','sp_testdirs','adminmenu','member','memberinfopost','advertisement','advertisementview','jswizard','custom','iptoarea','goodsorder','score_coin','credits_up','howtogetscore','seecontact','delinfo','qiandao')) && exit('FORBIDDEN');
include MYMPS_INC.'/box/'.$part.'.php';
```
First, `userid` is confirmed to be controllable; second, `part` is confirmed to select which file is loaded, and the whitelist array contains the `member` file examined above.
# Local reproduction
![image|690x423](upload://xhbCq4jdxeYSbhYLeD83DpWuSOC.png)
![image|690x84](upload://gfTnv623DmisGonlC8MFq00Tc4c.png)