骑士CMS(20141027)多个漏洞组合可致所有数据泄露+getshell

admin
admin
admin
146004
文章
119
评论
2015年7月25日07:21:03评论242 views字数 267阅读0分53秒阅读模式
摘要

2014-10-30: 细节已通知厂商并且等待厂商处理中
2014-11-03: 厂商已经确认,细节仅向厂商公开
2014-11-06: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息)
2014-12-28: 细节向核心白帽子及相关领域专家公开
2015-01-07: 细节向普通白帽子公开
2015-01-17: 细节向实习白帽子公开
2015-01-28: 细节向公众公开

漏洞概要 关注数(22) 关注此漏洞

缺陷编号: WooYun-2014-81223

漏洞标题: 骑士CMS(20141027)多个漏洞组合可致所有数据泄露+getshell 骑士CMS(20141027)多个漏洞组合可致所有数据泄露+getshell

相关厂商: 74cms.com

漏洞作者: 龟兔赛跑

提交时间: 2014-10-30 18:47

公开时间: 2015-01-28 18:48

漏洞类型: 设计缺陷/逻辑错误

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: webshell SQL注入 逻辑错误 php源码审核 webshell webshell

6人收藏

漏洞详情

披露状态:

2014-10-30: 细节已通知厂商并且等待厂商处理中
2014-11-03: 厂商已经确认,细节仅向厂商公开
2014-11-06: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2014-12-28: 细节向核心白帽子及相关领域专家公开
2015-01-07: 细节向普通白帽子公开
2015-01-17: 细节向实习白帽子公开
2015-01-28: 细节向公众公开

简要描述:

专注挖魂。。。

74cms_v3.5.1_20141027.zip 无限制SQL注入

详细说明:

刚下了个74cms_v3.5.1_20141027.zip,diff了一下发现了下面的改动:

code 区域 
diff -Nurp upload.1020/plus/weixin.php upload.1027/plus/weixin.php
 --- upload.1020/plus/weixin.php 2014-10-18 12:14:22.000000000 +0800
 +++ upload.1027/plus/weixin.php 2014-10-25 14:45:22.000000000 +0800
 @@ -21,10 +21,10 @@ class wechatCallbackapiTest extends mysq
      }
      public function responseMsg()
      {
 -  if(!$this->checkSignature())
 -  {
 -         exit();
 -        }
 +  // if(!$this->checkSignature())
 +  // {
 +  //        exit();
 +  //       }
    $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
    if (!empty($postStr))
    {

注释调了checkSignature(),是为了啥?????

http://**.**.**.**/bugs/wooyun-2014-075009曾经分析过这里的XXE漏洞以及SQLI,不过,被次利用的是另外两个BUG。

先看code.

code 区域 
class wechatCallbackapiTest extends mysql
 {
  public function valid()
     {
         $echoStr = $_GET["echostr"];
         if($this->checkSignature())
   {
          exit($echoStr);
         }
     }
     public function responseMsg()
     {
   // if(!$this->checkSignature())
   // {
   //        exit();
   //       }
   $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
   if (!empty($postStr))
   {
    // libxml_disable_entity_loader(true);
             $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;
             $toUsername = $postObj->ToUserName;
             $keyword = trim($postObj->Content);
    $keyword = utf8_to_gbk($keyword);
    $keyword = addslashes($keyword);
             $time = time();
    $event = trim($postObj->Event);
    
    if ($event === "subscribe")
    {
     $word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
     $this->exit_word_message($word,$fromUsername,$toUsername,$time);   
    } 
    $default_pic=ROOT."/data/images/".DEFAULT_PIC;
    $first_pic=ROOT."/data/images/".FIRST_PIC;
 
    if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
     if($postObj->EventKey=="binding"){
      $usinfo = $this->get_user_info($fromUsername);
      if(!empty($usinfo)){
       $word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
      }else{
       $word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
 ÀýÈç:ÕÅÈý/123456";
      }
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
 ...
  private function get_user_info($fromUsername){
   $usinfo = array();
   $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
   while($row = $this->fetch_array($usinfo_obj)){
    $usinfo = $row;
   }
   return $usinfo;
  }
code 区域 
$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);

对整个POST_DATA做了addslashes。

code 区域 
$postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;

然后:

code 区域 
$usinfo = $this->get_user_info($fromUsername);
 ===>
 $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");

$fromUsername从simplexml_load_string()后就直接进入了SQL中,addslashes($GLOBALS["HTTP_RAW_POST_DATA"])就解决了所有问题么?答案是否定的。因为XML中特殊字符也可以编码:

code 区域 
特殊字符 特殊含义 实体编码
 > 开始标记 >
 < 结束标记 &lt;
 " 引号 &quot;
 ' 撇号 &apos;
 & 和号 &amp;

也就是说在XML中使用&apos就把'号注入进去了,并且这里post data没有任何过滤,可以注入任何SQL语句,所以我们可以导出整个数据库,甚至getshell.

