Notes on vulnerability mining in a Spring Boot project

Foreword

Some time ago a competition used this CMS as its target, and most of the holes in it had already been picked clean by the experts, so I took the opportunity to test the CMS for remaining vulnerabilities and recorded the whole process. I would like to use these notes to share my thoughts with fellow beginners. If there are mistakes, I hope the experts will correct me.

Installation

Refer to the official documentation, which gives very detailed installation instructions. If you run into problems during installation, the official forum has solutions to the common installation failures.

https://gitee.com/iteachyou/dreamer_cms#https://gitee.com/link?target=https%3A%2F%2Fwww.iteachyou.cc%2Farticle%2F55ec2939c29147eca5bebabf19621655


The CMS is built on the Spring Boot framework; the environment needed for installation is Spring Boot + Redis + MySQL + IDEA.

The main configuration files are application-prd.yml and application-dev.yml. You need to configure the MySQL database connection, the Redis connection, and the path of the static web resources. The rest of the installation follows the steps in the documentation linked above.


After a successful installation, visit the login page.


The administrator account and password are given in the documentation, so log in directly.


Vulnerability testing

Arbitrary file editing via style-management templates, leading to command execution

Testing showed that when a theme archive is uploaded through the back-end style management, the theme.json file inside the archive can be tampered with to contain a directory traversal into sensitive server directories. Because no check is performed when template management parses it, arbitrary system files can then be edited, which leads to a shell and control of the server.

The main file responsible for the vulnerability is the theme upload controller, src/main/java/cc/iteachyou/cms/controller/admin/ThemesController.java; look at the add method.


It first checks that the file exists and that the JSON parses correctly; then that the key exists; then that the corresponding value is not empty; it creates a theme object; and it checks whether the configured path starts with "default". Finally it checks whether the various settings of the theme package are correct, and if so the upload succeeds.


However, themePath is never checked for directory traversal, so a traversal sequence can be supplied in it; this is the key cause of the vulnerability.

Finally, once all the information in the uploaded archive has been judged correct, execution enters the save method, which handles saving the file.


In the \dreamer\dreamer-cms\templates\default_v3\theme.json file inside the uploaded theme package, replace the theme package path with a directory traversal sequence. After the change, theme.json reads as follows:

{
    "themeName":"新版主题",
    "themeImage":"http://localhost:8888/resource/img/dreamercms-logo.png",
    "themeAuthor":"",
    "themePath":"../../../../../../../../../../../../../../" // this path must match the name of the template folder
}

Although there is a check, themeDir has already been tainted before it runs, so the check is effectively absent.
Next comes the permission check; the startsWith method poses no obstacle either.


The last step saves the file. At this point the back-end template has been tainted by the traversal sequence that was passed in and can be used. The effect is as follows:

Upload the modified theme package.


A new theme appears on the style page.


Click Enable, then open the template management page: the directory traversal has succeeded and the server's root directory is listed. From here it is just like editing files on your own server.


The test file is 1.txt in the /home/www directory, which was originally empty.


Modify the file on the page and add some content.


Save it, then check on the server: the content has been added.


If the authorized_keys file is modified, it becomes possible to log in without a password; combined with the weak archive verification, any dangerous file, such as a one-line webshell, can be uploaded to gain system privileges; the system passwd file can be read for sensitive information; and scheduled tasks can be written to execute commands.

This concludes the analysis of this vulnerability.

Arbitrary file download and deletion via attachment management

The main file responsible for the vulnerability is src/main/java/cc/iteachyou/cms/controller/admin/AttachmentController.java. The code of the add-attachment function is as follows:


First, an attachment must be added. The attachment parameter is not filtered here, so a directory traversal sequence is preserved when the attachment is saved, and once it is parsed, the specified server file can be downloaded or deleted at will, which threatens the server.

The download and delete functions are in the same file; both receive the attachment parameter just described and then call attachment.getFilepath() to obtain and parse the server file path.

First, the download function:


The filePath variable is not filtered here either. In short, neither the add-attachment code nor the download-attachment code checks or filters the relevant variables, which produces the vulnerability.

The delete function:


Deletion works on the same principle, so there is little more to say. Imagine being able to delete the server's configuration files at will: that amounts to crashing the server.

The vulnerability demo is as follows:

Again use the 1.txt file in /home/www from before.


In the attachment module, upload any local file (here a file named theme.txt).


Burp Suite captures the request as follows:


The value to change is the file path in the filepath parameter, which is changed to

../../../../../../../../../../../../../home/www/1.txt

Then forward the request.


Refresh the page: a new theme.txt file appears. Download and open it:


The content 193840sswwloP from /home/www/1.txt on the server has been written into the local theme.txt file; arbitrary file download succeeds.

To test deletion, click Delete on the right.


The 1.txt file has been deleted; arbitrary file deletion succeeds.

Arbitrary file inclusion in template management

The main file responsible for the vulnerability: src/main/java/cc/iteachyou/cms/taglib/tags/IncludeTag.java


The if statement only checks whether the value is empty and does not filter any characters, so a directory traversal sequence such as ../../../../../../../../../../../../../home/www/1.txt can be passed in to include the file and read its contents. Then find index_about.html in template management.

Write ../../../../../../../../../../../../../home/www/1.txt into the div tag and save, as shown in the figure below.


Then visit About Us on the homepage:


The file inclusion has succeeded. If /home/www/1.txt is replaced with a sensitive file such as /etc/passwd, an attacker obtains key information. This is tested here as well:
modify the path.


The page outputs the contents of /etc/passwd as expected.

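All three findings share one root cause: a path taken from user input (themePath in ThemesController.add, filepath in AttachmentController, the include path in IncludeTag) is joined to a base directory without checking that the result stays inside it. The following is an added example of the missing check, written for this article and not Dreamer CMS code; the `templates` base directory and the class name are assumptions.

```java
// Added example (not Dreamer CMS code): resolve a user-supplied path under a fixed
// base directory and reject anything that normalizes outside it.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafePath {
    /** Thrown when a supplied path would land outside the allowed base. */
    public static final class PathEscapeException extends RuntimeException {
        PathEscapeException(String msg) { super(msg); }
    }

    // Returns base/userPath only if the normalized result is still inside base.
    // Path.startsWith compares whole components, unlike the String "default" prefix
    // check in the article, so "../" runs, absolute inputs and look-alike siblings fail.
    public static Path resolveInside(Path base, String userPath) throws IOException {
        if (userPath == null || userPath.isBlank()) {
            throw new PathEscapeException("empty path");
        }
        Path baseAbs = base.toAbsolutePath().normalize();
        Path candidate = baseAbs.resolve(userPath).normalize();
        if (!candidate.startsWith(baseAbs)) {
            throw new PathEscapeException("path escapes base: " + userPath);
        }
        if (Files.exists(candidate)) {
            // Follow symlinks and re-check, so a link inside base cannot point outside.
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseAbs.toRealPath())) {
                throw new PathEscapeException("symlink escapes base: " + userPath);
            }
            return real;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path templates = Paths.get("templates"); // assumed template base directory
        System.out.println(resolveInside(templates, "default_v3")); // legitimate themePath
        // On Linux, the traversal payloads used in this article are all rejected.
        for (String bad : new String[] {"../../../../../../../../../../../../../../",
                "../../../../../../../../../../../../../home/www/1.txt", "/etc/passwd"}) {
            try {
                resolveInside(templates, bad);
            } catch (PathEscapeException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The same helper applies to all three code paths: call it before the theme save, before attachment.getFilepath() is used for download or delete, and before IncludeTag reads the file, and treat PathEscapeException as a rejected request.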

Summary

The tests in this article were carried out on an old version of the CMS; the new version has fixed these problems. This round of vulnerability mining in a Java CMS was rewarding, and the points to watch in CMS installation, deployment and code audit got a good workout.


Source: blog.csdn.net/qq_38154820/article/details/130560388