Foreword: This week I used some evening time to look at wuzhicms. The CMS appears to be no longer maintained; the official website now only gives a Baidu network disk address for the source code. I downloaded it, set it up locally for an audit, and am sharing the findings here; corrections from more experienced readers are welcome.

1. Sensitive information leak: There is a link that leads directly to the admin backend. In the code:


2. Two backend SQL injections: There should be more than these two; time was limited, so I only found these two. Anyone more skilled is welcome to try to find them all.

  • `www/api/sms_check.php`: the `param` parameter is passed into `$code` and concatenated directly into the SQL statement, resulting in SQLi:

  • `coreframe/app/promote/admin/index.php`: `$keywords` is obtained and concatenated directly into the SQL statement, resulting in SQLi:

3. Arbitrary file read and delete in the backend

`coreframe/app/attachment/admin/index.php`: analysing the logic shows that `../`, `./`, `.\` and `..\` are each replaced with an empty string in a single pass. Because the replacement is not repeated, it can be bypassed by writing the sequences doubled:

At the same time, the files that can be read can also be deleted; each one has a delete link. Looking at the `del` method: after obtaining the path from the URL, the `ATTACHMENT_URL` prefix is detected and replaced with an empty string.

    define('ATTACHMENT_URL','http://www.wuzhicmstest.com/uploadfile/'); // Attachment path

    Then, without any additional filtering, the path is passed to `my_unlink`, which achieves the deletion.

4. A logic flaw

The exploitation method is similar to the one for zzCMS2021 seen last time; see xz.aliyun.com/t/10432 for details. `www/api/uc.php`: any method of the `UC_note` class can be called by passing an argument, so the user name, password and so on can be changed.

5. Backend RCE

I looked for this for a long time. The reason I did not give up is that, having found so much already, the audit felt incomplete without an RCE. I later found that someone had submitted an RCE for this CMS to CNVD, but I did not know their method, so I had to keep looking on my own. After several unsuccessful attempts, a global search for sensitive functions turned up `file_put_contents`. In `coreframe/app/core/libs/function/common.func.php`, `set_cache`: `set_cache` is called from the member model. Looking directly at where the settings are fetched and the cache is written. Using phpinfo as the test payload, and reaching this method through the backend: after another global search, the same pattern is used in many places.

Conclusion: If any master knows where else RCE is possible, please point me to it!
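Returning to the traversal filter in section 3: the following is an added example (not wuzhicms code) that contrasts a single-pass replacement, simplified here to one token, with a check that resolves the requested path and confirms it stays under the attachment root. The temporary directory layout and the function names are assumptions for illustration.

```php
<?php
// Added example, not wuzhicms code. Directory layout and function names are assumed.

// Weak: removing '../' once lets a doubled token reassemble after the removal.
function weak_clean(string $path): string {
    return str_replace('../', '', $path);
}

// Hardened: resolve the requested path with realpath() (collapses '..' and
// follows symlinks) and require it to be the root itself or a descendant of it.
function safe_attachment_path(string $root, string $userPath): ?string {
    $base = realpath($root);
    $full = realpath($root . '/' . str_replace('\\', '/', $userPath));
    if ($base === false || $full === false) {
        return null;                    // nonexistent file or unresolvable path
    }
    // Compare with a trailing separator so '/uploadfile_x' cannot pass as '/uploadfile'.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($full !== $base && strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;                    // resolved outside the attachment root
    }
    return $full;
}

// Constructed layout in a temp dir: <root>/2021/photo.jpg and a file outside the root.
$tmp  = sys_get_temp_dir() . '/attach_demo_' . getmypid();
mkdir("$tmp/uploadfile/2021", 0700, true);
file_put_contents("$tmp/uploadfile/2021/photo.jpg", 'img');
file_put_contents("$tmp/secret.txt", 'outside');
$root = "$tmp/uploadfile";

// Constructed inputs: a legitimate file, a plain traversal, and a doubled token.
$inputs = ['2021/photo.jpg', '../secret.txt', '....//secret.txt'];
foreach ($inputs as $in) {
    $weak = weak_clean($in);                               // '....//' becomes '../'
    $safe = safe_attachment_path($root, $in) ?? 'rejected';
    printf("%-18s after weak filter: %-16s hardened check: %s\n", $in, $weak, $safe);
}

// Remove the constructed layout.
unlink("$tmp/uploadfile/2021/photo.jpg");
unlink("$tmp/secret.txt");
rmdir("$tmp/uploadfile/2021");
rmdir("$tmp/uploadfile");
rmdir($tmp);
```

The plain `../secret.txt` resolves to an existing file and is stopped by the prefix comparison, while the doubled form is stopped because no `....` directory exists under the root; the weak filter passes `../secret.txt` through untouched in both cases.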