QCMS V2.0 Command Execution and Path Disclosure Vulnerability
QCMS is a small website management system. It comes in several builds, including ASP + ACCESS, ASP + SQL, and PHP + MYSQL. Today our team took a look at QCMS for vulnerabilities, and we share the whole bug-hunting process with you.
After downloading the source code, we built a local environment. Various scans and fuzzing runs turned up the following entry in the Apache error log:
PHP Warning: mkdir() [function.mkdir]: Invalid argument in D:\\WWW\\system\\controller\\home.php on line 36
On line 36 of system\controller\home.php there is the mkdir() call that creates the directory.
Its $path argument comes from $thumb, so we trace the $thumb variable upward.
We found that $thumb starts out as an empty string and is then assigned from the $url_arr array.
$url_arr is produced by explode(). In fact, the real root cause of the vulnerability is this line:
$url_arr = explode('_', substr($url, 1, -4));
explode() splits the request URI on _ and stores the pieces in $url_arr.
Next, $url_arr[1] is taken as the image width, $url_arr[2] as the image height, and then the program checks whether $url_arr[3] is null and assigns it to $noWaterMark.
In other words, we must use _ to separate the URL so that $url_arr has more than 2 elements. Otherwise, the program exits directly with a 404.
We set a breakpoint at line 23 and print $url_arr.
When we request http://localhost:8088/11_11_11_11, the program passes the if check on line 19 and continues.
But submitting it this way creates no folder, because $path = dirname($thumb) does not give $path a usable directory. We print the value of $path and check.
It turns out that $path is ".". So what is the value of $thumb?
We found that $thumb is 11_w1_h1_11. Let's take a look at the dirname() function.
It returns the parent directory path with the file name removed. OK, so let's submit a URL like this and see: http://localhost:8088/11_11_111_11/www
After deleting the added var_dump() code and requesting this URL directly, we find that the folder is created successfully.
You may ask why we still get a 404 page. OK, let's look at the code.
After the directory is created, the program checks whether the $filename variable is an existing file. Let's print the file name.
We find that the file name is assembled from the element $url_arr[0] plus the file suffix.
This is a peculiar way of assembling it. Let's see how I splice the pieces together.
I submitted the following URL:
http://localhost:8088/index_11_11_11/.php
It assembles into index.php, the home page.
I submitted http://localhost:8088/lib/config/config_11_11_11/.php
and it assembles into the database configuration file.
$filename is now an existing file name,
so thumbnail generation starts.
Next, the program checks whether the requested image size is in the predefined $size_arr array.
If not, sorry, 404. Let's print the original image size first.
We get the image size. If it is not in the predefined array, execution does not continue. How do we bypass that? Change the image size. We submit the following URL:
http://localhost:8088/lib/config/config_150_150_11/.php
Bypassed successfully. Now exec() runs to generate the thumbnail, and readfile() reads the file:
exec('convert -resize "' . $width . 'x' . $height . '>" ' . $filename . ' ' . $thumb);
convert -resize is the ImageMagick command used to generate thumbnails on Linux, so ImageMagick must be installed first. I therefore set up another LAMP environment and ran: yum -y install ImageMagick
With ImageMagick installed, a thumbnail is generated:
convert -resize "100x100>" /var/www/html/qcms/upload/static/upload/source/20141101/5.png /var/www/html/qcms/upload/static/upload/source/20141101/6.png
This command scales 5.png down to 6.png, at most 100 pixels wide by 100 high.
When I submit http://localhost:8088/lib/config/config_150_150_11/.php,
the program runs convert on lib/config.php and the lib/config/config_w50_h50.php file,
using lib/config/config_w50_h50.php as a thumbnail of lib/config.php.
However, a PHP file cannot be turned into an image thumbnail, so generating the thumbnail file fails, and reading it fails too because the file does not exist. In Firefox this shows up as a broken image.
In IE, the absolute path may be exposed.
I feel that exec('convert -resize "' . $width . 'x' . $height . '>" ' . $filename . ' ' . $thumb); and readfile($thumb); have more exploitation value in these two respects. I hope you can study it together.
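As an added example (not QCMS's own code), here is how the same thumbnail route could be parsed and validated safely: a strict pattern on the URL, a size whitelist compared against $size_arr, a realpath() check that confines the source file to the upload directory (so lib/config.php can never be selected), and escapeshellarg() on every argument passed to convert. The function name safe_thumbnail(), the directory parameters, the allowed extensions and the single-component file name are assumptions.

```php
<?php
// Added example, not QCMS code. safe_thumbnail(), $srcBase and $thumbBase are assumptions.
// Accepts only /<name>_<w>_<h>[_<flag>].<ext> where <name> has no directory separators.
function safe_thumbnail(string $url, array $size_arr, string $srcBase, string $thumbBase): ?string
{
    // Strict shape: no slashes in <name>, digits only for width/height, image extensions only.
    if (!preg_match('#^/([A-Za-z0-9-]+)_(\d{1,4})_(\d{1,4})(?:_(\d))?\.(png|jpe?g|gif)$#i', $url, $m)) {
        return null; // caller answers 404
    }
    $name = $m[1]; $width = $m[2]; $height = $m[3]; $ext = strtolower($m[5]);

    // Only the configured sizes (e.g. "150x150") are allowed; no caller-chosen dimensions.
    if (!in_array($width . 'x' . $height, $size_arr, true)) {
        return null;
    }

    // The source must resolve to a real file inside $srcBase; this blocks lib/config.php.
    $base = realpath($srcBase);
    $filename = realpath($srcBase . '/' . $name . '.' . $ext);
    if ($base === false || $filename === false
        || strpos($filename, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // Thumbnail path is built from validated parts only, never from dirname() of user input.
    $thumb = $thumbBase . '/' . $name . '_w' . $width . '_h' . $height . '.' . $ext;
    if (!is_dir($thumbBase) && !mkdir($thumbBase, 0755, true)) {
        return null;
    }

    // Every shell argument is quoted, so the URL can never add options or commands.
    $cmd = 'convert -resize ' . escapeshellarg($width . 'x' . $height . '>') . ' '
         . escapeshellarg($filename) . ' ' . escapeshellarg($thumb);
    exec($cmd, $output, $rc);
    return ($rc === 0 && is_file($thumb)) ? $thumb : null;
}

// Usage sketch (assumed paths): serve the file only after validation succeeded.
$size_arr = ['100x100', '150x150'];
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '';
$thumb = safe_thumbnail($path, $size_arr,
                        '/var/www/html/qcms/upload/static/upload/source',
                        '/var/www/html/qcms/upload/static/upload/thumb');
if ($thumb === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . mime_content_type($thumb));
readfile($thumb);
```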
Author: TakeDown Team vulnerability researcher MXi4oyu, Arya