IMCAFS

Home

share your technology and add some temperature for safety

Posted by deaguero at 2020-03-29
all

0x00 background

Recently, I got a source material, so I analyzed the source code and found many vulnerabilities. In this article, I will analyze some vulnerabilities first, and in the next chapter, I will analyze the getshell method, expecting to communicate with the masters.

0x01 vulnerability analysis

Profile write

0x00 related environment

Source code information: hdwiki-v6.0utf8-20170209 problem file: \ hdwiki-v6.0utf8-20170209 \ HDWiki \ install \ install.php vulnerability type: the address of the site where the configuration file is written to cause code execution: http://kaiyuan.hudong.com/

0x01 vulnerability analysis

The following code block is found in line 291-310 of file \ hdwiki-v6.0utf8-20170209 \ HDWiki \ install \ install.php. The incoming database connection and other information are spliced directly without security processing, and then the spliced content is written to the configuration file using fwrite function, so there is a Code Execution Vulnerability here.

The location where the code can be written is dbhost, dbuser, dbpassword, dbname, table_prefix, host. Here I directly embed the code into the host. Make the following request to write the malicious code into the configuration file. Since the configuration file does not have access rights set, it can be accessed directly in the foreground after writing.

[PHP] plain text view copy code

0x00 related environment

Source information: hdwiki-v6.0utf8-20170209 problem file: \ HDWiki \ control \ user.php vulnerability type: storage XSS injection site address: http://kaiyuan.hudong.com/

0x01 vulnerability analysis

In the file \ HDWiki \ control \ user.php, the following code blocks are found in lines 50-56. Through analysis and data tracking, it is found that $email has security problems. After receiving the value of email in line 54 and escaping the quotation marks, it enters the docheck in line 56.

Because the length of the mailbox is limited, but you can use a short domain name to break through.

[PHP] plain text view copy code

JS code will be triggered when the administrator logs in the background for user management.

1x00 relevant environment

Source information: hdwiki-v6.0utf8-20170209 problem file: \ HDWiki \ control \ doc.php vulnerability type: storage XSS injection site address: http://kaiyuan.hudong.com/

1x01 vulnerability analysis

The doedit method is found in line 413 of the file \ HDWiki \ control \ doc.php. When editing entries, the function of filtering dangerous characters can be bypassed, leading to the direct introduction of front-end code to create a storage XSS. In line 534 of the file, the stripscript method is used to handle the incoming content safely.

First register a user, then create an entry, and then edit the entry, that is, embed JS code in the content parameter. The bypass method is to add a space after the last script, and then submit.

[PHP] plain text view copy code

When users or administrators access this entry, they can execute JS scripts.

This article only analyzes some of the vulnerabilities found. There are many problems in the source code. Interested partners can dig and try it on their own. There are several ways to get shell. Let's share with you later. I'm looking forward to the exchange and discussion with the masters. The masters have better ideas and hope to exchange and discuss together. But if it's HC, please leave me alone. For exchange and study, please contact me [email] think [email protected][/email]。