0x00 Preface
This article was first posted in a small circle and is recorded here.
The exploit chain as a whole is interesting to construct, but the chance of meeting it in a real penetration test is fairly small.
This is YXCMS version 1.4.6, presumably its last release.
0x01 Starting from an arbitrary file deletion vulnerability
After poking at YXCMS for a while, the holes in the front end had mostly been dug out already, and some of the digging turned up nothing, so I went to the back end. Back-end protection is relatively lax.
An arbitrary file deletion vulnerability was found there.
/protected/apps/admin/controller/filescontroller.php
public function del(){
    $dirs = in($_GET['fname']);
    $dirs = str_replace(',', '/', $dirs);
    $dirs = ROOT_PATH . 'upload' . $dirs;
    if(is_dir($dirs)){
        del_dir($dirs);
        echo 1;
    }elseif(file_exists($dirs)){
        if(unlink($dirs)) echo 1;
    }else echo 'File does not exist';
}
The code is very simple: receive a file name, concatenate the path, check whether the file exists, and delete it directly. There is no filtering.
Most back-end requests have CSRF protection, but some do not, such as the file deletion here.
So the natural idea is CSRF: send the administrator a link that deletes install.lock, reinstall the site, and then getshell.
But that makes too much noise and is easily spotted by the administrator.
What we actually want is the administrator's privileges; is there another way to get them?
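For comparison, a hardened form of the del() action above, written as an added example (this is not YXCMS code). It assumes ROOT_PATH and del_dir() exist as in the original and that the login handler stored a random token in $_SESSION['csrf_token']; it requires POST plus that token, and confines the resolved path to the upload directory.

```php
<?php
// Added example, not YXCMS code: a hardened form of the del() action.
// Assumptions: ROOT_PATH is defined by the framework, del_dir() exists as in
// the original, and login stored a random token in $_SESSION['csrf_token'].

function safe_upload_path(string $fname): ?string {
    // Same convention as the original: ',' separates path components.
    $rel  = str_replace(',', '/', $fname);
    $base = realpath(ROOT_PATH . 'upload');
    // realpath() resolves '..' and symlinks, and fails for missing targets,
    // so a non-existent path is rejected here as well.
    $target = ($base === false) ? false : realpath($base . '/' . $rel);
    if ($target === false) {
        return null;
    }
    // Refuse the upload root itself and anything that resolved outside it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target === $base || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function del_hardened(): void {
    // 1. A state-changing action: require POST plus a valid per-session CSRF
    //    token, so an <img src=...> planted in a message cannot trigger it.
    $token = (string)($_POST['token'] ?? '');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || empty($_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $token)) {
        http_response_code(403);
        echo 'invalid request';
        return;
    }
    // 2. Confine the target to the upload directory before touching the disk.
    $path = safe_upload_path((string)($_POST['fname'] ?? ''));
    if ($path === null) {
        echo 'File does not exist';
        return;
    }
    if (is_dir($path)) {
        del_dir($path);
        echo 1;
    } elseif (unlink($path)) {
        echo 1;
    }
}
```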
0x02 An easier approach: a session fixation vulnerability
A brief introduction to session fixation. The core of the hole is that the program uses the session as its authentication mechanism while also exposing a way to set the session_id; after session_start() executes, the session_id determines, key/value style, which session the back end uses.
Consider this scenario: when the administrator logs in, the program creates an authenticated session, and at that moment the session_id is not specified. If there is an interface that lets us specify the session_id, we can set a session_id of our own and attach it to this authenticated session.
Construct a link that requests the session_id setting, get the administrator to click it, and we have the administrator's privileges. (CSRF)
After the attack succeeds, how do we use the session_id we set?
This is something we often see in the front end:
Phpsessid=fdpmos0quo6o7rq69h6v1u6i50;
Once the attack succeeds, set PHPSESSID=<the session_id you chose yourself> and access the back end with that cookie in the request.
YXCMS also has a session fixation vulnerability; see the file protected\include\lib\common.function.php
function session($name = '', $value = ''){ // session fixation
    if(empty($name)){
        return $_SESSION;
    }
    $sessionId = request('request.sessionid');
    if(!empty($sessionId)){ // not empty: set the session_id
        session_id($sessionId);
    }
    if(!isset($_SESSION)){
        session_starts();
    }
    if($value === ''){
        $session = $_SESSION[$name];
    }else if($value == null){
        unset($_SESSION[$name]);
    }else{
        $session = $_SESSION[$name] = $value;
    }
    return $session;
}
Here a request parameter named sessionid is received and passed to session_id().
Now look back at where the session method is called.
User accesses a back-end page -> login and permission check -> the Auth class is called for the check
Follow the check method of the Auth class:
It initializes the session first, then calls the checkLogin method to determine whether the user is logged in.
static public function checkLogin(){
    $groupid = session(self::$config['AUTH_SESSION_PREFIX'] . 'groupid');
    if(!empty($groupid)) return true;
    else return false;
}
The session method is called in checkLogin.
So the whole call chain is clear.
Requesting any back-end page that needs authentication calls the session() method, and sessionid is taken from the request, so we only need the logged-in administrator to click a link like the following to obtain back-end privileges.
Http://demo.yxcms.com/index.php?r=admin/index/index&sessionid=123test
The best way to get an administrator to click your link is to find a back-end XSS.
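The fix is to stop taking the session id from the request and to regenerate the id at login. The helper below is an added example, not YXCMS code: it assumes the framework's session_starts() can be replaced by a plain session_start(), and the session key name 'admin_groupid' is an assumed stand-in for the config-prefixed key used by checkLogin.

```php
<?php
// Added example, not YXCMS code: a session() helper that cannot be fixated.
// Assumptions: callers use it exactly like the original session(); the
// framework's session_starts() is replaced by session_start(); the key
// 'admin_groupid' stands in for self::$config['AUTH_SESSION_PREFIX'].'groupid'.

function session_hardened($name = '', $value = '') {
    // Never take a session id from the request: the cookie PHP issued is the
    // only source, so a link carrying &sessionid=... has no effect at all.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // use_strict_mode makes PHP reject ids it did not create itself, so
        // even a cookie value planted by an attacker yields a fresh session.
        ini_set('session.use_strict_mode', '1');
        ini_set('session.cookie_httponly', '1');
        session_start();
    }
    if (empty($name)) {
        return $_SESSION;
    }
    if ($value === '') {
        return $_SESSION[$name] ?? null;   // read
    }
    if ($value === null) {
        unset($_SESSION[$name]);           // delete (strict null, not ==)
        return null;
    }
    return $_SESSION[$name] = $value;      // write
}

// Called once by the login handler after the password check succeeds:
// the id that existed before authentication (which an attacker may know)
// is discarded, so a pre-set id can never become an authenticated one.
function on_admin_login(int $groupid): void {
    session_hardened();                    // make sure a session is active
    session_regenerate_id(true);
    session_hardened('admin_groupid', $groupid);
}
```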
0x03 Message board pseudo-XSS
After a casual look, I found a pseudo-XSS in the front-end message board: HTML tags can be inserted.
Although it is not a real XSS, it is sufficient. Using an IMG tag to launch the request is just enough for our session fixation.
There is also a drawback: in a real scenario, after you leave the message, how do you know when the administrator has triggered it?
Is there a way to be notified immediately?
Actually, there is.
We can put a redirect script on our public server, then write another script there that records accesses to the redirect script (give it a complicated name so scanners will not find it) and sends us an email as soon as it is hit.
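From the defender's side, the same trigger leaves a trace in the web server's access log: an admin route requested with a sessionid parameter, typically with the site's own message page as referer. The script below is an added example, not part of the original post; the log lines, IPs and the message route in the referer are constructed samples in combined log format.

```php
<?php
// Added example, not from the original post: flag access-log lines where an
// admin route was requested together with a sessionid parameter.
// All log lines below are constructed samples (combined log format).
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /index.php?r=admin/index/index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:10:00:02 +0000] "GET /index.php?r=admin/index/index&sessionid=123test HTTP/1.1" 200 512 "http://demo.yxcms.com/index.php?r=default/message" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:10:00:03 +0000] "GET /index.php?r=default/index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

function find_fixation_attempts(string $log): array {
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // fields: ip ident user [time] "METHOD url PROTO" status bytes "referer"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d+ \d+ "([^"]*)"/', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $method, $url, $referer] = $m;
        parse_str(parse_url($url, PHP_URL_QUERY) ?? '', $params);
        // compare parameter names case-insensitively, in case the framework does
        $params = array_change_key_case($params, CASE_LOWER);
        $route  = $params['r'] ?? '';
        if (strncasecmp($route, 'admin/', 6) === 0 && isset($params['sessionid'])) {
            $hits[] = [
                'ip'        => $ip,
                'time'      => $ts,
                'sessionid' => $params['sessionid'],
                // a referer on the site's own pages points at the planted IMG tag
                'referer'   => $referer,
            ];
        }
    }
    return $hits;
}

foreach (find_fixation_attempts(SAMPLE_LOG) as $h) {
    printf("ALERT %s %s sessionid=%s referer=%s\n",
           $h['time'], $h['ip'], $h['sessionid'], $h['referer']);
}
```

Only the second sample line is reported; the two hits on admin routes without a sessionid parameter are ignored.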
0x04 Back-end getshell
Finally, the back-end getshell; once you have the privileges it is actually very simple.
There is a template editor in the back end where you can getshell directly.
Edit a template, add the shell code, visit the home page, and you have a shell.
0x05 Summary
Through the front-end message board, a pseudo-XSS is planted in the back end; an IMG tag initiates the CSRF session-fixation request; a redirect script in the middle records when privileges are obtained; and after logging in to the back end, the template editing function makes getshell easy.
Good fun!
[Code audit] YXCMS: from pseudo-XSS to getshell