
What is the RhinOS CMS 3.x arbitrary file download vulnerability?

2025-03-26 Update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou (Shulou.com) 05/31 Report

This article walks through the RhinOS CMS 3.x arbitrary file download vulnerability: how the test environment is set up, where the flaw sits in the code, how it is reproduced, and how it should be fixed.

01 Introduction

RhinOS is a framework for building websites that aims to give fast access to and management of web portals. RhinOS CMS offers extensive site-management features, with built-in modules for quick access to databases, XML and other resources, shopping carts, tags and parameterised files, configuration parameters, intranet access, database sessions, e-mail sending, a CAPTCHA security system, fast filtering, and list and detail views. The download.php file of RhinOS CMS contains an arbitrary file download vulnerability through which any file readable by the web server can be downloaded.

02 Environment setup

RhinOS CMS can be downloaded from https://sourceforge.net/projects/rhinos/. After the download completes, run the installer and click Next through to the end, as shown in Figure 1.

Figure 1 Installation completed

Because of a character-encoding mismatch, the information displayed after a successful installation is partly garbled; it renders correctly if the system locale is Spanish. Next, change the listening port in httpd.conf to 8080 to avoid a conflict with Windows services that already occupy port 80. httpd.conf is located at C:\rhinos\httpd\conf\httpd.conf, as shown in Figure 2.

Figure 2 Location of httpd.conf

Open the file in an editor and change port 80 to port 8080, as shown in Figure 3.

Figure 3 Modifying the port

Restart the Apache service after changing the port, then browse to http://127.0.0.1:8080. The freshly installed CMS is reachable there, as shown in Figure 4.

Figure 4 Access after restarting the Apache service

03 Vulnerability code audit

The vulnerable code is in C:\rhinos\demo\admin\php\download.php. At line 30 the path of the file to be read is built by concatenating a string with user input, as shown in Figure 5.

Figure 5 download.php

Look up getParam() to see how it is implemented.

The function lives in C:\rhinos\demo\admin\php\connect.php, at line 88, as shown in Figure 6.

Figure 6 connect.php

getParam() returns the request parameter "file", which can be supplied either by POST or by GET. The value is concatenated into the path without any normalisation or directory check, and the file read at line 41 of Figure 5 then operates on that path. Because the requester fully controls "file", including ../ sequences, this is an arbitrary file read, and since the content is sent back to the client, an arbitrary file download.

04 Vulnerability reproduction

Before reproducing, find where download.php is called from. Testing shows that config.php can be downloaded with the URL below, but only after logging in to the admin backend, so the vulnerability is reachable only by an authenticated user. The URL is:

http://127.0.0.1:8080/admin/inicio.php?include=php/download.php&name=efe.php&file=../config.php

as shown in Figure 7.

Figure 7 Downloading config.php

Since any file can be read, win.ini in the Windows directory can be downloaded in the same way:

http://127.0.0.1:8080/admin/inicio.php?include=php/download.php&name=efe.php&file=../../../../Windows/win.ini

After the request is executed the file is downloaded, as shown in Figure 8.

Figure 8 Downloading win.ini

05 Fix recommendations

As the analysis above shows, the vulnerability is harmful and should be fixed. Several approaches:

Filter the dot characters: reject any value of file that contains "..", so the URL cannot step back into a parent directory. A plain string filter is not enough on its own: the value must be checked after URL decoding, absolute paths must be rejected as well, and the most reliable check is to resolve the final path with realpath() and confirm that it still starts with the intended download directory.

Validate the format of the user-supplied parameter strictly with a regular expression, so that only the expected characters (for example a plain file name) are accepted.

Put the download area in its own directory outside the project path, and give each downloadable resource its own fixed URL. Do not expose a single generic download URL that takes an arbitrary file name for every resource:

http://127.0.0.1:8080/admin/inicio.php?include=php/download.php&name=efe.php&file=file name
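As an added example, not code from RhinOS or from this article, the PHP below reconstructs the pattern described in section 03 in minimal form (the function and directory names are assumed; this is not the real download.php or connect.php) beside a hardened replacement that applies the three suggestions above: only a plain file name is accepted, the path is resolved with realpath() and checked to stay inside a download directory that is meant to sit outside the web root, and nothing else is ever read.

```php
<?php
// Added example (not RhinOS code). $downloadDir, getParam_reconstructed(),
// download_vulnerable(), resolve_download() and download_fixed() are all
// assumed names used for illustration.

// --- Vulnerable pattern, reconstructed for contrast ----------------------
function getParam_reconstructed(string $name): string {
    // Accepts the parameter from POST or GET, as the article describes for getParam().
    if (isset($_POST[$name])) return (string)$_POST[$name];
    if (isset($_GET[$name]))  return (string)$_GET[$name];
    return '';
}

function download_vulnerable(string $downloadDir): void {
    $file = getParam_reconstructed('file');
    $path = $downloadDir . '/' . $file;   // "../config.php" walks out of $downloadDir
    header('Content-Type: application/octet-stream');
    readfile($path);
}

// --- Hardened version ----------------------------------------------------
// Returns the canonical absolute path if $file names a regular file inside
// $downloadDir, otherwise null. $downloadDir should live outside the web root.
function resolve_download(string $downloadDir, string $file): ?string {
    // 1. Allowlist: a plain file name only. No leading dot, no slashes, no "..",
    //    so traversal and absolute paths are rejected before touching the disk.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/', $file)) {
        return null;
    }
    $base = realpath($downloadDir);
    if ($base === false) return null;
    // 2. Resolve symlinks and "." components, then confirm the canonical path is
    //    still under the canonical base directory.
    $real = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($real === false) return null;
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) return null;
    if (!is_file($real)) return null;
    return $real;
}

function download_fixed(string $downloadDir): void {
    $real = resolve_download($downloadDir, getParam_reconstructed('file'));
    if ($real === null) {
        http_response_code(400);
        exit('invalid file');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($real) . '"');
    header('Content-Length: ' . (string)filesize($real));
    readfile($real);
}

// Self-check from the command line: a temporary download directory with one
// constructed file, then the inputs from section 04 against resolve_download().
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_' . bin2hex(random_bytes(4));
    mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.pdf', 'demo');
    $cases = ['report.pdf', '../config.php', '../../../../Windows/win.ini',
              'missing.txt', '/etc/passwd', '.htaccess'];
    foreach ($cases as $c) {
        $r = resolve_download($dir, $c);
        printf("%-32s -> %s\n", $c, $r === null ? 'REJECTED' : 'OK ' . basename($r));
    }
    unlink($dir . DIRECTORY_SEPARATOR . 'report.pdf');
    rmdir($dir);
}
```

The regular expression alone already rejects every payload shown in section 04, but the realpath() containment check is what keeps the code safe if the allowlist is later loosened or if a symlink is dropped into the download directory. The third suggestion (one fixed URL per resource) is a further step: replace the file name with an opaque identifier looked up in a server-side table, so the client never names a path at all.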

That is how the RhinOS CMS 3.x arbitrary file download vulnerability works. If you are looking at a similar issue, the analysis above can be used as a reference for both the audit and the fix.
