MediPro Latest Version injection vulnerability and background get shell

MediPro Latest Version injection vulnerability and background get shell

MediPro has multiple cms websites with loose filtering and injection vulnerabilities. The background can bypass logon and get shell to obtain server permissions.

/* Er, the official website uses zend-encrypted code by default and needs to be decrypted. */

Baidu is still used by many websites ..

1. Background bypass login Vulnerability

If magic_quotes_gpc is not enabled on the server, log on to the system directly. The background is generally www.xxxx.com/adm/

Username: webmaster 'or 1 = 1 or 'A' = 'A /*

Password: Enter the verification code.



In addition, after magic_quotes_gpc is escaped, the old hacker tried to use methods like % d5 % 27, such:

Username user = admin % d5 % 27 or 1 = 1 limit -- this class

Although the admincheck () function is also bypassed, the user value uploaded by the user is directly used in subsequent setcookies. The result cannot be used in subsequent permission verification, continue.





2. registration page Injection Vulnerability

Where do I register a user? regform. php? Membertypeid = 10, there is an injection vulnerability. The problem code appears on the registration page: regform. php, where $ membertypeid is not filtered, and $ membertypeid is directly used by the subsequent functions.



When escape is not enabled:

Http: // website/regform. php? Membertypeid = 10 WHERE 1 = 2 union select 1, 'Password', "user", 0, 'user', from cms_admin t limit --



If magic_quotes_gpc is enabled and the double quotation marks of "user" are escaped, there is also a relatively cumbersome method:

The general method is to union the cms_member_regform_10 table and display the values in the formcolname field (note: this field is the registered item field. This is required because the items on the registration page are dynamically generated. Otherwise, the Administrator account and password cannot be displayed.

For details, see the illustration below.



3. get shell in the background

For example, in/adm/temp.inc.php, the Code filters only the content of the uploaded file, such as ". php. xx ", if you are using windows IIS, you can also change the suffix. asp ,. asa, etc;
 

if ( substr( $fname, 0 - 4 ) == ".php" || substr( $fname, 0 - 4 ) == ".exe" ){            err( $strDownNotice11, "", "" );  }

After logging on to the background, access www.xxxxx.com/adm/tempftp.php directly? Fold = default

Upload a sentence: 4. php. xx



Upload path: www.xxxxx.com/templates/default/4.php.xx



Kitchen knife open circuit ~~



Note: The 4. php. xx used for testing has been deleted.

Solution:

Filter parameters to restrict upload.