Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Code Injection Vulnerability can Getshell #286

Closed
c0d1007 opened this issue Jan 16, 2020 · 1 comment
Closed

Code Injection Vulnerability can Getshell #286

c0d1007 opened this issue Jan 16, 2020 · 1 comment

Comments

@c0d1007
Copy link

c0d1007 commented Jan 16, 2020

Test version

VERSION 1.9.13, RELEASE 2020/01/10

Code audit

setup.php code

Open the secure boot file setup.php,the file path is /phpwcms/setup/setup.php.Then it
include /phpwcms/setup/inc/setup.check.inc.php in line 24.

image

setup.check.inc.php code

open file /phpwcms/setup/inc/setup.check.inc.php and you can see line 35.

image

setup.func.inc.php code

tarck the function write_conf_file() in /phpwcms/setup/inc/setup.func.inc.php in line 119.

image

and in line 293,it will call function write_textfile() to write the config file in line 35.

image

image

Testing getshell

in this interface,you can input some infomation like this.

image

payload

root';phpinfo();$test='a

After completing it, click Submit.It will show some error information,but you can access like this address and you can see it run the injection code.

image

Solution

Filtering some sensitive characters.

slackero added a commit that referenced this issue Jan 17, 2020
- escape single quotes to avoid code injection
- block direct access to setup.conf.inc.php
@slackero
Copy link
Owner

Thanks, patch should solve the problem.

slackero added a commit that referenced this issue Jan 23, 2020
- escape single quotes to avoid code injection
- block direct access to setup.conf.inc.php
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants