
Insert malicious code in the installation process to get a web shell #2

Open
PassingFoam opened this issue Jul 24, 2019 · 0 comments

./upload/install.php 136-176

```php
case 'installmodule': // execute SQL
	// extract($_POST) turns every POST field into a local variable of this scope
	extract($_POST);
	$GLOBALS['dbcharset'] = $dbcharset;
	$PHP_SELF = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : (isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : $_SERVER['ORIG_PATH_INFO']);
	$rootpath = str_replace('\\','/',dirname($PHP_SELF));
	$rootpath = substr($rootpath,0,-7);
	$rootpath = strlen($rootpath)>1 ? $rootpath : "/";
	if($module == 'admin') {
		if ($pre != 'kf_' && (strpos($pre, "kf_") !== false)){
			echo "表前缀不能使用“{$pre}”。(禁止使用包含“kf_”但又不是“kf_”的字符,例如: 把“{$pre}”改成“".str_replace('kf_', 'ab_', $pre)."”试试)";
			exit;
		}
		// only $pre is validated; $dbhost, $dbname, $dbuser, $dbpass and $dbcharset are not
		if(!preg_match("/^[a-zA-Z]{1}[a-zA-Z0-9_]{2,9}+$/",$pre)){
			echo "表前缀不能使用“{$pre}”。(必须是字母加数字或下划线组成的3到10位字符串)";
			exit;
		}
		$auth_key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
		// the POST values are concatenated straight into PHP source code without escaping
		$db_config = '<?php
			$dbhost   = "'.$dbhost.'";

			$dbname   = "'.$dbname.'";

			$dbuser   = "'.$dbuser.'";

			$dbpass   = "'.$dbpass.'";

			$dbcharset = "'.str_replace("-","",$dbcharset).'";

			$pre    = "'.$pre.'";

			$KF_cookiedomain = "";

			$KF_cookiepath =  "/";

			$KF_pwdhash = "'.$auth_key.'";

			define("CHARSET","'.$dbcharset.'");

		?>';
		// the generated source is written to a file that is later included by the application
		$cache_file_path =KF_ROOT_PATH. "caches/config.php";
		write_static_cache_install($cache_file_path, $db_config, 1);
```

It's easy to find that when we write the db's config into caches/config.php, we don't do any filtering.
What's more, we use `extract($_POST);`, so we can control all variables in this page.

And this is the payload:

[screenshot]

We can see the caches/config.php:

[screenshot]

We visit that page:

[screenshot]
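As an added example (not code from the issue or from the project), the following shows how the config writer above can be hardened: read only the expected fields instead of `extract($_POST)`, validate each one, emit the file with `var_export()` so every value is an escaped string literal, and check a deployed `caches/config.php` for anything other than plain assignments. The field names mirror the variables in the vulnerable snippet; the patterns, helper names and sample input are assumptions.

```php
<?php
// Added example, not code from the original issue or project. Keys mirror the
// variables in the vulnerable snippet; patterns and helper names are assumed.

// Read only the expected fields (no extract($_POST)) and validate each one.
function validate_db_fields(array $post): array {
    $rules = [
        'dbhost'    => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/',
        'dbname'    => '/^[A-Za-z0-9_]{1,64}$/',
        'dbuser'    => '/^[A-Za-z0-9_.\-]{1,32}$/',
        'dbcharset' => '/^[A-Za-z0-9\-]{1,32}$/',
        'pre'       => '/^[a-zA-Z][a-zA-Z0-9_]{2,9}$/',   // same rule the installer already applies
    ];
    $clean = [];
    foreach ($rules as $key => $re) {
        $val = $post[$key] ?? '';
        if (!is_string($val) || !preg_match($re, $val)) throw new InvalidArgumentException("invalid value for $key");
        $clean[$key] = $val;
    }
    // The password is free-form, but it is never interpolated raw (see build_db_config).
    $clean['dbpass'] = is_string($post['dbpass'] ?? null) ? $post['dbpass'] : '';
    return $clean;
}

// Emit config.php with var_export(): every value becomes an escaped single-quoted PHP
// literal, so quotes, backslashes and "?>" inside a value stay inside the string.
function build_db_config(array $f, string $auth_key): string {
    $out = "<?php\n";
    foreach (['dbhost', 'dbname', 'dbuser', 'dbpass', 'pre'] as $k) {
        $out .= sprintf("\$%s = %s;\n", $k, var_export($f[$k], true));
    }
    $out .= sprintf("\$dbcharset = %s;\n", var_export(str_replace('-', '', $f['dbcharset']), true));
    $out .= "\$KF_cookiedomain = '';\n\$KF_cookiepath = '/';\n";
    $out .= sprintf("\$KF_pwdhash = %s;\n", var_export($auth_key, true));
    return $out . sprintf("define('CHARSET', %s);\n", var_export($f['dbcharset'], true));
}

// Integrity check for a deployed caches/config.php: only assignments of string literals
// and define() calls are expected; any other token (function name, eval, backticks,
// inline HTML after a stray "?>") means the file was tampered with.
function config_is_clean(string $src): bool {
    $allowed = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING];
    foreach (token_get_all($src) as $tok) {
        $ok = is_string($tok)
            ? in_array($tok, ['=', ';', '(', ')', ','], true)             // single-char tokens
            : in_array($tok[0], $allowed, true) || ($tok[0] === T_STRING && $tok[1] === 'define');
        if (!$ok) return false;
    }
    return true;
}

// Constructed input: dbpass carries a quote, a backslash and "?>"; the output stays clean.
$fields = validate_db_fields(['dbhost' => 'localhost', 'dbname' => 'kf', 'dbuser' => 'kf',
    'dbpass' => 'p"a\'s\\s?>', 'dbcharset' => 'utf-8', 'pre' => 'kf_']);
$cfg = build_db_config($fields, 'constructed_auth_key_0000');
echo $cfg, config_is_clean($cfg) ? "config is clean\n" : "config is tampered\n";
```

Running `config_is_clean()` against the real `caches/config.php` after installation (or from a periodic job) flags a file in which a POST value broke out of its string, since any injected code introduces tokens the check does not allow.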
