Thrashed Empire CMS Administrator password

"Empire" CMS is a set of well-known PHP whole station program, is one of the most used PHPCMS programs in the country. Unfortunately, the "Empire", although the strength of the expansion, but ignored the construction of their own protection, the result of the hacker attack, the "Empire" fell. The "Empire" CMS exposes a vulnerability that allows hackers to get an administrator's account password within 1 minutes, and then make it easier to get webshell. Let's go through an intrusion detection with the "Empire" CMS.

Causes of the vulnerability:

All say security is a whole, dikes destroyed in the nest, often a seemingly indestructible website system, in some unnoticed corner of a small negligence, resulting in the entire site was hacked. "Empire" CMS is such a breach, let us first explore the problem.

The problem is in the "Empire" CMS with the message board program, because the message board function compared to the "Empire" CMS is more chicken, so very few webmaster attention to it, but the problem happens in the message board code. Because the variable filter is not strict, hackers can perform some ultra vires operation in the message board, such as reading any value in the data. Of course, to get the administrator's account and password will be a cinch.

Exploitation of vulnerabilities:

Out of Admin account name and password:

There are many sites using the "Empire" CMS, so it's easy to find the goal of testing. We directly open the "Empire" official website:, click on the navigation bar "Services" → "Some cases", here link more than 600 "Empire" CMS site, enough for us to test.

In which we select an open for testing, after the site domain name input: e/tool/gbook/?bid=1 and enter, so that the "Empire" CMS to open the message function. The steps to trigger the vulnerability are:

Step1. Enter at "name": 縗

Step2. Enter at "Contact Mailbox":, 1,1,1, (select Concat (username,0x5f,password,0x5f,rnd) from Phome_enewsuser where userid=1), 1,1,1,0,0,0)/*

Step3. " Message content "Feel free to fill in, enter and click on the" Submit "button.

If the vulnerability is successfully triggered, we will see the admin account name and password in the message list. But do not be happy too early, because the exposure of the password is through the MD5 encrypted 32-bit ciphertext, if it is meaningless to decipher.

Upload Webshell:

After we get the admin account name and password, we can login to the website backstage. After the domain name enter "e/admin/" and return, the Login Verification page appears, enter the account name admin and password to log in.

In the background we click on the "template management" → "Add custom" link. In the "Add Customization" page, we enter the Webshell file name that needs to be established in the "file name", in order to conceal, it is best to take the file name that is close to the website itself, for example listqz.php. Then in the "page content" to enter the contents of the PHP trojan, other items can be filled out, after the input is completed click "Submit". As soon as we visit: ***.com/e/admin/listqz.php This address, an exciting Webshell will appear.

Thrashed Empire CMS Administrator password