The akcms back-end template getshell I dug up last week felt like nothing new, but after reading the code more carefully I found a more promising hole: a code execution vulnerability. What's more, the problematic function is one the author provides to site builders for secondary development, which amplifies the problem considerably.
0x01. Principle Analysis
The vulnerability lies in the ak_if function in the include\common.func.php file. Look at the code first.
The variable $variable passed as the eval() argument is inserted into the function without any processing. The main purpose of ak_if is to give users a simple interface for logical judgment. Compare this code with version 4.1.
You can see that the eval() call statement differs. In versions earlier than 4.1.4 this function does not call eval() at all; in 4.1.4 the author added this statement so that ak_if could judge more complex logic.
This leads to arbitrary PHP code execution for anyone who controls $variable.
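To make the contrast concrete, here is an added example (constructed for this post, not akcms source, and the function names and the exact form of the eval() call are assumptions): an eval-based conditional helper in the shape the text describes, next to a replacement that evaluates the same kind of simple template condition through a closed grammar with no eval() at all.

```php
<?php
// Constructed illustration (not akcms source): an eval-based conditional
// helper in the shape the post describes, next to a replacement that
// evaluates the same kind of simple condition without eval().

// VULNERABLE PATTERN: the caller-controlled expression is passed straight
// to eval(), so any PHP placed in $variable runs with the application's
// privileges. Shown only to make the contrast explicit; never ship this.
function ak_if_unsafe(string $variable): bool
{
    return (bool) eval("return ($variable);");
}

// HARDENED REPLACEMENT: accept only a closed grammar
//   expr    = clause ( ('&&' | '||') clause )*
//   clause  = operand cmp operand
//   operand = integer | single-quoted string
//   cmp     = == != < > <= >=
// Everything else (variables, function calls, ';', backticks) is rejected.
function ak_if_safe(string $expr): bool
{
    // Tokenize. The trailing \S alternative turns any stray character into
    // its own token so that it fails the operand/operator checks below.
    preg_match_all("/'[^']*'|-?\\d+|==|!=|<=|>=|<|>|&&|\\|\\||\\S/", $expr, $m);
    $tok = $m[0];
    $n   = count($tok);
    // Shape must be: operand cmp operand, then zero or more (logic operand cmp operand).
    if ($n < 3 || ($n - 3) % 4 !== 0) {
        return false;
    }
    $cmpOps = ['==', '!=', '<', '>', '<=', '>='];
    $groups = [[]];   // OR-separated groups of AND-ed clause results
    for ($i = 0; $i < $n; $i += 4) {
        if (!isOperand($tok[$i]) || !in_array($tok[$i + 1], $cmpOps, true) || !isOperand($tok[$i + 2])) {
            return false;
        }
        $groups[count($groups) - 1][] = compareValues(toValue($tok[$i]), $tok[$i + 1], toValue($tok[$i + 2]));
        if ($i + 3 < $n) {
            if ($tok[$i + 3] === '||') {
                $groups[] = [];
            } elseif ($tok[$i + 3] !== '&&') {
                return false;
            }
        }
    }
    // && binds tighter than ||, as in PHP: true if any AND-group is all true.
    foreach ($groups as $g) {
        if (!in_array(false, $g, true)) {
            return true;
        }
    }
    return false;
}

function isOperand(string $t): bool
{
    return (bool) preg_match("/^(?:'[^']*'|-?\\d+)$/", $t);
}

function toValue(string $t)
{
    return $t[0] === "'" ? substr($t, 1, -1) : (int) $t;
}

function compareValues($l, string $op, $r): bool
{
    switch ($op) {
        case '==': return $l == $r;   // loose comparison, as template authors expect
        case '!=': return $l != $r;
        case '<':  return $l < $r;
        case '>':  return $l > $r;
        case '<=': return $l <= $r;
        default:   return $l >= $r;
    }
}

// Demo: two legitimate template conditions and two inputs that smuggle in code.
foreach ([
    "'admin' == 'admin' && 3 > 2",   // ordinary condition
    "1 == 2 || 'x' != 'y'",          // ordinary condition using ||
    "phpinfo()",                     // a function call instead of a comparison
    "'a' == 'a'; phpinfo()",         // valid clause followed by extra code
] as $expr) {
    printf("%-28s => %s\n", $expr, ak_if_safe($expr) ? 'true' : 'false');
}
```

The design point is that the hardened version never hands the string to the PHP interpreter: it tokenizes the input, checks that the token sequence matches the fixed shape, and computes the result itself, so a condition that contains anything beyond quoted strings, integers and the listed operators is simply rejected. If a site builder genuinely needs richer logic than this grammar, the right move is to add tokens to the grammar, not to reintroduce eval().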
0x02. Vulnerability Verification
To reproduce the vulnerability, I downloaded the author's blog system based on akcms 2.4.2 and found this function called in the \cache\templates\%7d%7d3%7d3a5c77%%comments.htm.php template.
After tracking the variables, I found that this template is used when the site owner replies to a visitor's question. Therefore, exploiting this vulnerability requires a back-end account that can reply to visitor questions. For the exploitation process
0x03. Summary
The vulnerable function is provided to the site builder for extension. If the builder uses ak_if to handle input from front-end users, the consequences are unimaginable.
PS: The last time I wrote the akcms template vulnerability audit post, many readers replied asking that the whole audit process be written up for reference. In fact, code auditing is a very boring process: you may spend a week doing your best to read the source code, only to find at the end that it can be summed up in two or three sentences. Over the next couple of days I will summarize the code audit process in a post and share my methods with you.