2025-02-28 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
CMS from CSRF to Getshell: example analysis. This article walks through the analysis of the vulnerability and the corresponding fix in detail.
Foreword:
Recently I have been preparing to look at code-execution vulnerabilities. While browsing CNVD, as I do every day, I came across one, shown in the following figure.
Looking at the brief description: this is a fairly obscure CMS, and combined with the mosaic over the name, it is practically an invitation to analyze the flaw.
Environment building:
I am using the CMS 1.0 + Apache 2.4.39 + PHP 5.6.9; the CMS only runs on PHP 5.x and does not support the latest PHP versions.
Installation is straightforward (just accept the defaults). After it succeeds, the result is shown in the following figure.
The CNVD details state clearly that this is a vulnerability in the admin back end, so we look directly at the back-end code. Following the hint in the advisory, we locate the relevant file.
The file is very short, and the vulnerability is quite obvious.
At first I noticed that PHP code is inserted into the output with no filtering at all.
I then checked whether code could be executed through the PHP echo function.
I could not find a way to make echo execute code, however. Going back over the code with fresh eyes, I found that the user's input is written to a file.
After submitting the input from the front end:
Looking at Ping.php, the input is written straight to a file without any permission check. The catch is that the vulnerable input point is in the admin back end.
We can try to combine this with another weakness to improve exploitability. After going through the entire source code, we found that the system has no CSRF protection at all, so we can chain it with CSRF.
Construct a CSRF page:
history.pushState('', '', '/');
It triggers successfully:
Inserting the payload then executes commands directly, without authorization.
More broadly, this is a systemic problem rather than a single spot. At two other points:
the user's input is likewise saved directly to a file without any permission check.
Repair recommendations:
1. Add a random token to the request to prevent CSRF; this reduces the risk to some extent.
2. Do not write front-end user input into files at all; store it in the database instead.
3. A "lazier" alternative: name the generated file with a random string and give it a .txt suffix, so it is never executed as PHP.
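The following is an added example (not the CMS's own code) showing recommendations 1 and 3 applied to a hypothetical "ping note" handler in PHP. The function names, the storage directory and the form field names are assumptions.

```php
<?php
// Added example, not code from the CMS: CSRF token plus server-chosen .txt filename.
session_start();

// 1. Anti-CSRF token: one random value per session, embedded in the form and
//    checked on every state-changing request. A cross-site page cannot read it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool {
    // hash_equals() compares in constant time.
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string)$post['csrf_token']);
}

// 3. If the data must go to a file: random name chosen by the server, fixed .txt
//    suffix, stored outside the web root so the contents are never run as PHP.
//    (Recommendation 2, storing the note in the database, avoids the file entirely.)
function save_ping_note(string $content, string $dir): string {
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException('cannot create storage dir');
    }
    $name = bin2hex(random_bytes(16)) . '.txt';          // user has no say in the name
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    if (file_put_contents($path, $content, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $path;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SESSION['admin_id']) || !csrf_check($_POST)) { // assumed login flag
        http_response_code(403);                             // unauthenticated or forged
        exit('forbidden');
    }
    $note  = (string)($_POST['content'] ?? '');
    $saved = save_ping_note($note, __DIR__ . '/../storage/notes'); // assumed directory
    echo 'saved as ' . htmlspecialchars(basename($saved), ENT_QUOTES, 'UTF-8');
    exit;
}

// Render the form with the token so a legitimate same-site submission carries it.
$t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post"><input type="hidden" name="csrf_token" value="' . $t . '">'
   . '<textarea name="content"></textarea><button>Save</button></form>';
```

A forged cross-site POST lacks the session's token and is rejected with 403, and even a note containing PHP tags lands in a .txt file outside the document root.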