0x00 环境准备

大米CMS官网：http://www.damicms.com

网站源码版本：大米CMS_V5.5.3试用版(更新时间：2017-04-15)

程序源码下载：http://www.damicms.com/downes/dami.rar

测试网站首页：

0x01 代码分析

1、漏洞文件位置：/Admin/Lib/Action/ConfigAction.class.php 第213-225行：

$config_file = "./Public/Config/config.ini.php";
$fp = fopen($config_file,"r");
$configStr = fread($fp,filesize($config_file));
fclose($fp);
$configStr = preg_replace("/'MAIL_TRADE'=>.*.,/","'MAIL_TRADE'=>".htmlspecialchars($_POST['MAIL_TRADE']).",",$configStr);
$configStr = preg_replace("/'MAIL_SMTP_SERVER'=>'.*'/","'MAIL_SMTP_SERVER'=>'".(string)$_POST['MAIL_SMTP_SERVER']."'",$configStr);
$configStr = preg_replace("/'MAIL_FROM'=>'.*'/","'MAIL_FROM'=>'".htmlspecialchars($_POST['MAIL_FROM'])."'",$configStr);
if(C('MAIL_PASSSWORD') != $_POST['MAIL_PASSSWORD']){$configStr = preg_replace("/'MAIL_PASSSWORD'=>'.*'/","'MAIL_PASSSWORD'=>'".dami_encrypt($_POST['MAIL_PASSSWORD'])."'",$configStr);}
$configStr = preg_replace("/'MAIL_TOADMIN'=>'.*'/","'MAIL_TOADMIN'=>'".htmlspecialchars($_POST['MAIL_TOADMIN'])."'",$configStr);

10. $configStr = preg_replace("/'MAIL_PORT'=>.*.,/","'MAIL_PORT'=>".htmlspecialchars($_POST['MAIL_PORT']).",",$configStr);

11. $fp = fopen($config_file,"w") or die("<script>alert('写入配置失败，请检查安装目录/Public/Config/config.ini.php是否可写入！');history.go(-1);</script>");

12. fwrite($fp,$configStr);

13. fclose($fp);

这段函数中，首先读取配置文件，然后通过正则匹配字符串，最后写入配置中。我们可以看到MAIL_TRADE、MAIL_FROM、MAIL_TOADMIN、MAIL_PORT等参数是用通过htmlspecialchars函数处理，MAIL_PASSSWORD是经过加密处理的，然后写入配置文件的。唯独只有一个MAIL_SMTP_SERVER参数是没有任何处理的，直接写入配置文件的。攻击者可以构造脚本代码写入配置文件，从而导致程序在实现上存在代码执行漏洞，攻击者可利用该漏洞获取敏感信息。最后控制网站服务器权限