Closed c0d1007 closed 4 years ago
VERSION 1.9.13, RELEASE 2020/01/10
Open the secure boot file setup.php; the file path is /phpwcms/setup/setup.php. Then it includes /phpwcms/setup/inc/setup.check.inc.php in line 24.
/phpwcms/setup/setup.php
/phpwcms/setup/inc/setup.check.inc.php
Open the file /phpwcms/setup/inc/setup.check.inc.php and you can see line 35.
Track the function write_conf_file() in /phpwcms/setup/inc/setup.func.inc.php in line 119.
/phpwcms/setup/inc/setup.func.inc.php
And in line 293, it will call the function write_textfile() to write the config file in line 35.
In this interface, you can input some information like this.
root';phpinfo();$test='a
After completing it, click Submit. It will show some error information, but you can access an address like this and you can see it run the injection code.
Filtering some sensitive characters.
Thanks, patch should solve the problem.
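The report traces the setup form values into the PHP config file written by write_conf_file(), and proposes filtering characters as the fix. The following is an added example, not phpwcms code and not the project's patch; the helper names and the `$conf` array are hypothetical. It emits the value with var_export() so it stays one string literal, and uses the tokenizer to check that a generated config line is a single statement:

```php
<?php
// Added example: helper names and $conf are hypothetical, not phpwcms code.

// Unsafe pattern: the raw form value is pasted between single quotes,
// so a quote in the value ends the literal early.
function render_conf_line_unsafe(string $key, string $value): string
{
    return "\$conf['" . $key . "'] = '" . $value . "';\n";
}

// Hardened pattern: var_export() produces a valid PHP string literal,
// escaping ' and \ so the value cannot leave the quotes.
function render_conf_line_safe(string $key, string $value): string
{
    // Keys should come from a fixed list in the installer, never from the form.
    if (!preg_match('/^[a-z_][a-z0-9_]*$/i', $key)) {
        throw new InvalidArgumentException('unexpected config key');
    }
    return '$conf[' . var_export($key, true) . '] = '
         . var_export($value, true) . ";\n";
}

// Count statement terminators in generated source with the tokenizer.
// Semicolons inside a string literal are part of the string token and
// are not counted, so one config line must yield exactly one.
function count_statements(string $phpLine): int
{
    $n = 0;
    foreach (token_get_all('<?php ' . $phpLine) as $tok) {
        if ($tok === ';') {
            $n++;
        }
    }
    return $n;
}

// The value quoted in the report above.
$input = "root';phpinfo();\$test='a";

$unsafe = render_conf_line_unsafe('db_user', $input);
$safe   = render_conf_line_safe('db_user', $input);

echo $unsafe, $safe;
printf("unsafe line: %d statement(s), safe line: %d statement(s)\n",
    count_statements($unsafe), count_statements($safe));
```

The same tokenizer check can run in the installer before the file is written, rejecting any generated line that is not exactly one statement.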