After studying a CMS for three days, I did not find any vulnerability that can be exploited directly. The ones below are the best I found; perhaps that just shows my own level. Still, I recorded the whole hole-digging process for reference. If you have questions or suggestions, join QQ group 62512676 to discuss and learn.
0x1
This CMS came from the webmaster's site, so I set it up and looked at the code.
It is the latest version, and I don't know whether anyone has audited it before me, so I just started working.
First, read the code starting from the homepage.
It opens several included files, and those in turn include others.
It first defines some constants, which do not matter here. The next step is the includes; the first one is common.inc.php.
Let's take a look at common.inc.php.
I skipped the unimportant code and went straight to the key location.
See the foreach loop here? There is a variable-overwrite problem. If the overwrite can be used it is very useful; maybe it is directly getshell?
So the code here has to be studied carefully...
The next part of common.inc.php includes the other core files:
// Include the configuration file
require_once(WEB_INC . '/config.inc.php');
// Include the database class
require_once(WEB_INC . '/db.class.php');
// Common functions
require_once(WEB_INC . '/function.inc.php');
// Basic model class
require_once(WEB_INC . '/model.class.php');
/* Session save path
$sessionPath = WEB_ROOT . "/data/session";
if (is_writeable($sessionPath) && is_readable($sessionPath))
{
    session_save_path($sessionPath);
}
*/
// Session
session_start();
header("Content-type: text/html; charset=UTF-8");
// Confirm correct installation and connect to the database
$install_check = '';
/*
echo $db_type . '<br/>';
echo $host . '<br/>';
echo $name . '<br/>';
echo $pass . '<br/>';
echo $table . '<br/>';
echo $ut . '<br/>';
*/
if (file_exists(WEB_DATA . 'install.lock')) {
    $db = new DB($db_type, $host, $name, $pass, $table, $ut);
} else {
    $install_check = 'not installed';
    if (WEB_APP != 'install') {
        echo $install_check;
        exit;
    }
}
This part only pulls in the database configuration, some classes and the helper functions,
so I skipped it; there is no security risk here.
Next is the second file included by the homepage,
forbiddenip.inc.php.
This is the forbidden IP address list.
No problem there.
Next, include(WEB_INC . 'close.inc.php');
This file controls opening and closing of the website.
Here:
See? There is a security risk here. I think everyone will ask, where is the security risk???
If $sys['isclose'] == 1, the array variable $sys['closeinfo'] is printed! If that array variable is controllable, we have a chance.
Let me give an example.
Here, $sys is appended at the bottom of this file.
$sys['closeinfo'] is set from the admin back-end. If we can modify it, we can get a webshell.
Then sys.inc.php becomes:
So we can see this is a tragedy: we only need to get into the back-end... and the website directly yields a webshell. This is vulnerability 1.
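The fix for this one is on the side that writes sys.inc.php. The following is an added example and not the CMS's own code; it assumes, as described above, that the admin panel persists $sys['closeinfo'] into a PHP file which close.inc.php later includes and prints (the file path and round trip below are constructed).

```php
<?php
// Added example, not the CMS's own code. It assumes that $sys['closeinfo'] is
// saved from the admin panel into a PHP file (sys.inc.php) which close.inc.php
// later includes and prints from.

// Unsafe shape (the pattern to avoid): interpolating the raw value means a
// single quote in closeinfo ends the string literal and whatever follows
// becomes code in the generated file.
//   $code = "<?php \$sys['closeinfo'] = '" . $sys['closeinfo'] . "';";

// Hardened writer: var_export() produces a PHP literal with quotes and
// backslashes escaped, so admin input always stays inside a string; the key
// allowlist keeps unrelated variables out of the generated file; the
// temp-file-and-rename keeps a half-written file from ever being included.
function writeSysConfig(string $path, array $sys, array $allowedKeys): void
{
    $clean = [];
    foreach ($allowedKeys as $key) {
        if (isset($sys[$key]) && is_scalar($sys[$key])) {
            $clean[$key] = $sys[$key];
        }
    }
    $code = "<?php\n// generated by the admin panel, do not edit by hand\n"
          . '$sys = ' . var_export($clean, true) . ";\n";
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $code, LOCK_EX);
    rename($tmp, $path);
}

// Reader side: include the generated file and HTML-encode the notice before
// printing, so the closure message is rendered as text, never as markup.
function renderCloseNotice(string $path): string
{
    $sys = [];
    include $path;
    if (empty($sys['isclose'])) {
        return '';
    }
    return htmlspecialchars((string) ($sys['closeinfo'] ?? ''), ENT_QUOTES, 'UTF-8');
}

// Constructed round trip with a value that tries to break out of the literal.
$path = sys_get_temp_dir() . '/sys.inc.php';
writeSysConfig($path, ['isclose' => 1, 'closeinfo' => "Back soon'; echo 'x"], ['isclose', 'closeinfo']);
echo renderCloseNotice($path), PHP_EOL;   // shown as plain text, quote included
```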
0x2
Next, the last file included by the homepage:
include(WEB_INC . 'rootstart.inc.php');
Let me analyze it in detail.
If the variables a and c do not exist, the previously defined defaults are used,
and the overwrite problem exists here too.
Therefore both $a and $c are controllable.
Next is the in_array() function, which checks the value against an array.
$controllerName here is $c, and $config['modtype'] was defined earlier, so $c is constrained to the values in $config['modtype'].
So $
If the $filepath file exists, it is included, and the $action part of $filepath can be controlled by the user.
So here we can construct this include.
Truncation also comes into play here. With gpc on, the null byte is blocked and the include can only be pushed through with ./ path-length truncation: 256 on Windows,
more than 4000 on *nix, I forget the exact number.
So this is also a security risk!
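What a safe version of this dispatch looks like, as an added example that is not the CMS's own code: it assumes rootstart.inc.php builds $filepath from a module $c (checked against $config['modtype']) and an action $a and then includes it, as described above; the controller directory and request cases below are constructed.

```php
<?php
// Added example, not the CMS's own code. It assumes the dispatch in
// rootstart.inc.php builds $filepath from a module $c (checked against
// $config['modtype']) and an action $a and then includes it; the controller
// directory below is a constructed fixture in a temp folder.

// Returns the controller file to include, or null when the request is rejected.
function resolveController(string $baseDir, string $c, string $a, array $modtype): ?string
{
    // 1. Strict allowlist match for the module, with no type juggling.
    if (!in_array($c, $modtype, true)) {
        return null;
    }
    // 2. The action must be a plain identifier: no '/', '.', NUL bytes or
    //    long padding, so neither traversal nor the truncation tricks apply.
    if (!preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $a)) {
        return null;
    }
    // 3. Resolve the final path and confirm it still lies inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $c . '/' . $a . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: one valid controller file.
$base = sys_get_temp_dir() . '/controller_demo';
@mkdir($base . '/article', 0700, true);
file_put_contents($base . '/article/list.php', "<?php // constructed controller\n");

$config['modtype'] = ['article', 'product'];
$cases = [
    ['article', 'list'],      // accepted
    ['article', '../list'],   // rejected at step 2
    ['admin', 'list'],        // rejected at step 1
    ['article', 'missing'],   // rejected at step 3: no such file
];
foreach ($cases as [$c, $a]) {
    $path = resolveController($base, $c, $a, $config['modtype']);
    echo "$c/$a: ", $path === null ? 'rejected' : 'include ' . $path, PHP_EOL;
}
```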
0x3
Below is the default case, include\controller.
Some of the files here instantiate some classes.
Then let's look further.
Here an intval() blocks us, so injecting through these two parameters is impossible....
Next comes the switch on $.
The default case is list.
Below is the statement that queries the database.
$where
Let's take a look at $db->execute().
It is in the database class, db.class.php.
Let's look at how he wrote it.
Next, this safesql function processes our SQL statement. I think it is a bit similar to dedecms.
This method is very powerful and can deal with many hackers... ()
You can study it carefully. I just tried it and it still works... if you write a site in the future, you can borrow the methods above.
But he still has some problems here, for instance at the end:
he writes some error messages, because errors cannot be reported here (well, I can't explain it clearly; you can see it in the code).
Therefore, we can directly construct a $log_file variable ending in .php, trigger the vulnerability with some error information, and write our malicious code into it.
This is the file after the trigger... so you can also....
But the premise is that variables can be overwritten.....
Next is show.
The key variables here are also sanitized, so injecting them is not realistic....
In the middle I omitted a lot of code and did not analyze it, so that is the front-end analysis.
The next step is the back-end analysis.
0x4
The back-end is almost...
Let me talk about variable overwrite.
This is the back-end.
Here I thought about the variable: if the code were slightly different, we could log in to the back-end without the website's database.
In fact the variable overwrite only needs the one in common.inc.php;
once it reaches the top layer, we can overwrite the variables.
What is this vulnerability? Baidu it; I only want to demonstrate the process.
Overwrite the variables here.
What we need here is to rebuild a database... then we can use it.
Log in to the back-end directly.
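The root cause of both the close.inc.php issue in 0x1 and the back-end login issue here is the same loop, so one added example covers both. It is not the CMS's own code: the "import every request key as a global" loop is an assumption modelled on the foreach described in 0x1, and $sys stands in for the configuration and login state the application trusts.

```php
<?php
// Added example, not the CMS's own code. The "import every request key as a
// global" loop is an assumption modelled on the foreach described in 0x1;
// $sys stands in for the configuration that close.inc.php and the back-end
// login rely on.

// Vulnerable shape: each request key becomes a global and silently replaces
// whatever common.inc.php defined before it, so a request parameter can
// replace a configuration value or the state the back-end login checks.
function importRequestUnsafe(array $request): void
{
    foreach ($request as $key => $value) {
        $GLOBALS[$key] = $value;
    }
}

// Hardened shape: only named keys are accepted, only as scalars, and they are
// returned in their own array instead of being written over existing globals.
function importRequestSafe(array $request, array $allowed): array
{
    $params = [];
    foreach ($allowed as $key) {
        if (isset($request[$key]) && is_scalar($request[$key])) {
            $params[$key] = (string) $request[$key];
        }
    }
    return $params;
}

// Constructed request: ?sys[isclose]=0&a=list (sys is not a parameter the
// application expects from the client, so it must never reach $sys).
$request = ['sys' => ['isclose' => '0'], 'a' => 'list'];

$sys = ['isclose' => 1, 'closeinfo' => 'Closed for maintenance'];
importRequestUnsafe($request);
// $sys now carries the request's value; the admin's setting has been replaced.
$overwritten = ($sys['isclose'] !== 1);

$sys = ['isclose' => 1, 'closeinfo' => 'Closed for maintenance'];
$params = importRequestSafe($request, ['a', 'c']);
// $sys is untouched and the controller reads $params['a'] instead of $a.
$intact = ($sys['isclose'] === 1 && $params === ['a' => 'list']);

echo $overwritten ? "unsafe loop: configuration overwritten\n" : "unsafe loop: unchanged\n";
echo $intact ? "safe loop: configuration intact\n" : "safe loop: broken\n";
```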
This is the end, so.....
I have been studying this CMS for three days, and my skills are poor.... I couldn't find any big 0-day, but I did find some small problems. From the CMS I could see that the programmers put a lot of effort into preventing injection.
I posted it as a learning process. There are shortcomings in this article; I hope the experts can give some advice and help us learn more....
If you are interested in studying 0day, you can join our group 62512676 to discover and publish 0day together.
It's past 3 o'clock in the morning. If you read this article and don't reply in the forum) m chicken, m chicken...
Haha..... Please give me as many comments as possible. Let's study together.
Text: Xidu