A cms foreground code execution

0x1 Vulnerability Analysis

Vulnerable file: Application/Weibo/Model/ShareModel.class.php

Vulnerability analysis:

The shareBox method of the ShareController controller takes the query parameter, urldecodes it, runs it through parse_str, assigns the result as template variables, and then calls display.

The controller does no processing of the incoming $query parameter at all, so it is probably handled inside the template. Let's look at the template content.

On line 9, the template variable $parse_array is passed into the Weibo/Share/fetchShare method. This $parse_array is the product of parse_str on our $query, so its value is under our control. Now look at the called method.

 

Line 40 calls the getInfo method; follow it to see what it does.

The D method instantiates a custom model class. A param array is passed in; after D instantiates the model class, the method named in the call is invoked with the specified parameters. So through this method we can instantiate any model and pass arbitrary parameters to any of its methods. Next we look for a model class that can be used.

Look at the ThinkPHP framework's own model class.

One method can be found through which SQL injection is achievable. But we can try to find a way to achieve code execution.

A method is found through which code execution can be achieved; it requires two parameters to be passed in. If $val[4] is function, it takes some values from the $val array and passes them to call_user_func_array, which achieves code execution. However, because two arguments are required it cannot be used directly, so note this function for possible later use.

After some searching, we found a model method that lets us achieve code execution.

The method is in the ScheduleModel class, at line 341 of Common\Model.

Here a schedule array is passed in; its method value is split with explode and its args value is run through parse_str, then the D method is called again to instantiate a model and invoke a method on it. Here we can control the second parameter of the called method; combined with the _validationFieldItem method found above, a PoC can be constructed that achieves code execution.
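The root cause running through the whole chain above is that request data (after parse_str) chooses both the model class handed to D() and the method invoked on it. The following is an added illustration, not code from the page or from the CMS: a self-contained PHP sketch that contrasts that unrestricted dispatch with an allowlisted one. The two model classes, the D() stand-in, the function names and the allowlist are all constructed for the example.

```php
<?php
// Added illustration (not the CMS's or ThinkPHP's code): unrestricted dynamic
// model/method dispatch next to an allowlisted version of the same call.
// Classes, the D() stand-in and the allowlist are constructed for this sketch.

class ShareModel
{
    // Stand-in for a method that a page is legitimately meant to call.
    public function fetchShare(array $params): string
    {
        return 'share:' . ($params['id'] ?? 'none');
    }
}

class ScheduleModel
{
    // Stand-in for a method that must never be reachable from request data.
    public function runInternal(array $params): string
    {
        return 'internal:' . implode(',', array_keys($params));
    }
}

// Minimal stand-in for a framework model factory such as ThinkPHP's D().
function D(string $name): object
{
    return new $name();
}

// Vulnerable pattern: model name, method name and arguments all come straight
// from the request (here from parse_str on the raw query string), so any public
// method on any loadable class can be invoked with attacker-shaped arguments.
function unsafeDispatch(string $query): string
{
    parse_str($query, $p);
    $model  = D($p['model']);
    $method = $p['method'];
    return $model->$method($p['args'] ?? []);
}

// Hardened pattern: the request may only select from an explicit
// model => methods allowlist; everything else is refused before D() runs.
const ALLOWED_CALLS = [
    'ShareModel' => ['fetchShare'],
];

function safeDispatch(string $query): string
{
    parse_str($query, $p);
    $modelName = (string)($p['model'] ?? '');
    $method    = (string)($p['method'] ?? '');

    if (!isset(ALLOWED_CALLS[$modelName])
        || !in_array($method, ALLOWED_CALLS[$modelName], true)) {
        // Refuse (and log) instead of falling through to dynamic invocation.
        throw new InvalidArgumentException("dispatch refused: {$modelName}::{$method}");
    }

    $args = $p['args'] ?? [];
    if (!is_array($args)) {
        throw new InvalidArgumentException('args must be an array');
    }
    return D($modelName)->$method($args);
}

// Demonstration with constructed query strings.
echo unsafeDispatch('model=ScheduleModel&method=runInternal&args[x]=1'), PHP_EOL;
echo safeDispatch('model=ShareModel&method=fetchShare&args[id]=7'), PHP_EOL;
try {
    safeDispatch('model=ScheduleModel&method=runInternal&args[x]=1');
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist is the check to look for in a code review: wherever a class name or method name is resolved from parse_str output, explode output or any other request-derived value, the resolved pair should be compared against a fixed table before D() or a variable method call is reached. Rejections are also a cheap detection signal, since a legitimate page never asks for a model/method pair outside the table.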

0x2 Vulnerability Verification

Origin www.cnblogs.com/flipfi/p/11228606.html