Preface:

I audited this CMS to see whether it had any holes. Fortunately it did: two of them, an SSRF and a file overwrite leading to GETSHELL. The following explains the reasoning behind the audit. The CMS version is 4.2. The vulnerabilities below have been included in CNVD.

Environment Description:

PHP version: 7.0.9.

SSRF:

Auditing by function point: the admin back end has a collection (scraper) function in its toolbar. From experience, this kind of function is a common home for SSRF.

Start a simple HTTP server locally with python3.

Click Next, and sure enough the SSRF exists.

Now for the vulnerability analysis.


The code location is easy to find from the request captured with BurpSuite.

In upload/plugins/sys/admin/Collect.php, Collect->add, the POST parameter cjurl is passed to the $this->caiji->STR() method without any security processing.

$this->caiji->STR();

To locate the method, press Shift twice in a row in PHPStorm (Search Everywhere).

Following the STR method, I found that the URL parameter was passed on to the htmlAll method, so I followed that as well.

The htmlAll method uses curl to request the URL.
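A defensive front end for a curl-based collector like htmlAll, as an added example (this is not CSCMS code; the function names are assumptions). It whitelists the scheme, resolves the host once and pins the checked address into curl so the connection cannot be swapped to a different address after validation, refuses loopback, private, link-local and reserved ranges, disables redirects (a redirect could point back inside), and caps the response size. It targets PHP 7.0, the version used in this audit.

```php
<?php
// Added example, not CSCMS code. A hardened front end for a curl-based
// collector such as htmlAll. Function names are assumptions.

/** True only for globally routable addresses: rejects loopback, RFC 1918,
 *  link-local and reserved ranges for both IPv4 and IPv6. */
function is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/** Parse, whitelist and resolve the collector URL. Returns [host, port, ip]
 *  so the connection uses exactly the address that was checked. */
function validate_collect_url(string $url): array
{
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('malformed or credentialed URL');
    }
    $scheme = strtolower(isset($p['scheme']) ? $p['scheme'] : '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http/https allowed');
    }
    $host = $p['host'];
    // Literal IPv4/IPv6 addresses are checked directly; hostnames are resolved
    // once here and pinned below. gethostbyname() returns the name unchanged on
    // failure, and bracketed IPv6 literals take that same failure path.
    $isLiteral = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $ip = $isLiteral ? $host : gethostbyname($host);
    if (!$isLiteral && $ip === $host) {
        throw new InvalidArgumentException('DNS resolution failed');
    }
    if (!is_public_ip($ip)) {
        throw new InvalidArgumentException('target address is not public');
    }
    $port = isset($p['port']) ? $p['port'] : ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        throw new InvalidArgumentException('port not allowed');
    }
    return [$host, $port, $ip];
}

/** Fetch with redirects disabled, pinned DNS, timeouts and a byte cap. */
function safe_fetch(string $url, int $maxBytes = 2097152): string
{
    list($host, $port, $ip) = validate_collect_url($url);
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"],   // use the checked address only
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body, $maxBytes) {
            $body .= $chunk;
            // Returning fewer bytes than received makes curl abort the transfer.
            return strlen($body) > $maxBytes ? 0 : strlen($chunk);
        },
    ]);
    $ok  = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    if ($ok === false) {
        throw new RuntimeException('fetch failed: ' . $err);
    }
    return $body;
}

// Constructed inputs. The first is the kind of target the write-up reached with
// its local python3 server, the second a private-range address; both are refused
// before curl is called. The third is an RFC 5737 documentation address that
// needs no DNS, so the demo runs offline.
foreach (['http://127.0.0.1:8000/', 'http://10.0.0.5/', 'http://203.0.113.10/'] as $u) {
    try {
        validate_collect_url($u);
        echo "allowed: $u\n";
    } catch (InvalidArgumentException $e) {
        echo "blocked: $u (" . $e->getMessage() . ")\n";
    }
}
```

The address check and the connection must use the same resolved IP; checking a hostname and then letting curl resolve it again is the gap a DNS rebinding attack lives in, which is why CURLOPT_RESOLVE pins the result. Redirects are disabled rather than followed because each hop would otherwise need the same validation.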


File overwrite causes GETSHELL:

This vulnerability was found by backtracking parameter flow from sensitive functions. In upload/CSCMS/app/helpers/common_helper.php, write_file is the sensitive function that writes files; it lives in the same file as the htmlAll used by the SSRF.

Ctrl+Shift+F to find where write_file is called: in upload/plugins/sys/admin/plugins.php, plugins->_route_file calls write_file. Note that note[key]['name'] and note[key]['url'] are string-concatenated into the file contents inside a comment, which we can bypass with a newline.

Next, find where _route_file is called, keep track of whether the value of note is controllable, and find out where the function can be reached. In upload/plugins/sys/admin/plugins.php, plugins->setting_save calls _route_file. Because the function is fairly long, I split it across two images and collapsed the less important parts. The red line marks the point where the _route_file call is made, and at the blue mark 3 you can see where the value of note is picked up; from there the reproduction can begin.

Capture the request with BurpSuite.

Modify the request contents and write in the constructed code. You can see that I used %0a (a newline) to break out of the comment.

In upload/CSCMS/config/dance/rewrite.php you can see that the write succeeded.

To find a reference to rewrite.php, register as a member user, click through the pages, and you will eventually find it in the music section of the personal centre.

Replay the request captured by BurpSuite, and the content is output successfully.

This isn't the end of the story. When I tried to write malicious content, it got escaped.

eval, shell_exec and the like were escaped, but assert was not. Given the problems with assert after PHP 7, I still needed a better way. Rather than reading the escaping code, I achieved RCE using the following method, which relies on the dynamic nature of PHP.
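The two findings in this section share one root cause: user-controlled note name and url values are concatenated into a PHP source file, and the later attempt to patch that by escaping eval, shell_exec and assert fails because PHP will call any function whose name is assembled at runtime, so a blacklist of function names cannot hold. The robust fix is to never place the data in code position at all. The following is an added example of such a generator (not CSCMS code; the function names, regular expressions and return-array layout are assumptions). It whitelists the characters allowed in each field, emits the values through var_export so they are always quoted string literals, and writes the file atomically. It targets PHP 7.0.

```php
<?php
// Added example, not CSCMS code. Replaces "concatenate user data into a PHP
// comment and write_file() it" with a generator that keeps data in a data
// context. Names, patterns and file layout are assumptions.

const ROUTE_NAME_RE = '/^[A-Za-z0-9_\-]{1,64}$/';
const ROUTE_URL_RE  = '/^[A-Za-z0-9_\-\/\.]{1,128}$/';

/** Validate one route entry. Newlines, NUL bytes, "*/" and "<?" never pass
 *  because only a tight character set is allowed; nothing is blacklisted. */
function validate_route_entry(array $entry): array
{
    $name = isset($entry['name']) ? (string) $entry['name'] : '';
    $url  = isset($entry['url'])  ? (string) $entry['url']  : '';
    if (!preg_match(ROUTE_NAME_RE, $name)) {
        throw new InvalidArgumentException('bad route name');
    }
    if (!preg_match(ROUTE_URL_RE, $url) || strpos($url, '..') !== false) {
        throw new InvalidArgumentException('bad route url');
    }
    return ['name' => $name, 'url' => $url];
}

/** Build the rewrite file contents. var_export() emits properly quoted PHP
 *  string literals, so a value can never close a comment or open a tag in
 *  executable position, whatever it contains. */
function build_route_file(array $notes): string
{
    $clean = [];
    foreach ($notes as $entry) {
        $e = validate_route_entry($entry);
        $clean[$e['name']] = $e['url'];
    }
    return "<?php\n"
        . "// generated file, do not edit by hand\n"
        . 'return ' . var_export($clean, true) . ";\n";
}

/** Atomic write: write a temp file beside the target, then rename over it,
 *  so a reader never sees a half-written routes file. */
function write_route_file(string $path, string $contents)
{
    $tmp = $path . '.' . bin2hex(random_bytes(6)) . '.tmp';
    if (file_put_contents($tmp, $contents, LOCK_EX) !== strlen($contents)) {
        @unlink($tmp);
        throw new RuntimeException('write failed');
    }
    if (!rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException('rename failed');
    }
}

// Constructed input. The first entry is a normal route; the second carries the
// newline-into-comment trick from the write-up and is rejected before any file
// is written.
$good = [['name' => 'dance', 'url' => 'dance/list']];
$bad  = [['name' => "x\n*/ no-longer-a-comment", 'url' => 'y']];

echo build_route_file($good);
try {
    build_route_file($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The consuming side then does `$routes = require $path;` and treats the result as an array, never as code. With the values in a data context, the question of which function names to escape disappears, which is the only way to close the gap that the dynamic-call RCE above exploited.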

Conclusion:

This code audit used two general approaches: first, targeted auditing by function point; second, backtracking parameter flow from sensitive functions. What was not used was reading the full code from start to finish. Using PHPStorm makes code auditing much more efficient.