slackero / phpwcms

Flexible, fast, powerful, customer, developer friendly web content management system and cms framework
http://www.phpwcms.org
GNU General Public License v2.0

Code Injection Vulnerability can Getshell #286

Closed c0d1007 closed 4 years ago

c0d1007 commented 4 years ago

Test version

VERSION 1.9.13, RELEASE 2020/01/10

Code audit

setup.php code

Open the secure boot file setup.php; the file path is /phpwcms/setup/setup.php. It then includes /phpwcms/setup/inc/setup.check.inc.php in line 24.

image

setup.check.inc.php code

Open the file /phpwcms/setup/inc/setup.check.inc.php and you can see line 35.

image

setup.func.inc.php code

Track the function write_conf_file() in /phpwcms/setup/inc/setup.func.inc.php in line 119.

image

And in line 293, it will call the function write_textfile() to write the config file in line 35.

image

image

Testing getshell

In this interface, you can input some information like this.

image

payload

root';phpinfo();$test='a

After completing it, click Submit. It will show some error information, but you can access an address like this and you can see it run the injection code.

image

Solution

Filtering some sensitive characters.

slackero commented 4 years ago

Thanks, patch should solve the problem.
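
The class of bug reported in this issue, as an added example that is not phpwcms code and not the patch mentioned above: a setup value pasted unescaped between single quotes in a generated PHP config file, beside a rendering that escapes it with `var_export()`. The function names and the `db_user` key are hypothetical; the test input is the payload string quoted in the issue, and the generated source is only tokenized, never executed.

```php
<?php
// Added example, not phpwcms code: function names and the config key are hypothetical.

// Vulnerable pattern: the value is pasted between single quotes unescaped,
// so a quote in the input ends the literal and the rest is parsed as PHP code.
function render_conf_unsafe(string $key, string $value): string
{
    return "<?php\n\$conf['" . $key . "'] = '" . $value . "';\n";
}

// Hardened pattern: var_export() emits a correctly escaped PHP string literal
// (quotes and backslashes escaped), and the key is limited to identifier characters.
function render_conf_safe(string $key, string $value): string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $key)) {
        throw new InvalidArgumentException('invalid config key');
    }
    return "<?php\n\$conf[" . var_export($key, true) . '] = '
        . var_export($value, true) . ";\n";
}

// Check without executing anything: tokenize the generated source and count
// statement terminators. token_get_all() returns single-character tokens as
// plain strings, and a ';' inside a string literal is part of that literal's
// token, so it is not counted here.
function count_statements(string $source): int
{
    $count = 0;
    foreach (token_get_all($source) as $token) {
        if ($token === ';') {
            $count++;
        }
    }
    return $count;
}

$input = "root';phpinfo();\$test='a"; // payload string quoted in the issue

$rendered = [
    'unsafe' => render_conf_unsafe('db_user', $input),
    'safe'   => render_conf_safe('db_user', $input),
];
foreach ($rendered as $label => $source) {
    printf("%-6s statements=%d\n%s\n", $label, count_statements($source), $source);
}
```

A config line that assigns one value should tokenize as exactly one statement; any higher count for the same input means the value escaped its string literal.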