baigoStudio baigoSSO v3.0.1 (CVE-2019-10015)

## 0x01 Demonstration

  1. Log in to the admin backend and modify the system configuration: under System Settings -> Basic Settings, change the site name to aaaaa '); phpinfo (); / * 111111111
  2. Refresh the page; the injected code has been executed.

## 0x02 Code analysis

The vulnerable code is in mdl_const, the function that writes the configuration file.

    /**
     * mdl_const function.
     *
     * @access public
     * @param mixed $str_type
     * @return void
     */
    function mdl_const($str_type) {
        if (!fn_token('chk')) { // token check
            return array(
                'rcode' => 'x030206',
            );
        }

        $_str_content = '<?php' . PHP_EOL;
        foreach ($this->arr_const[$str_type] as $_key=>$_value) {
            if (is_numeric($_value)) {
                $_str_content .= 'define(\'' . $_key . '\', ' . $_value . ');' . PHP_EOL;
            } else {
                $_str_content .= 'define(\'' . $_key . '\', \'' . rtrim(str_ireplace(PHP_EOL, '|', $_value), '/\\') . '\');' . PHP_EOL;
            }
        }

        if ($str_type == 'base') {
            $_str_content .= 'define(\'BG_SITE_SSIN\', \'' . fn_rand(6) . '\');' . PHP_EOL;
            //$_str_content .= 'define(\'BG_SITE_TPL\', \'default\');' . PHP_EOL;
        }

        $_str_content = str_ireplace('||', '', $_str_content);

        $_num_size    = $this->obj_file->file_put(BG_PATH_CONFIG . 'opt_' . $str_type . '.inc.php', $_str_content);

        if ($_num_size > 0) {
            $_str_rcode = 'y030405';
        } else {
            $_str_rcode = 'x030405';
        }

        return array(
            'rcode' => $_str_rcode,
        );
    }

Following the call into file_put: it is a thin wrapper around file_put_contents and writes the content directly to the configuration file.

    function file_put($str_path, $str_content) {
        $this->dir_mk($str_path);
        $_num_size = file_put_contents($str_path, $str_content);
        return $_num_size;
    }

Based on the $str_path passed in, the resulting configuration file is opt_base.inc.php.

Code can be injected as long as the value closes the quoted string and the define() call it is placed in.
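The string branch of mdl_const next to a hardened rendering, as an added example that is not baigoSSO's own code. The function names and the constant name BG_SITE_NAME are assumptions; the input is the site-name value from the demonstration.

```php
<?php
// Added example, not baigoSSO code; function names and BG_SITE_NAME are assumptions.

// Mirrors the string branch of mdl_const(): the value is pasted between quotes as-is.
function render_unsafe(array $consts): string {
    $out = '<?php' . PHP_EOL;
    foreach ($consts as $key => $value) {
        $out .= 'define(\'' . $key . '\', \'' . $value . '\');' . PHP_EOL;
    }
    return $out;
}

// Hardened form: var_export() emits a PHP literal with quotes and backslashes escaped.
// Note: numeric strings are written as quoted strings here, unlike the original branch.
function render_safe(array $consts): string {
    $out = '<?php' . PHP_EOL;
    foreach ($consts as $key => $value) {
        // Constant names should come from a fixed schema, never from request data.
        if (!preg_match('/^[A-Z][A-Z0-9_]*$/D', (string)$key)) {
            throw new InvalidArgumentException('unexpected constant name');
        }
        if (!is_scalar($value)) {
            throw new InvalidArgumentException('only scalar values are written');
        }
        $out .= 'define(' . var_export((string)$key, true) . ', '
              . var_export($value, true) . ');' . PHP_EOL;
    }
    return $out;
}

// Tokenize generated source and list every bare identifier (function or constant name).
function identifiers(string $src): array {
    $names = [];
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING) {
            $names[] = $tok[1];
        }
    }
    return $names;
}

// Constructed input: the site-name value exactly as printed in the demonstration.
$cfg = ['BG_SITE_NAME' => "aaaaa '); phpinfo (); / * 111111111"];

print_r(identifiers(render_unsafe($cfg)));
print_r(identifiers(render_safe($cfg)));
echo render_safe($cfg);
```

In the unsafe rendering the tokenizer reports phpinfo as a bare identifier next to define; in the hardened rendering the whole value stays inside one string literal and define is the only identifier.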

## 0x03
You can also quickly learn about the vulnerability through this link.

https://github.com/baigoStudio/baigoSSO/issues/12

Reposted from blog.csdn.net/yalecaltech/article/details/88809049