Empire CMS v7.5 Configuration File Write Vulnerability Analysis
I. Vulnerability Description
This vulnerability exists because user input is not strictly filtered while the program is being installed. User-controllable parameters are therefore written into the configuration file, which leads to arbitrary code execution.
II. Vulnerability Reproduction
1. The vulnerable location is as follows. The phome_ table prefix is not strictly filtered, which allows an attacker to construct malicious code.
2. Locating the vulnerability: in /e/install/index.php, the table-name prefix phome_ can be seen in the figure below; the mydbtbpre parameter is used to obtain the table-name prefix.
3. A full-text search for $mydbtbpre, followed by tracing how the parameter is passed on, shows that the table prefix entered by the user on the front end is substituted in and then carried into the SQL statements used to create the tables. At no point along this path is the front-end data strictly filtered.
4. While the tables are being created, the configuration data and the user-controlled table prefix are written to the config.php configuration file.
5. Code analysis of the entire install process shows that no user data is filtered at any stage, which is what makes it possible to write code into the configuration file.
5.1. Capture the page where the vulnerability exists with Burp, modify the value of the phome parameter, and construct the payload. The payload is as follows:
5.2. Enter the specially constructed payload as the value of the phome parameter in Burp.
6. Check the config.php configuration file: the payload was written into it successfully.
7. Visit the end-of-installation page again: http://192.168.10.171/empirecms/e/install/index.php?Enews=moddata&f=4&ok=1&defaultdata=1
8. Construct a special payload to get a shell.
9. Connect with China Chopper (Caidao); the getshell succeeds.
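The root cause traced in steps 3 to 5 is an installer that interpolates a request value straight into PHP source. The following is an added example written for this analysis, not Empire CMS code: it shows that unsafe pattern next to a hardened writer that allowlists the prefix and lets var_export() produce the literal. The request parameter name mydbtbpre is taken from the write-up; the config variable $db_tbpre and the output path are placeholders.

```php
<?php
// Added example (not Empire CMS code). $db_tbpre and the file path are
// placeholders; "mydbtbpre" is the request parameter named in the write-up.

// Unsafe pattern: the raw request value becomes part of PHP source. Any value
// that ends the string literal is executed the next time config.php is included.
function write_config_unsafe(string $prefix, string $path): void
{
    $src = "<?php\n\$db_tbpre='" . $prefix . "';\n";
    file_put_contents($path, $src);
}

// Hardened: a table prefix only ever needs identifier characters, so reject
// anything else before it gets near the file.
function validate_table_prefix(string $prefix): string
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,31}$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    return $prefix;
}

function write_config_safe(string $prefix, string $path): void
{
    $clean = validate_table_prefix($prefix);
    // var_export() emits a correctly quoted PHP string literal, so even a value
    // that somehow passed the allowlist could not break out of the literal.
    $src = "<?php\n\$db_tbpre = " . var_export($clean, true) . ";\n";
    // Write to a temp file and rename so a half-written config is never included.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $src, LOCK_EX);
    rename($tmp, $path);
}

// Demonstration on constructed input: the default prefix is accepted, while a
// value containing a quote is rejected before anything is written.
$target = sys_get_temp_dir() . '/config_demo.php';
write_config_safe($_POST['mydbtbpre'] ?? 'phome_', $target);
echo file_get_contents($target);
try {
    write_config_safe("phome'_", $target);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Validation of the value is the fix for the defect described above; independently of it, an installer that can still be reached after setup completes (step 7 revisits it) should be removed or made unreachable once installation is done.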