Description
-
Environment construction
Built with PHPStudy2014 (Nginx + PHP 5.3) and Ray CMS 1.5.
Download from http://www.gxcms.org/

Put the website source code into the web root directory and access the installation address:


-
Vulnerability code audit
The vulnerability is in the admin backend template management page:

Auditing the page source, the /views/admin/tpl_add.html file, shows that the file name is received in the filename field and the file content in the content field; the form then POSTs the data to ?s=Admin/Tpl/Update for processing:

Following ?s=Admin/Tpl/Update to its handler, the /core/Lib/Action/Admin/TplAction.class.php file, the Update function receives the filename and content variables. After receiving them it only checks whether the two variables are empty; neither the file name nor the file content is checked for dangerous characters, and the data is written directly to the file with the write_file function. This means there is an arbitrary file upload vulnerability.
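As an added illustration (not Ray CMS code), this is the shape the Update handler could take with the checks the audit above finds missing; the function names, the template root path, the allowed-extension list and the use of file_put_contents() in place of the CMS write_file() are assumptions:

```php
<?php
// Added example, not Ray CMS code: the input checks the page says Update() lacks.
// Assumptions (hypothetical): $tplRoot is the directory the handler may write
// under; templates only ever use the html/htm/tpl extensions; the CMS
// write_file() is replaced by file_put_contents() so the snippet runs alone.

function validateTemplateFilename(string $filename, string $tplRoot): ?string
{
    // Base name only: no slashes, no "..", exactly one dot and a safe character
    // set, so a submitted name cannot escape $tplRoot or carry a second extension.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.([A-Za-z0-9]+)$/', $filename, $m)) {
        return null;
    }
    // Extension allow-list, compared lowercased so "x.PHP" is rejected too.
    if (!in_array(strtolower($m[1]), ['html', 'htm', 'tpl'], true)) {
        return null;
    }
    return rtrim($tplRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $filename;
}

// Hardened shape of the Update handler (names are hypothetical).
function updateTemplate(array $post, string $tplRoot): array
{
    $filename = trim((string)($post['filename'] ?? ''));
    $content  = (string)($post['content'] ?? '');
    if ($filename === '' || $content === '') {   // the only check the original does
        return ['ok' => false, 'msg' => 'filename and content are required'];
    }
    $target = validateTemplateFilename($filename, $tplRoot);
    if ($target === null) {
        return ['ok' => false, 'msg' => 'filename rejected'];
    }
    // Assumption: templates never need raw PHP, so PHP open tags in the content
    // are refused too, since the template engine compiles .html files into PHP.
    if (preg_match('/<\?(php\b|=)/i', $content)) {
        return ['ok' => false, 'msg' => 'PHP code is not allowed in templates'];
    }
    file_put_contents($target, $content, LOCK_EX);
    return ['ok' => true, 'path' => $target];
}

// Constructed demo: a .php name is rejected, a .html template is written.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . uniqid();
mkdir($tmp);
var_dump(updateTemplate(['filename' => 'my_hot_info.php', 'content' => '<h1>x</h1>'], $tmp)['ok']);
var_dump(updateTemplate(['filename' => 'my_hot_info.html', 'content' => '<h1>x</h1>'], $tmp)['ok']);
```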

-
Exploit the vulnerability
Log in to the admin backend of the target website (the default admin password is admin888; otherwise through password brute-forcing or even phishing), click template management to enter the /template/default/Home directory, select any file and click edit:

On the editing page, enter the PHP test code in the file content field, start BurpSuite to capture the request, and click Submit:

Once BurpSuite has captured the request, change the filename suffix to php and then forward the request:

Back in the backend template management page, the my_hot_info.php file has been created successfully; visiting that file shows the PHP test code executing:

