IMCAFS

Home

code audit

Posted by tzul at 2020-02-27
all

Cltphp is developed with ThinkPHP and the content management system of the layui framework is used in the background.

In the code audit, it was found that there was an XML external entity injection vulnerability in the wechat interface, and later communicated with the small partner sn00py, which he also found. There are few code instances of XML external entity injection vulnerabilities. Let's share some ideas here.

Cltphp official website: http://www.cltphp.com

Website source code version: cltphp content management system version 5.5.3

Source code download: https://gitee.com/chichu/cltphp

Default background address: http://127.0.0.1/admin/login/index.html

Default account password: background login name: admin Password: admin123

1. Vulnerability file location: line 100-133 of APP / wchat / controller / wchat.php:

In this code, the XML data is received with file_get_contents ("PHP: / / input") and then brought into the simplexml_load_string function, resulting in XML external entity injection in the implementation of the program. Then look down, how to use it?

The parsing result of XML is returned to $postobj for condition judgment. According to the value of msgtype, it is processed in different reply mechanisms. When msgtype = text, enter the msgtypetext function. Follow up this function:

2. Vulnerability file location: line 141-172 of APP / wchat / controller / wchat.php:

This function performs message reply processing, obtains $contentstr to judge whether it is an array, then carries it into function processing, and finally returns the result. Let's look at the event_key_text function:

3. Vulnerability file location: line 155-171 of extend / CLT / wchatoauth.php:

Through the sprintf function, six nodes are returned, among which tousername and fromusername are controllable. We can read arbitrary files by constructing payload, which can be used by attackers to obtain sensitive information of websites.

Read the contents of win.ini file by constructing payload

Pauload:http://127.0.0.1/wchat/wchat/getMessage.html

1.  <?xml version="1.0" encoding="utf-8"?>  

2.  <!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "file:///C:/windows/win.ini" >]>  

3.  <root><MsgType>text</MsgType> <ToUserName>&xxe; </ToUserName></root>  

Scheme 1: use the method provided by development language to disable external entities

PHP:libxml_disable_entity_loader(true);

Scheme 2: filter the keywords of XML data submitted by users: <! DOCTYPE and <! Entity, or system and public.

Bypass

About Me

A network security enthusiast has a paranoid pursuit of technology. Committed to sharing original high-quality dry goods, including but not limited to: penetration testing, WAF bypass, code audit, security operation and maintenance.