Empire CMS (Empire CMS) v7.5 background arbitrary code execution

Time:2019-10-18

Empire CMS (Empire CMS) v7.5 background arbitrary code execution

I. vulnerability description

When the EmpireCMS 7.5 and earlier are backing up the database in the background, the database table name is not verified, and arbitrary code execution can be realized by modifying the database table name.

II. Affected version

EmpireCMS<=7.5

III. environment construction

1. Official download address: http://www.phome.net/download/

2. Put all directories and files under upload in the downloaded files into the root directory of the website.

3. Modify the php.ini configuration file. The short label must be enabled in the PHP environment, or the installation will prompt that it cannot be installed.

  

4. Set short ﹣ open ﹣ tag = on in php.ini and restart phpstudy.

  

5. Then start the installation. Refer to https://jingyan.baidu.com/article/48b37f8dcc014b1a656487c.html for the installation process.

IV. loophole recurrence

1. Check the code E / admin / EBAK / phome.php to receive the parameters passed by the backup database, and then pass them to the ebak_doebak function.

  

2. Follow up the location of the EBAK · doebak function, and you can see that the database table name is passed to the variable $tablename.

  

3. Continue to browse the code. You can see the following code. Traverse the table name and assign it to $B table and $d table. Use reppostvar function to process the table name. When $d table is spliced into $TB array, no double quotes are added to the key name.

  

4. In the process of generating config.php file, the $d_table is not processed and directly spliced into the string of the generated file, resulting in arbitrary code execution vulnerability.

  

5. Visit the background

  

6. Click the following figure in turn, and select one data table to be backed up.

  

7. Click “start backup” to grab the package and modify the value of tablename parameter.

  

8. You can see the response packets and back them up successfully.

  

9. View backed up files

  

10. Visit config.php in the backup directory, and you can see that phpinfo is executed successfully.

  

11. At this time, check the config.php file.