Cmseasy v5.5 getshell 0day simple analysis

Source: Internet
Author: User

Yesterday we noticed that someone had published the cmseasy v5.5 arbitrary file upload vulnerability together with an exploit. The vulnerability allows a webshell or other malicious file to be uploaded directly, which is extremely harmful, and no patch has been released yet. Here we give a brief analysis of the vulnerability.

The entry file is located at:

Editor/dialog/imageuser_mt_mt.php/index.php?case=user&act=log:



On this page, you can upload any file to the server.

Check the imageuser_mt_mt.php code:


$_GET = array('case' => 'user', 'act' => 'fckupload');
include_once dirname(__FILE__) . '/index.php';

Including index.php with case and act set this way routes the request. Because the files implementing each cmseasy function live under the \lib\default\ directory, we find the user_act.php file there and locate the fckupload function:


function fckupload_action() {
    $uploads = array();
    if (is_array($_FILES)) {
        $upload = new upload();
        foreach ($_FILES as $name => $file) {
            $uploads[$name] = $upload->run($file);
        }
        $this->view->uploads = $uploads;
    }
    $this->render('../admin/system/fckupload.php');
    exit;
}

Enter the run() function (in \lib\tool\front_class.php):


class upload {
    public $path;
    public $type=array('jpg','gif','png','doc','flv','rar');
    public $max_size=2048000;
    public $min_size=0;
    public $dir='images';
    function run($attachment) {
        $this->max_size=config::get('upload_max_filesize') * 1024000;
        if (!isset($this->url_pre))
            $this->url_pre='upload/'.$this->dir.'/'.date('Ym');
        $this->path=ROOT.'/'.$this->url_pre;
        tool::mkdir($this->path);
        if (!$attachment['name']) {
            return false;
        }
        $new_name=$new_name_gbk=str_replace('.','',Time::getMicrotime()).'.'.end(explode('.',$attachment['name']));
        $content=file_get_contents($attachment['tmp_name']);
        if (!front::checkstr($content)) {
            return false;
        }
        if (strlen($content) >$this->max_size) {
            return false;
        }
        if (!$new_name ||!preg_match('/\.(jpg|gif|png|bmp)$/',$new_name)) {
            return false;
        }
        move_uploaded_file($attachment['tmp_name'],$this->path.'/'.$new_name_gbk);
        $this->save_path=$this->path.'/'.$new_name_gbk;
        if ($_GET['site'] != 'default') {
            $ftp=new nobftp();
            $ftpconfig=config::get('website');
            $ftp->connect($ftpconfig['ftpip'],$ftpconfig['ftpuser'],$ftpconfig['ftppwd'],$ftpconfig['ftpport']);
            $ftperror=$ftp->returnerror();
            if ($ftperror) {
                exit($ftperror);
            }
            else {
                $ftp->nobchdir($ftpconfig['ftppath']);
                $ftp->nobput($ftpconfig['ftppath'].'/'.$this->url_pre.'/'.$new_name,$this->save_path);
            }
        }
        return $this->url_pre.'/'.$new_name;
    }
}




At the beginning of the class we can see the allowed upload types, public $type=array('jpg','gif','png','doc','flv','rar');, but $type is never consulted in the subsequent processing. The uploaded temporary file is saved into the target directory by move_uploaded_file.


The whole flow is far too obvious; the vulnerability looks more like a backdoor someone left behind than an accident.
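As an added example (not part of the original article and not cmseasy code), the following Python script looks for this upload path in web server access logs from a defender's perspective: it flags requests to the entry file named above, requests that reach the fckupload action through index.php, and files with a non-image extension being served from the upload/images/YYYYMM directory that run() writes to. The log lines are constructed for illustration, and the Apache "combined" layout and the IP addresses are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?case=user&act=login HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /editor/dialog/imageuser_mt_mt.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /upload/images/202310/1696946162123456.php HTTP/1.1" 200 71 "-" "curl/7.68.0"
198.51.100.2 - - [10/Oct/2023:14:00:10 +0000] "POST /index.php?case=user&act=fckupload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:02:00 +0000] "GET /upload/images/202310/1696946300000000.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Entry file exactly as the article names it (matched case-insensitively below).
ENTRY_FILE = '/editor/dialog/imageuser_mt_mt.php'

# run() stores files as upload/images/<Ym>/<digits>.<ext>; anything served
# from there whose extension is not one of the four image types is suspicious.
UPLOAD_DIR_RE = re.compile(
    r'^/upload/images/\d{6}/\d+\.(?!(?:jpg|gif|png|bmp)$)[A-Za-z0-9]+$', re.IGNORECASE
)


def classify_request(method: str, target: str) -> str:
    """Return a reason string if the request matches one of the three
    indicators, or an empty string if it does not."""
    parts = urlsplit(target)
    path = parts.path.lower()
    qs = parse_qs(parts.query)
    if path == ENTRY_FILE:
        return 'request to upload entry file'
    if path.endswith('/index.php') and qs.get('case') == ['user'] and qs.get('act') == ['fckupload']:
        return 'fckupload action reached via index.php'
    if method == 'GET' and UPLOAD_DIR_RE.match(parts.path):
        return 'non-image file served from upload directory'
    return ''


def find_upload_indicators(log_text: str) -> List[Dict[str, str]]:
    """Scan access log text and return one record per matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined format
        reason = classify_request(m['method'], m['target'])
        if reason:
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'method': m['method'],
                         'target': m['target'], 'status': m['status'], 'reason': reason})
    return hits


if __name__ == '__main__':
    for hit in find_upload_indicators(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['target']} -> {hit['reason']}")
```

The third indicator is the most useful one after the fact: because run() names every stored file with digits derived from the microtime, a request for a digits-only name with a script extension under upload/images/ is a strong sign that an upload succeeded, even if the original POST was not logged.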

Finally, patch suggestions are provided:

In the \lib\tool\front_class.php file, add the following statement just above the move_uploaded_file call, at around line 2665:

if (!$new_name || !preg_match('/\.(jpg|gif|png|bmp)$/', $new_name)) {
    return false;
}
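To see what the suggested patch accepts and rejects, here is an added Python model (not code from the article or from cmseasy) of the three decisions involved: the unpatched run(), which stores the file under a microtime-based name carrying the original file's last extension and checks nothing; the patched run(), which applies the regex above to that stored name; and, for comparison, what the $type whitelist declared at the top of the class would allow if run() actually consulted it. The microtime prefix is a constructed stand-in for Time::getMicrotime(), and the file names are constructed test inputs.

```python
import re
from typing import Dict, Optional

# Whitelist declared by the upload class in front_class.php but never used by run().
DECLARED_TYPES = ('jpg', 'gif', 'png', 'doc', 'flv', 'rar')

# The check from the suggested patch, as written (case-sensitive, no /i flag).
PATCH_PATTERN = re.compile(r'\.(jpg|gif|png|bmp)$')

# Constructed stand-in for str_replace('.', '', Time::getMicrotime()).
MICROTIME_PREFIX = '1700000000123456'


def stored_name(original_name: str) -> str:
    """Rebuild $new_name the way run() does: the microtime prefix, a dot, and
    whatever follows the LAST dot of the uploaded name (end(explode('.', ...)))."""
    return f"{MICROTIME_PREFIX}.{original_name.rsplit('.', 1)[-1]}"


def unpatched_run(original_name: str) -> Optional[str]:
    """Unpatched behaviour described in the article: no extension check, the
    temporary file is moved to the stored name unconditionally."""
    if not original_name:
        return None  # run() returns false when $attachment['name'] is empty
    return stored_name(original_name)


def patched_run(original_name: str) -> Optional[str]:
    """Behaviour with the suggested patch: reject unless the stored name ends
    in .jpg, .gif, .png or .bmp."""
    if not original_name:
        return None
    new_name = stored_name(original_name)
    if not new_name or not PATCH_PATTERN.search(new_name):
        return None
    return new_name


def declared_whitelist_run(original_name: str) -> Optional[str]:
    """What $type would enforce if run() compared the extension against it.
    This is an added check for comparison, not something the shipped code does."""
    if not original_name or '.' not in original_name:
        return None
    ext = original_name.rsplit('.', 1)[-1].lower()
    if ext not in DECLARED_TYPES:
        return None
    return stored_name(original_name)


def compare(original_name: str) -> Dict[str, Optional[str]]:
    """Run one uploaded file name through all three decisions."""
    return {
        'unpatched': unpatched_run(original_name),
        'patched': patched_run(original_name),
        'declared_whitelist': declared_whitelist_run(original_name),
    }


if __name__ == '__main__':
    # Constructed test inputs covering the interesting edge cases.
    for name in ('photo.jpg', 'photo.JPG', 'report.doc', 'shell.php', 'noextension'):
        print(f'{name:12} -> {compare(name)}')
```

Two points the comparison makes visible: the patch regex only admits the four image extensions, so the doc, flv and rar types listed in $type are rejected once it is applied, and the match is case-sensitive, so photo.JPG is rejected as well. Whether either is acceptable should be decided deliberately rather than inherited from the one-line fix.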
