Secondary exploitation of a PhpCMS Vulnerability


Author: Flyh4t

PhpCMS has always been known for the number of its vulnerabilities, and the 2008 version carries on that tradition with flaws of varying severity. Below we look at a local file inclusion vulnerability that was patched in later updates; what makes it worth writing up is the way it can be exploited.
The vulnerable code is very simple, and I expect many people can spot the problem at a glance.

pay/respond.php

  require './include/common.inc.php';
  // $code is taken straight from the request (common.inc.php extracts $_GET/$_POST into globals)
  $pay_code = !empty($code) ? trim($code) : '';        // $pay_code is not filtered
  if(empty($pay_code))
  {
      showmessage('verification failed');
  }
  else
  {
      $plugin_file = PHPCMS_ROOT.'pay/include/payment/'.$pay_code.'.php';
      if(is_file($plugin_file))
      {
          include_once($plugin_file);                   // local file inclusion vulnerability
      }
  }


Many people will think this spot is hard to exploit: to cut off the '.php' that is appended to $pay_code you would need a %00 null byte or a long run of '/' (or './') to truncate the path, and both depend on php.ini (null-byte truncation only works with magic_quotes_gpc off, and newer PHP builds reject null bytes in include paths) or on the operating system's path-length limit. In fact none of that is necessary. Combined with other weaknesses in PhpCMS, this local file inclusion can be exploited through a secondary attack that never has to truncate the suffix. Below I give two exploitation methods.

 

Method 1: bypass back-end authentication and turn the inclusion into code execution
Anyone who has read the code of the earlier phpcms2008 releases carefully will have noticed (the latest version seems to have changed this) that the back-end login check lives in admin.php, which then uses the following line to include the files under the admin directory that implement the individual management functions:

 
 
  if(!@include PHPCMS_ROOT.(isset($M['path']) ? $M['path'] : '').'admin/'.$file.'.inc.php') showmessage("The file ./{$M['path']}admin/{$file}.inc.php is not exists!");


To stop non-administrators from requesting the files in the admin directory directly, every file in that directory begins with the following line, and no other permission check is performed inside the files themselves:

 
 
  defined('IN_PHPCMS') or exit('Access Denied');

 

Because of this line we cannot simply request those files directly. The constant IN_PHPCMS is defined in /include/common.inc.php, as follows:

 
 
  define('PHPCMS_ROOT', str_replace("\\", '/', substr(dirname(__FILE__), 0, -7)));
  define('MICROTIME_START', microtime());
  define('IN_PHPCMS', TRUE);

 

Now look back at the vulnerable respond.php: its first line includes /include/common.inc.php, so IN_PHPCMS is already defined by the time include_once() runs and the guard in the admin files is satisfied. In theory, then, we can use the local file inclusion to include files under the admin directory and drive the back-end management functions directly, without ever logging in. In practice we also have to consider that some functions used by those back-end files may be defined in admin.php itself, so we could run into undefined-function errors; luckily PhpCMS spares us that problem here. Check the code:
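The following Python script is an added example of my own, not PhpCMS code and not the author's. It models the path that respond.php builds and tries the payloads discussed above (the truncation problem from the earlier paragraph and the admin-file traversal from this one) against a constructed copy of the install tree in a temporary directory. It shows why the forced '.php' suffix defeats a plain /etc/passwd include unless the path is truncated, why a traversal to admin/template.inc still passes is_file() because the target really is a .php file under the web root, and what a hardened lookup (name whitelist plus a realpath containment check, my suggested fix rather than the vendor's patch) does with the same input. The directory layout, the plug-in name 'alipay' and the whitelist pattern are assumptions.

```python
import os
import re
import shutil
import tempfile

# Relative plug-in directory hard-coded in pay/respond.php; PHPCMS_ROOT is the
# install directory (common.inc.php derives it from dirname(__FILE__)).
PAYMENT_DIR = "pay/include/payment/"


def build_plugin_path(root, code):
    """Mirror of $plugin_file = PHPCMS_ROOT.'pay/include/payment/'.$pay_code.'.php'.

    $pay_code is only trim()'d, so '../' sequences in $code pass straight through.
    The result is normalised so the effect of a traversal is visible.
    """
    return os.path.normpath(os.path.join(root, PAYMENT_DIR + code.strip() + ".php"))


def vulnerable_target(root, code):
    """What include_once() would load: the built path if is_file() passes, else None."""
    path = build_plugin_path(root, code)
    return path if os.path.isfile(path) else None


# Hardened lookup (assumption: plug-in names are short lowercase identifiers,
# which fits names like 'alipay' but is my choice, not the vendor's fix).
PLUGIN_NAME = re.compile(r"^[a-z0-9_]{1,32}$")


def safe_target(root, code):
    """Whitelist the name, then confirm the resolved file still lives in the plug-in directory."""
    code = code.strip()
    if not PLUGIN_NAME.match(code):
        return None
    plugin_dir = os.path.realpath(os.path.join(root, PAYMENT_DIR))
    path = os.path.realpath(os.path.join(plugin_dir, code + ".php"))
    if os.path.dirname(path) != plugin_dir or not os.path.isfile(path):
        return None
    return path


def demo():
    """Create a constructed install tree and try the payloads discussed in the text."""
    root = tempfile.mkdtemp()
    try:
        for rel in ("pay/include/payment/alipay.php", "admin/template.inc.php"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("<?php defined('IN_PHPCMS') or exit('Access Denied');\n")

        return {
            # the legitimate case: a real payment plug-in
            "alipay": vulnerable_target(root, "alipay"),
            # classic LFI: the appended '.php' turns it into /etc/passwd.php, which is not a file
            "passwd": vulnerable_target(root, "../../../../../../../../../../etc/passwd"),
            # secondary exploitation: three '../' climb from payment/ back to PHPCMS_ROOT,
            # and admin/template.inc.php really exists, so is_file() passes
            "admin": vulnerable_target(root, "../../../admin/template.inc"),
            # the same two inputs against the hardened lookup
            "admin_hardened": safe_target(root, "../../../admin/template.inc"),
            "alipay_hardened": safe_target(root, "alipay"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:16s} -> {target}")
```

Running the script prints one line per payload; the 'passwd' and 'admin_hardened' entries come back as None, while 'admin' resolves to admin/template.inc.php inside the install tree, which is exactly the file the next section examines.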

admin/template.inc.php

 
 
  defined('IN_PHPCMS') or exit('Access Denied');

  // include the template function file
  if($action != 'tag' && $action != 'preview') require_once 'template.func.php';

  // initialise a bunch of variables
  if(!$forward) $forward = HTTP_REFERER;
  $module = isset($module) ? $module : 'phpcms';
  $project = isset($project) ? $project : TPL_NAME;
  $templatedir = TPL_ROOT.$project.'/'.$module.'/';
  $projects = cache_read('name.inc.php', TPL_ROOT);
  // cache_read() is available because common.inc.php has already included the file that defines it