看到下面的代码,也许有人会说,这里是有条件的,因为这里判断了$_CFG['weixin_apiopen']=='0')。

code 区域 
if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }

不过,这里的$_CFG['weixin_apiopen']真的有效么?下面的代码可以告诉我们:

code 区域 
<?php
 
 $_CFG = 0;
 
 class Test {
     function myprint() {
         echo "$_CFG in class=" . $_CFG;
     }
 }
 
 echo "in file =" . $_CFG;
 $tt = new Test();
 $tt->myprint();
 
 ?>

在浏览器访问一下**.**.**.**:8081/74cms/test.php,结果为:

code 区域 
in file =0
 Notice: Undefined variable: _CFG in /var/www/html/74cms/test.php on line 7
 
 Notice: Undefined variable: _CFG in /var/www/html/74cms/test.php on line 7
 in class=

也就是在class object里面访问$_CFG是无效的。

那么,那么,

code 区域 
$_CFG['weixin_apiopen']=='0'

这个条件就是永远都不会成立的,不管你后台开不开weixin_api。

好了,所有条件限制都排除了,可以直接注入了。

一下为74cms_v3.5.1_20141027默认安装测试:

code 区域 
class wechatCallbackapiTest extends mysql
 {
  public function valid()
     {
         $echoStr = $_GET["echostr"];
         if($this->checkSignature())
   {
          exit($echoStr);
         }
     }
     public function responseMsg()
     {
   // if(!$this->checkSignature())
   // {
   //        exit();
   //       }
   $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
   if (!empty($postStr))
   {
    // libxml_disable_entity_loader(true);
             $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;
             $toUsername = $postObj->ToUserName;
             $keyword = trim($postObj->Content);
    $keyword = utf8_to_gbk($keyword);
    $keyword = addslashes($keyword);
             $time = time();
    $event = trim($postObj->Event);
    
    if ($event === "subscribe")
    {
     $word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
     $this->exit_word_message($word,$fromUsername,$toUsername,$time);   
    } 
    $default_pic=ROOT."/data/images/".DEFAULT_PIC;
    $first_pic=ROOT."/data/images/".FIRST_PIC;
 
    if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
     if($postObj->EventKey=="binding"){
      $usinfo = $this->get_user_info($fromUsername);
      if(!empty($usinfo)){
       $word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
      }else{
       $word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
 ÀýÈç:ÕÅÈý/123456";
      }
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
 ...
  private function get_user_info($fromUsername){
   $usinfo = array();
   $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
   while($row = $this->fetch_array($usinfo_obj)){
    $usinfo = $row;
   }
   return $usinfo;
  }

0

code 区域 
class wechatCallbackapiTest extends mysql
 {
  public function valid()
     {
         $echoStr = $_GET["echostr"];
         if($this->checkSignature())
   {
          exit($echoStr);
         }
     }
     public function responseMsg()
     {
   // if(!$this->checkSignature())
   // {
   //        exit();
   //       }
   $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
   if (!empty($postStr))
   {
    // libxml_disable_entity_loader(true);
             $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;
             $toUsername = $postObj->ToUserName;
             $keyword = trim($postObj->Content);
    $keyword = utf8_to_gbk($keyword);
    $keyword = addslashes($keyword);
             $time = time();
    $event = trim($postObj->Event);
    
    if ($event === "subscribe")
    {
     $word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
     $this->exit_word_message($word,$fromUsername,$toUsername,$time);   
    } 
    $default_pic=ROOT."/data/images/".DEFAULT_PIC;
    $first_pic=ROOT."/data/images/".FIRST_PIC;
 
    if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
     if($postObj->EventKey=="binding"){
      $usinfo = $this->get_user_info($fromUsername);
      if(!empty($usinfo)){
       $word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
      }else{
       $word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
 ÀýÈç:ÕÅÈý/123456";
      }
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
 ...
  private function get_user_info($fromUsername){
   $usinfo = array();
   $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
   while($row = $this->fetch_array($usinfo_obj)){
    $usinfo = $row;
   }
   return $usinfo;
  }

