[Code Audit] phpshe Open Source Mall: Two Backend Arbitrary File Deletions to Getshell

Source: Internet
Author: User

0x00 Background

I spent a long time examining this system and could not find anything in the frontend. The frontend restrictions are very tight.

Data written to the database is processed by mysql_real_escape_string and htmlspecialchars.

No injection was found, and no logic flaw was found either. Leaving practical exploitation aside, this write-up briefly covers two arbitrary file deletion vulnerabilities and the way to get a shell once backend access has been obtained.

0x01 phpshe Program Introduction

phpshe is an open-source mall program. Every place the frontend stores data goes through the pe_dbhold function (a mysql_real_escape_string plus htmlspecialchars filter). Although the program registers request variables as globals, the variables are separated:

each kind of request gets its own variable prefix, so a variable cannot be overwritten by the request, and at the database layer every parameter value is wrapped in single quotes.

So injection is not possible, and with the htmlspecialchars filter on top, not even a single XSS was found.

Uploads use a whitelist with a fixed set of allowed extensions, and uploaded files are renamed using an MD5 of the time plus a large-range random number.

That covers the frontend; now for the backend.

Most of the backend has CSRF defense; only a small number of pages lack it (some query operations, with no practical effect). Almost all backend pages are injectable, but because the program does not display errors,

there is no way to obtain the absolute path through an error message, so injection in the backend is of no practical use. There is no privilege escalation either (the authentication file is passed before backend modules are loaded).

Looking at WooYun, the program's history of vulnerabilities is also sparse; the program did a good job on security.

Now on to the two backend arbitrary file deletions, and how to get a shell with them.

0x02 Backend: Two Arbitrary File Deletions to Getshell

1. File module\admin\db.php (database operations)

The path is concatenated directly from the request and deleted without any filtering. There is CSRF defense, though.

2. File module\admin\moban.php (template operations)

Effectively no filtering here either; there is CSRF token defense.
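Both deletion points above share the same root cause: a file name taken from the request is concatenated onto a directory and passed to unlink(). The following is an added example, not phpshe's own code, showing how such a backend delete handler can be confined to one directory. The parameter name `file`, the directory `data/backup` and the `.sql` extension restriction are assumptions for illustration.

```php
<?php
// Added example (not phpshe code): delete a file named by a request parameter
// only if it resolves to a regular file inside one allowed directory.
// The pattern the write-up describes is effectively unlink($dir . $file) with
// $file taken straight from the request; this function replaces that.

function safe_unlink_in_dir(string $base_dir, string $requested): bool
{
    // Resolve the allowed directory to an absolute, symlink-free path.
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    // Keep only a file name: basename() drops every directory component,
    // so "../" sequences and absolute paths cannot escape $base.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // Restrict the name to the shape this feature manages (assumed: .sql dumps).
    if (!preg_match('/^[A-Za-z0-9_\-]+\.sql$/', $name)) {
        return false;
    }

    // Resolve the candidate and confirm it is still located under $base.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    // Only regular files, never directories or special files.
    if (!is_file($target)) {
        return false;
    }

    return unlink($target);
}

// Usage (the CSRF token check the write-up says these pages already have
// should run before this point; parameter name and directory are assumptions):
// $ok = safe_unlink_in_dir(__DIR__ . '/data/backup', $_POST['file'] ?? '');
```

The two realpath() calls are what make the check robust: the first fixes the boundary, the second resolves whatever the request named (including symlinks) before the prefix comparison, and the basename() step means the comparison is a second line of defense rather than the only one.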

Next, look at the logic of the installation file.

The configuration parameters are written straight into the configuration file without any filtering, so a shell can be obtained by reinstalling. (That is a very disruptive action.)
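The installer problem is a code-injection issue rather than a path one: user-supplied values are spliced into PHP source that is later included. As an added example, not phpshe's own installer code, the following writes installer values as PHP string literals with var_export() and refuses to run once an install lock exists. The config file layout, the key names and the lock file path are assumptions; the page does not show phpshe's actual config format.

```php
<?php
// Added example (not phpshe code). Installer-supplied values are emitted with
// var_export(), so whatever the value contains it can only ever be a quoted
// PHP string literal in the generated file, never executable code.

function render_config(array $values): string
{
    $lines = ['<?php', '// generated by the installer; do not edit by hand', 'return ['];
    foreach ($values as $key => $value) {
        // Keys come from the installer's own fixed list, not from the request;
        // still restrict them to a plain identifier form.
        if (!preg_match('/^[a-z_][a-z0-9_]*$/', (string) $key)) {
            throw new InvalidArgumentException("bad config key: $key");
        }
        // var_export() escapes quotes and backslashes for us.
        $lines[] = '    ' . var_export((string) $key, true)
                 . ' => ' . var_export((string) $value, true) . ',';
    }
    $lines[] = '];';
    return implode("\n", $lines) . "\n";
}

function write_config(string $path, array $values): bool
{
    $src = render_config($values);
    // Write to a temporary file and rename it into place so a half-written
    // config is never picked up by a concurrent request.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $src, LOCK_EX) === false) {
        return false;
    }
    return rename($tmp, $path);
}

// A lock file written at the end of a successful install is a common way to
// block the "reinstall" path the write-up relies on (lock path is assumed).
function installer_locked(string $lock_path): bool
{
    return file_exists($lock_path);
}

// Usage (constructed values; parameter names are assumptions):
// if (installer_locked(__DIR__ . '/install.lock')) { exit('already installed'); }
// write_config(__DIR__ . '/config.php', [
//     'db_host' => $_POST['db_host'] ?? 'localhost',
//     'db_name' => $_POST['db_name'] ?? '',
// ]);
// touch(__DIR__ . '/install.lock');
```

The lock check addresses the "reinstall" step directly and the var_export() rendering addresses the unfiltered write; either alone closes the path the write-up describes, and together they also cover the case where an administrator legitimately re-runs the installer.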

0x03 Summary

I looked at this program for a long time without finding much, so this is just a summary of it.

