PHP CMS code audit in practice: RCE, SQL injection, arbitrary file deletion, arbitrary file upload.


Opened FOFA as usual, confirmed the target, and right-clicked to view the page source. Without any copyright information I couldn't tell which CMS it was. After identifying a fingerprint I searched FOFA with it (this greatly improves the odds of locating the source code), looked around and found what appears to be an official demo site.

Three subdomains were collected.

Checked the source address given on the project's open-source information page.

V1: repeated installation overwrites the configuration file, causing RCE

The CMS uses the old mysql_connect() API. I used PHP 5.4.45; after setup it does not redirect to the installation page automatically, so you have to go to /install/ by hand.

After a normal installation I refreshed the page. The installation options page appeared again, so the site could be installed a second time. Time to analyze the source code.

The source does contain an installed-state check, but I can't find the file it refers to: there is no such folder in the directory.

When parameters are read, only leading and trailing whitespace is stripped. There is no validation or sanitization of any kind (and none follows later either).

The entire configuration file content is built up in the $config_contents variable by string concatenation.

Start with the database name $dbname. The server address, database user name and password are awkward places for special characters. The installer checks whether the database exists and creates it if not, but a database whose name contains special characters cannot be created

unless the database name is quoted with backticks:

create database `database name`;
create database `test'1`;

Prepare a remote MySQL server and create a database with a special name, then reinstall the site:

CREATE DATABASE `'.eval($_GET[333])//`;

The installation is successful.

Opening the page now gives an error: the _mkdir() function is undefined.

Luckily, the _mkdir() call comes after the eval.

Jump to the function definition and copy its signature; the function body is not needed.

The content is as follows:

function _mkdir($dir,$mode=0777){}; system('whoami');

V2: arbitrary file deletion vulnerability + installer overwriting the configuration file causes RCE

Configuration file overwriting causes RCE

An error was reported when the page was first opened: config.php is missing. My guess was that the site had not been installed, so the file was never generated.

Going to /install/ manually, this time there is an installation check based on a lock file. To install again, delete the lock file in the install directory.

Open /install/index.php; write_config() is the function that writes the configuration. Still no filtering or sanitization. Unlike V1 it does not use string concatenation this time; instead the configuration file has moved to /ERP/Config/config.php.

Look at the file template /install/data/config.php: it fills in placeholders by replacement, but there is still no validation or sanitization, so the problem remains.

Also, the database creation statement at line 111 of /install/index.php quotes the name with backticks, so a name containing special characters executes successfully. There is no need to prepare the database in advance.

Delete /install/lock and run the installation to verify the vulnerability.

The same payload as in V1 executes successfully.

If there is a way to remove /install/lock, this becomes unconditional RCE.
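The two installer defects above (V1 building config.php by concatenation, V2 accepting a backticked database name and relying only on a deletable lock file) are fixed together in this added example; it is not the CMS's own code, and install_lock_path(), write_config()'s parameter layout and create_db() are assumptions.

```php
<?php
// Added example (not the CMS's code): a hardened installer write path.

function install_lock_path(): string {
    return __DIR__ . '/lock';   // assumed location, same as the page's /install/lock
}

// Refuse to run the installer at all once the lock exists. V1 had no such
// check; V2 had one but the lock could be removed by the unlink handler.
function assert_not_installed(): void {
    if (file_exists(install_lock_path())) {
        http_response_code(403);
        exit('Already installed.');
    }
}

// MySQL schema names are at most 64 characters; restricting them to
// [A-Za-z0-9_] rules out the quote and backtick characters that let a
// database name break out of the generated PHP or the CREATE statement.
function validate_db_name(string $name): string {
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid database name');
    }
    return $name;
}

// Emit config.php with var_export() instead of string concatenation or a
// template replace: every value becomes a properly escaped PHP literal, so
// no value can close the quote and smuggle in code.
function write_config(string $path, array $params): void {
    $cfg = [
        'dbhost' => (string) $params['dbhost'],
        'dbname' => validate_db_name((string) $params['dbname']),
        'dbuser' => (string) $params['dbuser'],
        'dbpass' => (string) $params['dbpass'],
    ];
    $contents = "<?php\nreturn " . var_export($cfg, true) . ";\n";
    if (file_put_contents($path, $contents, LOCK_EX) === false) {
        throw new RuntimeException('cannot write config');
    }
}

// Quoting with backticks is now safe because the validated name cannot
// contain a backtick.
function create_db(mysqli $db, string $name): void {
    $db->query('CREATE DATABASE IF NOT EXISTS `' . validate_db_name($name) . '`');
    touch(install_lock_path());   // mark the site installed
}
```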

Arbitrary file deletion vulnerability

A global search for unlink leads to upload.class.php. The path is only prefixed with a "." (not "./"), so nothing confines it to a directory.

Follow the _REQUEST() method, which is conveniently permissive: if the parameter is not in GET, it is taken from POST.

The unlink_file() method does no validation either; the file is deleted with unlink().

The dir_replace() method just fixes the directory separator.

Tried accessing index.php/Upload/upload_img_remove/ without logging in: unauthenticated access works. An error is reported only because the deletion failed.
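A contained replacement for the unlink_file() handler described above, added here as an example rather than taken from the CMS; UPLOAD_ROOT, require_login() and reading the parameter only from POST are assumptions.

```php
<?php
// Added example (not the CMS's code): path containment and an auth check
// for the image-removal handler.

const UPLOAD_ROOT = __DIR__ . '/Uploads';   // assumed upload directory

function require_login(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['uid'])) {
        http_response_code(401);
        exit('login required');   // the original handler had no auth check at all
    }
}

// Resolve the requested name inside the upload directory and make sure the
// real path still lies within it, so "../" or "/install/lock" cannot escape.
function contained_path(string $userPath): ?string {
    $root = realpath(UPLOAD_ROOT);
    if ($root === false) {
        return null;
    }
    $real = realpath($root . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($real === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function unlink_file(string $userPath): bool {
    require_login();
    $path = contained_path($userPath);
    // only regular image files inside the upload root are ever deleted
    if ($path === null || !is_file($path)
        || !preg_match('/\.(jpe?g|png|gif)$/i', $path)) {
        error_log('rejected delete request: ' . $userPath);   // worth alerting on
        return false;
    }
    return unlink($path);
}

// Handler entry point: no GET/POST fallback, POST only.
// $ok = unlink_file((string) ($_POST['imgfile'] ?? ''));
```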

Combining into RCE

Accessing /index.php/Upload/upload_img_remove/?imgfile=/install/lock deleted /install/lock successfully.

Access /install/ again. The installation page is displayed.

Install the site again with the same database name as in V1, but this time there is no need to create it yourself.

Success.

(V1, V2) SQL injection vulnerability (same database abstraction class)

Throughout the CMS, SQL statements and their parameters are almost all built by string concatenation, and the parameters are concatenated exactly as received. There is no validation or sanitization.

Framk/Database.class.php -> Database -> findAll();

It can be exploited directly with sqlmap. Passwords are stored in clear text.
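A findAll() that binds its values instead of concatenating them, added as an example (not the Database class from the CMS); the mysqli connection, table and column names are assumptions.

```php
<?php
// Added example (not the CMS's Database class): parameterized findAll().
// Identifiers cannot be bound, so they are whitelisted and backtick-quoted.

function safe_identifier(string $name): string {
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException("bad identifier: $name");
    }
    return '`' . $name . '`';
}

/**
 * @param array<string,scalar> $where  column => value, joined with AND
 * @return array<int,array<string,mixed>>
 */
function findAll(mysqli $db, string $table, array $where = [], int $limit = 100): array {
    $sql = 'SELECT * FROM ' . safe_identifier($table);
    $values = [];
    if ($where) {
        $clauses = [];
        foreach ($where as $col => $val) {
            $clauses[] = safe_identifier($col) . ' = ?';
            $values[] = (string) $val;
        }
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    $sql .= ' LIMIT ?';
    $values[] = $limit;

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    // every WHERE value is bound as a string; LIMIT is bound as an integer
    $types = str_repeat('s', count($values) - 1) . 'i';
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// A login lookup: a quote in the submitted value is data, not SQL.
// $rows = findAll($db, 'admin', ['username' => $_POST['u'] ?? '']);
// (compare the stored password with password_verify(), never in clear text)
```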

(V1, V2) Unauthenticated arbitrary file upload vulnerability (same base class)

A global search for move_uploaded_file finds Crm/Action/Upload.class.php -> Upload -> upload_img_save(). It splits the file name from its extension without validating either, then generates a new file name and appends the original extension. $pictype on line 121 is not validated either.

Write a small HTML form that posts to index.php/Upload/upload_img_save/.

Upload a phpinfo() file to try it; the stored path is shown after the upload succeeds.

The uploaded file is parsed and executed as PHP.
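A hardened upload_img_save() for the handler just described, added here as an example and not the CMS's code; UPLOAD_DIR and the allowed image types are assumptions.

```php
<?php
// Added example (not the CMS's upload_img_save()): validate the upload
// before moving it, and never derive the stored extension from the client.

const UPLOAD_DIR = __DIR__ . '/Uploads';   // assumed upload directory

// The extension is chosen from the detected image type, never from the
// uploaded file name or from the unvalidated $pictype parameter.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

function upload_img_save(array $file): string {
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // getimagesize() inspects the bytes, so a .php file renamed to .jpg is
    // rejected here; a real image with code in its comment field still passes,
    // which is why execution must also be disabled in the upload directory.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('not an allowed image');
    }
    $ext = ALLOWED_TYPES[$info[2]];
    // server-chosen random name; the original file name is never reused
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store file');
    }
    chmod($dest, 0644);
    return $name;
}

// Handler entry point (after the same login check the deletion handler needs):
// $stored = upload_img_save($_FILES['imgfile'] ?? []);
```

The web server should additionally refuse to run PHP under UPLOAD_DIR (for Apache with mod_php, an .htaccess containing "php_flag engine off"), so that even a polyglot image that passes getimagesize() is served as static data.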