1

UNION SELECT:

code 区域 
class wechatCallbackapiTest extends mysql
 {
  public function valid()
     {
         $echoStr = $_GET["echostr"];
         if($this->checkSignature())
   {
          exit($echoStr);
         }
     }
     public function responseMsg()
     {
   // if(!$this->checkSignature())
   // {
   //        exit();
   //       }
   $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
   if (!empty($postStr))
   {
    // libxml_disable_entity_loader(true);
             $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;
             $toUsername = $postObj->ToUserName;
             $keyword = trim($postObj->Content);
    $keyword = utf8_to_gbk($keyword);
    $keyword = addslashes($keyword);
             $time = time();
    $event = trim($postObj->Event);
    
    if ($event === "subscribe")
    {
     $word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
     $this->exit_word_message($word,$fromUsername,$toUsername,$time);   
    } 
    $default_pic=ROOT."/data/images/".DEFAULT_PIC;
    $first_pic=ROOT."/data/images/".FIRST_PIC;
 
    if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
     if($postObj->EventKey=="binding"){
      $usinfo = $this->get_user_info($fromUsername);
      if(!empty($usinfo)){
       $word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
      }else{
       $word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
 ÀýÈç:ÕÅÈý/123456";
      }
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
 ...
  private function get_user_info($fromUsername){
   $usinfo = array();
   $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
   while($row = $this->fetch_array($usinfo_obj)){
    $usinfo = $row;
   }
   return $usinfo;
  }

2

code 区域 
class wechatCallbackapiTest extends mysql
 {
  public function valid()
     {
         $echoStr = $_GET["echostr"];
         if($this->checkSignature())
   {
          exit($echoStr);
         }
     }
     public function responseMsg()
     {
   // if(!$this->checkSignature())
   // {
   //        exit();
   //       }
   $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
   if (!empty($postStr))
   {
    // libxml_disable_entity_loader(true);
             $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;
             $toUsername = $postObj->ToUserName;
             $keyword = trim($postObj->Content);
    $keyword = utf8_to_gbk($keyword);
    $keyword = addslashes($keyword);
             $time = time();
    $event = trim($postObj->Event);
    
    if ($event === "subscribe")
    {
     $word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
     $this->exit_word_message($word,$fromUsername,$toUsername,$time);   
    } 
    $default_pic=ROOT."/data/images/".DEFAULT_PIC;
    $first_pic=ROOT."/data/images/".FIRST_PIC;
 
    if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
     if($postObj->EventKey=="binding"){
      $usinfo = $this->get_user_info($fromUsername);
      if(!empty($usinfo)){
       $word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
      }else{
       $word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
 ÀýÈç:ÕÅÈý/123456";
      }
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
 ...
  private function get_user_info($fromUsername){
   $usinfo = array();
   $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
   while($row = $this->fetch_array($usinfo_obj)){
    $usinfo = $row;
   }
   return $usinfo;
  }

3

获取支付相关的key:

code 区域 
class wechatCallbackapiTest extends mysql
 {
  public function valid()
     {
         $echoStr = $_GET["echostr"];
         if($this->checkSignature())
   {
          exit($echoStr);
         }
     }
     public function responseMsg()
     {
   // if(!$this->checkSignature())
   // {
   //        exit();
   //       }
   $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
   if (!empty($postStr))
   {
    // libxml_disable_entity_loader(true);
             $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;
             $toUsername = $postObj->ToUserName;
             $keyword = trim($postObj->Content);
    $keyword = utf8_to_gbk($keyword);
    $keyword = addslashes($keyword);
             $time = time();
    $event = trim($postObj->Event);
    
    if ($event === "subscribe")
    {
     $word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
     $this->exit_word_message($word,$fromUsername,$toUsername,$time);   
    } 
    $default_pic=ROOT."/data/images/".DEFAULT_PIC;
    $first_pic=ROOT."/data/images/".FIRST_PIC;
 
    if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
     if($postObj->EventKey=="binding"){
      $usinfo = $this->get_user_info($fromUsername);
      if(!empty($usinfo)){
       $word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
      }else{
       $word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
 ÀýÈç:ÕÅÈý/123456";
      }
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
 ...
  private function get_user_info($fromUsername){
   $usinfo = array();
   $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
   while($row = $this->fetch_array($usinfo_obj)){
    $usinfo = $row;
   }
   return $usinfo;
  }

