PHPCMS V9 admin backend design flaw leads to arbitrary code execution vulnerability

2016-09-18T00:00:00
ID SSV:92422
Type seebug
Reporter Root
Modified 2016-09-18T00:00:00

Description

Source link: http://www.cnbraid.com/

0x01 Background

Because exploiting it requires super administrator privileges in a default installation, this vulnerability is of limited practical value, but the same pattern probably exists in other CMSes, so this post mainly shares the hunting approach. PS: the test environment is PHP 5.6 (the magic_quotes_gpc option has already been removed in that version).

0x02 Vulnerability analysis

The vulnerability originates in the uc() function of site\phpsso_server\phpcms\modules\admin\system.php:

<?php
public function uc() {
    if (isset($_POST['dosubmit'])) {
        // $data comes straight from the POST body; no key or value validation
        $data = isset($_POST['data']) ? $_POST['data'] : '';
        $data['ucuse'] = isset($_POST['ucuse']) && intval($_POST['ucuse']) ? intval($_POST['ucuse']) : 0;
        $filepath = CACHE_PATH.'configs'.DIRECTORY_SEPARATOR.'system.php';
        $config = include $filepath;
        $uc_config = '<?php '."\ndefine('UC_CONNECT', 'mysql');\n";
        foreach ($data as $k => $v) {
            $old[] = "'$k'=>'".(isset($config[$k]) ? $config[$k] : $v)."',";
            $new[] = "'$k'=>'$v',";
            // $k is only uppercased, $v is untouched; both land in PHP source
            $uc_config .= "define('".strtoupper($k)."', '$v');\n";
        }
        $html = file_get_contents($filepath);
        $html = str_replace($old, $new, $html);
        $uc_config_filepath = CACHE_PATH.'configs'.DIRECTORY_SEPARATOR.'uc_config.php';
        // The generated source is written to the cache directory and later included
        @file_put_contents($uc_config_filepath, $uc_config);
        @file_put_contents($filepath, $html);
        $this->db->insert(array('name'=>'ucenter', 'data'=>array2string($data)), 1,1);
        showmessage(L('operation_success'), HTTP_REFERER);
    }
    $data = array();
    $r = $this->db->get_one(array('name'=>'ucenter'));
    if ($r) {
        $data = string2array($r['data']);
    }
    include $this->admin_tpl('system_uc');
}
...

The POSTed $data array is iterated key by key, and each pair is appended to the $uc_config variable in the following form:

$uc_config .= "define('".strtoupper($k)."', '$v');\n";

The only processing applied above is converting $k to uppercase; $v is neither validated nor escaped, and the resulting string is then written to yoursite\phpsso_server\caches\configs\uc_config.php. It should therefore be possible to craft a one-line PHP webshell that gets written into uc_config.php, yielding a webshell.
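As an added example, not code from PHPCMS or from the original post, the following hardened writer shows how the define() lines could be generated safely: constant names are restricted to plain identifiers and values are emitted with var_export(), so neither key nor value can close the string literal and inject PHP into the generated file. The function name, the sample keys and the sample value are assumptions.

```php
<?php
// Added example (not PHPCMS code): a hardened builder for uc_config.php.
// The original concatenates $k and $v straight into PHP source; here the
// key must match a strict identifier pattern and the value is serialised
// with var_export(), which escapes quotes and backslashes for us.
function build_uc_config_safe(array $data): string
{
    $out = "<?php\ndefine('UC_CONNECT', 'mysql');\n";
    foreach ($data as $k => $v) {
        // Only letters, digits and underscores may become a constant name,
        // so a key can never carry quotes, parentheses or a PHP close tag.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', (string) $k)) {
            throw new InvalidArgumentException('Rejected config key: ' . var_export($k, true));
        }
        // Nested arrays are not valid settings and must not be flattened blindly.
        if (!is_scalar($v) && $v !== null) {
            throw new InvalidArgumentException("Non-scalar value for key $k");
        }
        // var_export() produces a proper single-quoted PHP string literal.
        $out .= "define('" . strtoupper($k) . "', " . var_export((string) $v, true) . ");\n";
    }
    return $out;
}

// Constructed sample input (assumed keys): the value carries a single quote,
// which the original code would have written unescaped into the file.
$sample = ['uc_dbhost' => 'localhost', 'uc_dbpw' => "pa'ss"];
echo build_uc_config_safe($sample);
```

A fixed list of known setting names would be stricter still than the identifier pattern, since the admin form only ever needs a handful of keys.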

0x03 Vulnerability proof

By inspecting uc_config.php, we construct the one-line webshell as follows; modifying the submitted request in the browser's element inspector or through a proxy is sufficient:

Get the shell

This article was compiled and summarised by HackBraid; original link: http://www.cnbraid.com/