Uchome & amp; lt; = 2.0 background GetWebShell Vulnerability

Affected Versions:
Ucenter Home 2.0 (latest official version) + Ucenter 1.5 (latest official version) vulnerability description:
The javascript. PHP file in uchome <= 2.0 has a code execution vulnerability, because the quotation marks are improperly used during regular expression matching, and PHP code can be submitted and executed at will.

In Php, single quotes and double quotes are different:
"" Fields in double quotation marks are interpreted by the compiler and then output as HTML code.
The single quotes are output directly without explanation.

Here, the second value after regular expression matching is in double quotation marks, resulting in code execution.

The Js. php code is as follows:
Include template ("data/blocktpl/$ id ");

$ Obcontent = ob_get_contents ();
Obclean ();

$ S = array ("/(r | n)/", "/<divs + class =" pages ">. +? </Div>/is ","/s + (href | src) = "(. + ?) "/Ie ");
$ R = array ("n", js_mkurl ("1", "2"); // Code Execution

$ Content =;
If ($ obcontent ){
$ Obcontent = preg_replace ($ s, $ r, $ obcontent );
$ Lines = explode ("n", $ obcontent );
Foreach ($ lines as $ line ){
$ Line = addcslashes (trim ($ line ),/);
$ Content. = "document. writeln ($ line); n ";
}
} Else {
$ Content. = "document. writeln (no data )";
}
<* Reference
Http://www.5luyu.cn/article/xinqing/705.htm
*>
Test method:

The Program (method) provided on this site may be offensive and only used for security research and teaching. You are at your own risk! First, I installed a brand new uchome locally .. The premise of this vulnerability is to first obtain the background permissions. You can obtain the administrator password and enter the background through social engineering, bypass, sniffing, and Xss.
Start admincp. php? Ac = block & op = add, select the first to add a module. Enter the Template Name and other default values.

Security suggestions:
Patch officially released