Shulou(Shulou.com)05/31 Report--

phpcms2008 remote code execution vulnerability analysis and how to fix, many novices are not very clear about this, in order to help you solve this problem, the following small series will be explained in detail for everyone, there are people who need this to learn, I hope you can harvest.

phpcms2008 Remote Code Execution Vulnerability

Description:

Recently, PHPCMS2008 code injection vulnerability (CVE-2018-19127) broke out on the Internet. An attacker could exploit this vulnerability to write unauthorized Web site files. The vulnerability is classified as High. At present, the exploit principle has been made public, and the manufacturer has released a new version to fix this vulnerability.

Scope of impact:

PHPCMS2008 sp4 and below

POC github address:

https://github.com/ab1gale/phpcms-2008-CVE-2018-19127

Vulnerability analysis:

In type.php:

Contains/include/common.inc.php which registers global variables such as $_GET,$_POST, etc.

The extract function, as we all know, registers the items of an array as variables. Any variable can be registered.

Call the template function on line 30 of type.php

template function defined in global.func.php

The $template variable is fully controllable here, and the template cache is automatically refreshed by default. template=tag_(){};@unlink(FILE);assert($_POST[1]);{//../ rss,$compiledtplfile="data/cache_template/phpcmstag(){};@unlink(FILE);assert($_POST[1]);{//../ rss.tpl.php" . At this point, you can naturally enter the judgment, call the template_compile function, and the subfunction is defined in include/template.func.php

In the template compile function, the $template variable is controllable, while the $content variable is controllable when our input is "template=tag(){};@unlink(FILE);assert($_POST[1]);{//../ rss"will naturally choose the former, while the $template variable in the content is controllable. Finally, the file_put_contents function writes arbitrary code. It should be noted that the file_put_contents path is data/cache_template/phpcmstag(){};@unlink(FILE);assert($_POST[1]);

{//../ The requested URL/cache_template/rss.tpl.php was not found on this server.

To sum up:

type.php contains common.inc.php arbitrary variable registration->$template variable controllable->template function variable $template controllable->template_compile function variable $template controllable-> file_put_contents function affected by $template two parameter variables controllable, with php this function analyzes file characteristics, write a sentence to the file.

Bug fixes:

upgrade to the latest version

Did reading the above help you? If you still want to have further understanding of related knowledge or read more related articles, please pay attention to the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.