4

code 区域 
class wechatCallbackapiTest extends mysql
 {
  public function valid()
     {
         $echoStr = $_GET["echostr"];
         if($this->checkSignature())
   {
          exit($echoStr);
         }
     }
     public function responseMsg()
     {
   // if(!$this->checkSignature())
   // {
   //        exit();
   //       }
   $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
   if (!empty($postStr))
   {
    // libxml_disable_entity_loader(true);
             $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;
             $toUsername = $postObj->ToUserName;
             $keyword = trim($postObj->Content);
    $keyword = utf8_to_gbk($keyword);
    $keyword = addslashes($keyword);
             $time = time();
    $event = trim($postObj->Event);
    
    if ($event === "subscribe")
    {
     $word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
     $this->exit_word_message($word,$fromUsername,$toUsername,$time);   
    } 
    $default_pic=ROOT."/data/images/".DEFAULT_PIC;
    $first_pic=ROOT."/data/images/".FIRST_PIC;
 
    if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
     if($postObj->EventKey=="binding"){
      $usinfo = $this->get_user_info($fromUsername);
      if(!empty($usinfo)){
       $word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
      }else{
       $word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
 ÀýÈç:ÕÅÈý/123456";
      }
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
 ...
  private function get_user_info($fromUsername){
   $usinfo = array();
   $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
   while($row = $this->fetch_array($usinfo_obj)){
    $usinfo = $row;
   }
   return $usinfo;
  }

5

错误信息里面的

code 区域 
class wechatCallbackapiTest extends mysql
 {
  public function valid()
     {
         $echoStr = $_GET["echostr"];
         if($this->checkSignature())
   {
          exit($echoStr);
         }
     }
     public function responseMsg()
     {
   // if(!$this->checkSignature())
   // {
   //        exit();
   //       }
   $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
   if (!empty($postStr))
   {
    // libxml_disable_entity_loader(true);
             $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;
             $toUsername = $postObj->ToUserName;
             $keyword = trim($postObj->Content);
    $keyword = utf8_to_gbk($keyword);
    $keyword = addslashes($keyword);
             $time = time();
    $event = trim($postObj->Event);
    
    if ($event === "subscribe")
    {
     $word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
     $this->exit_word_message($word,$fromUsername,$toUsername,$time);   
    } 
    $default_pic=ROOT."/data/images/".DEFAULT_PIC;
    $first_pic=ROOT."/data/images/".FIRST_PIC;
 
    if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
     if($postObj->EventKey=="binding"){
      $usinfo = $this->get_user_info($fromUsername);
      if(!empty($usinfo)){
       $word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
      }else{
       $word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
 ÀýÈç:ÕÅÈý/123456";
      }
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
 ...
  private function get_user_info($fromUsername){
   $usinfo = array();
   $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
   while($row = $this->fetch_array($usinfo_obj)){
    $usinfo = $row;
   }
   return $usinfo;
  }

6

就是表里面的数据。

管理员表:

code 区域 
class wechatCallbackapiTest extends mysql
 {
  public function valid()
     {
         $echoStr = $_GET["echostr"];
         if($this->checkSignature())
   {
          exit($echoStr);
         }
     }
     public function responseMsg()
     {
   // if(!$this->checkSignature())
   // {
   //        exit();
   //       }
   $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
   if (!empty($postStr))
   {
    // libxml_disable_entity_loader(true);
             $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;
             $toUsername = $postObj->ToUserName;
             $keyword = trim($postObj->Content);
    $keyword = utf8_to_gbk($keyword);
    $keyword = addslashes($keyword);
             $time = time();
    $event = trim($postObj->Event);
    
    if ($event === "subscribe")
    {
     $word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
     $this->exit_word_message($word,$fromUsername,$toUsername,$time);   
    } 
    $default_pic=ROOT."/data/images/".DEFAULT_PIC;
    $first_pic=ROOT."/data/images/".FIRST_PIC;
 
    if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
     if($postObj->EventKey=="binding"){
      $usinfo = $this->get_user_info($fromUsername);
      if(!empty($usinfo)){
       $word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
      }else{
       $word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
 ÀýÈç:ÕÅÈý/123456";
      }
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
 ...
  private function get_user_info($fromUsername){
   $usinfo = array();
   $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
   while($row = $this->fetch_array($usinfo_obj)){
    $usinfo = $row;
   }
   return $usinfo;
  }

