How to analyze the CVE-2018-19127 vulnerability

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article walks through an analysis of the CVE-2018-19127 vulnerability in detail. We hope it serves as a useful reference.

I. Vulnerability background

Recently, the National Information Security Vulnerability Sharing Platform (CNVD) issued a security announcement about attacks exploiting a remote GetShell 0day in /type.php of PHPCMS 2008. By exploiting this vulnerability, an attacker can inject code remotely and, without authorization, write arbitrary content to a cache file whose path within the site is controllable. This makes it possible to plant a backdoor on the target website and leads to a series of serious problems, such as unauthorized remote command execution against the target website. This vulnerability was first captured by Aliyun Security.

II. Vulnerability summary

Who should read this: PHPCMS 2008 developers and users

Impact of the vulnerability: the vulnerability mainly uses /type.php to construct a payload that achieves arbitrary file writing. The risk is high. It is recommended to upgrade to the latest official version.

Affected software versions: PHPCMS2008SP4 and below

CVE identifier: CVE-2018-19127

III. Build the environment

Install a PHPCMS2008 version that falls within the scope of the vulnerability.

IV. Trigger conditions

Check that the PHPCMS version number is one of the affected versions.

V. Vulnerability analysis

Analyzing type.php in the phpcms directory shows that it uses a template variable, and that the user can control this variable by passing it in as a request parameter. The variable is then passed into the template() method. The template() method is defined in the /include/global.func.php file and contains the following code:

The $template variable is fully controllable here, and automatic refresh of the template cache is enabled by default. When the template variable is supplied as

template=tag_(){};@unlink(FILE);assert($_POST[1]);{//../rss, $compiledtplfile becomes "data/cache_template/phpcms_tag_(){};@unlink(FILE);assert($_POST[1]);{//../rss.tpl.php". At this point the condition is satisfied and the template_compile function is called. This function is defined in include/template.func.php.

In the template_compile function, the $template variable is controllable. When our input is "template=tag_(){};@unlink(FILE);assert($_POST[1]);{//../rss", the $content variable takes the former of its two possible values, and the $template variable embedded in $content is controllable, so the file_put_contents function ends up writing arbitrary code. Note that when the path passed to file_put_contents is data/cache_template/phpcms_tag_(){};@unlink(FILE);assert($_POST[1]);{//../rss.tpl.php, PHP resolves it to data/cache_template/rss.tpl.php.

VI. Remediation suggestions

As a temporary fix, filter the template variable in the /type.php file so that user input containing symbols such as "(" and "{" cannot be mixed in and treated as path and script content.
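One way to implement the temporary filter described above, as an added example that is not PHPCMS code or part of the original article. The function names, the allowlist pattern, the 64-character limit and the "_" separator in the cache file name are assumptions:

```php
<?php
// Added example: allowlist filter for the user-supplied template name.
// Function names, the pattern and the 64-character limit are assumptions.

const TPL_CACHE_DIR = 'data/cache_template/'; // cache directory named in the article

/**
 * Return the template name if it is safe to use in a file name, else null.
 * Allowlisting letters, digits, "_" and "-" rejects "(", "{", ";", "/" and
 * "." in one step, so the value can be neither a path nor script content.
 */
function safe_template_name($value): ?string
{
    if (!is_string($value) || strlen($value) > 64) {
        return null; // arrays (template[]=x) and oversized values
    }
    // \A...\z anchors the whole string; "$" alone would accept a trailing newline.
    return preg_match('/\A[A-Za-z0-9_-]+\z/', $value) === 1 ? $value : null;
}

/** Build the compiled-template path only from validated parts. */
function compiled_template_path(string $module, $template): ?string
{
    $module = safe_template_name($module);
    $template = safe_template_name($template);
    if ($module === null || $template === null) {
        return null; // caller should fall back to a fixed default template
    }
    // Assumed naming scheme: <module>_<template>.tpl.php
    return TPL_CACHE_DIR . $module . '_' . $template . '.tpl.php';
}

// Constructed sample inputs: two normal names, then values containing the
// characters the article says must be filtered, a newline, and an array.
$samples = ['rss', 'tag_list', 'tag_(){};{//../rss', '../rss', "rss\n", ['x']];
foreach ($samples as $s) {
    $path = compiled_template_path('phpcms', $s);
    printf("%-28s => %s\n", json_encode($s), $path ?? 'REJECTED');
}
```

In /type.php a check of this kind would run before the value reaches template(), so a rejected name never becomes part of the cache file path or its content.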

PHPCMS 2008 is no longer officially maintained. It is recommended to upgrade to a version above 2008 (including PHPCMS V9, etc.): http://www.phpcms.cn/v9/.

That concludes this analysis of the CVE-2018-19127 vulnerability. I hope the content above is of some help to you and that you can learn more from it. If you think the article is good, you can share it for more people to see.
