Easy Enterprise CMS (yiqicms): analysis of a Getshell vulnerability under specific conditions

ID MYHACK58:62201560309
Type myhack58
Reporter Anonymous
Modified 2015-03-25T00:00:00


Easy Enterprise CMS (yiqicms) is a well-known Chinese website-building system for marketing-oriented business sites, developed on PHP+MySQL. It is free, open source, and SEO-friendly. Recently, Ali's patch monitoring platform Diviner detected that yiqicms has a Getshell vulnerability under specific conditions.

0x01 background

The vulnerable program is yiqicms in versions below 1.8; under some web suites the Getshell vulnerability can be triggered.


0x02 analysis

<?php
error_reporting(E_ALL ^ E_NOTICE);
header("content-type:text/html; charset=utf-8");
require_once '../include/file.class.php';

$step = $_GET["step"];
$action = $_POST["action"];

if($action == "save") // No install.lock-style check guards the installer, so the installation flow can be entered again, which may lead to a reinstall
{
    $dbhost = $_POST["dbhost"];
    $dbname = $_POST["dbname"];
    $dbuser = $_POST["dbuser"];
    $dbpass = $_POST["dbpass"];
    $dbprefix = $_POST["dbprefix"];
    $adminuser = $_POST["username"];
    $adminpass = $_POST["userpass"];

    // .... several lines omitted

    $dbpass= "";

    $configsource = "<?php \n\$cfg_db_host = \"$dbhost\";\n\n". // $dbhost is wrapped in " characters; by planting a specially crafted password or database name, malicious data is passed into $configsource
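
The two weaknesses flagged in the comments above (no install.lock-style check, and request values placed inside a double-quoted string in the generated config file) can be closed as in the following added example. It is not yiqicms code and not part of the original article; the function names, the install.lock and config.inc.php locations, and the $cfg_db_pass variable are assumptions.

```php
<?php
// Added example, not yiqicms code. File names and helper names are assumptions.

// Emit each value as a PHP literal. var_export() returns a single-quoted
// string with \ and ' escaped, so the value cannot close the string or be
// interpolated the way "$var" / "{$expr}" are inside double quotes.
function build_config(array $values): string
{
    $out = "<?php\n";
    foreach ($values as $name => $value) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException('bad config key');
        }
        $out .= '$' . $name . ' = ' . var_export((string) $value, true) . ";\n";
    }
    return $out;
}

function run_install(array $post, string $dir): string
{
    $lock = $dir . '/install.lock';
    if (is_file($lock)) {
        return 'locked';                 // already installed: refuse to run again
    }
    $host = $post['dbhost'] ?? '';
    $pass = $post['dbpass'] ?? '';
    // Allow-list the host field: hostname or IP with an optional port.
    if (!is_string($host) || !is_string($pass)
        || !preg_match('/^[A-Za-z0-9.-]+(:[0-9]{1,5})?$/D', $host)) {
        return 'rejected';
    }
    $src = build_config([
        'cfg_db_host' => $host,
        'cfg_db_pass' => $pass,          // hypothetical variable name
    ]);
    file_put_contents($dir . '/config.inc.php', $src, LOCK_EX);
    file_put_contents($lock, date('c')); // written last, marks completion
    return 'installed';
}

// Constructed demo input: a password holding quote, backslash and $ characters.
$dir = sys_get_temp_dir() . '/installer_demo_' . getmypid();
mkdir($dir);
$post = ['dbhost' => 'localhost', 'dbpass' => 'a"b\\c\'d$e{$f}'];
echo run_install($post, $dir), "\n";
include $dir . '/config.inc.php';
var_dump($cfg_db_pass === $post['dbpass']); // compare stored and submitted value
echo run_install($post, $dir), "\n";        // repeat the request after install
```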