7

code 区域 
class wechatCallbackapiTest extends mysql
 {
  public function valid()
     {
         $echoStr = $_GET["echostr"];
         if($this->checkSignature())
   {
          exit($echoStr);
         }
     }
     public function responseMsg()
     {
   // if(!$this->checkSignature())
   // {
   //        exit();
   //       }
   $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
   if (!empty($postStr))
   {
    // libxml_disable_entity_loader(true);
             $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;
             $toUsername = $postObj->ToUserName;
             $keyword = trim($postObj->Content);
    $keyword = utf8_to_gbk($keyword);
    $keyword = addslashes($keyword);
             $time = time();
    $event = trim($postObj->Event);
    
    if ($event === "subscribe")
    {
     $word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
     $this->exit_word_message($word,$fromUsername,$toUsername,$time);   
    } 
    $default_pic=ROOT."/data/images/".DEFAULT_PIC;
    $first_pic=ROOT."/data/images/".FIRST_PIC;
 
    if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
     if($postObj->EventKey=="binding"){
      $usinfo = $this->get_user_info($fromUsername);
      if(!empty($usinfo)){
       $word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
      }else{
       $word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
 ÀýÈç:ÕÅÈý/123456";
      }
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
 ...
  private function get_user_info($fromUsername){
   $usinfo = array();
   $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
   while($row = $this->fetch_array($usinfo_obj)){
    $usinfo = $row;
   }
   return $usinfo;
  }

8

getshell:

code 区域 
class wechatCallbackapiTest extends mysql
 {
  public function valid()
     {
         $echoStr = $_GET["echostr"];
         if($this->checkSignature())
   {
          exit($echoStr);
         }
     }
     public function responseMsg()
     {
   // if(!$this->checkSignature())
   // {
   //        exit();
   //       }
   $postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
   if (!empty($postStr))
   {
    // libxml_disable_entity_loader(true);
             $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
             $fromUsername = $postObj->FromUserName;
             $toUsername = $postObj->ToUserName;
             $keyword = trim($postObj->Content);
    $keyword = utf8_to_gbk($keyword);
    $keyword = addslashes($keyword);
             $time = time();
    $event = trim($postObj->Event);
    
    if ($event === "subscribe")
    {
     $word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
     $this->exit_word_message($word,$fromUsername,$toUsername,$time);   
    } 
    $default_pic=ROOT."/data/images/".DEFAULT_PIC;
    $first_pic=ROOT."/data/images/".FIRST_PIC;
 
    if($event === "CLICK"){
     if($_CFG['weixin_apiopen']=='0')
     {
      $word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
     if($postObj->EventKey=="binding"){
      $usinfo = $this->get_user_info($fromUsername);
      if(!empty($usinfo)){
       $word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
      }else{
       $word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
 ÀýÈç:ÕÅÈý/123456";
      }
      $this->exit_word_message($word,$fromUsername,$toUsername,$time);
     }
 ...
  private function get_user_info($fromUsername){
   $usinfo = array();
   $usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
   while($row = $this->fetch_array($usinfo_obj)){
    $usinfo = $row;
   }
   return $usinfo;
  }

9

返回错误:

code 区域 
$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);

0

这是因为写shell.php需要有写权限,data目录不行。

但是,但是,我们也可以找一个肯定有写权限的目录:

注册一个普通用户,长传一个头像,这是会建立0777权限的目录:'data/avatar/100/2014',shell就传到这个目录吧。

code 区域 
$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);

1

code 区域 
$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);

2

浏览器访问:

**.**.**.**:8081/74cms/data/avatar/100/2014/shell.php

骑士CMS(20141027)多个漏洞组合可致所有数据泄露+getshell

漏洞证明:

获取支付相关的key:

code 区域 
$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);

3

code 区域 
$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);

4

管理员表:

code 区域 
$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);

5

code 区域 
$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);

6

getshell:

骑士CMS(20141027)多个漏洞组合可致所有数据泄露+getshell

修复方案:

1. checkSignature()不需要了?

2. if($_CFG['weixin_apiopen']=='0') always不成立,文件最前面用:

define("APIOPEN", $_CFG['weixin_apiopen']);吧。

3. $postObj的每个元素使用前先addslashes()

4. 上传图片文件的目录不需要用0777的权限吧。

版权声明:转载请注明来源 龟兔赛跑@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-11-03 15:25

厂商回复:

感谢反馈!

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2014-10-30 19:19 | 玉林嘎 骑士CMS(20141027)多个漏洞组合可致所有数据泄露+getshell ( 普通白帽子 | Rank:941 漏洞数:108 )

    2

    shell 终于来了

  2. 2014-11-01 04:16 | h4ckhell00 ( 路人 | Rank:18 漏洞数:4 | 最温暖的两个字是什么?1、我在。2、别怕。...)

    0

    shell 终于来了

  3. 2014-11-01 07:47 | 老和尚 ( 普通白帽子 | Rank:223 漏洞数:45 )

    0

    龟兔,你拿了多少钱啊

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin