前言
感觉自己还是对php审计有点不懂,遂找了个cms复现了一下几个类型的洞,本人小白一个,大佬请绕道嘻嘻。
正文
小插曲:首先源码拉下来本地搭建的时候死活不行,后来看了index发现,原来判断了install下是否存在install.lock防止重装,而源码拉下来的时候就已经存在install.lock了。
有些是参考的,有的没有查到相关的只能自己硬着头皮找了。
第一处:sqli
进后台随便点点,看下这请求,
GET /tuzicms-master/index.php/Manage/Download/index/id/11 HTTP/1.1
这路由各位师傅们应该都懂了。
在App/Manage/Controller/AdvertController.class.php中
image
id直接进行了拼接,验证:
image
数据库用户信息:
image
后面发现很多controller中都是用id=$id写的,便全局搜索:
image
发现有20多个,去相关漏洞信息库上搜索了一下,发现也确实有这么多的提交。
image
然后全局搜索:
<pre style="padding: 16px; font: 12.75px / 1.6 Consolas, "Liberation Mono", Menlo, Courier, monospace; color: rgb(51, 51, 51); border-radius: 3px; display: block; margin: 0px; word-break: normal; overflow-wrap: normal; white-space: pre-wrap; background-color: rgb(247, 247, 247); border: 1px solid rgba(0, 0, 0, 0.15); box-sizing: border-box; overflow: auto;">_fe
</pre>
image
发现是一个设置分页配置信息的:
<pre style="padding: 16px; font: 12.75px / 1.6 Consolas, "Liberation Mono", Menlo, Courier, monospace; color: rgb(51, 51, 51); border-radius: 3px; display: block; margin: 0px; word-break: normal; overflow-wrap: normal; white-space: pre-wrap; background-color: rgb(247, 247, 247); border: 1px solid rgba(0, 0, 0, 0.15); box-sizing: border-box; overflow: auto;">public function do_fenye() {
//**判断是否有限权,显示登录管理员信息
_SESSION['id'];
//dump(m=D('Admin');
m->find(
arr=
arr);
//exit;
if (this->error('你不是超级管理员,没有限权!');
}
//exit;
//定义配置文件的路径
setfile);
// exit;
//文章模型分页参数
cache_index=array(
'PAGE_ARTICLE__HOME' => $arr,
);
cache_index_ok=array_merge(
cache_index_post);
//产品模型分页参数
cache_group=array(
'PAGE_PRODUCT__HOME' => $arr,
);
cache_group_ok=array_merge(
cache_group_post);
//图片模型分页参数
cache_detail=array(
'PAGE_PHOTO__HOME' => $arr,
);
cache_detail_ok=array_merge(
cache_detail_post);
//下载模型分页参数
download_detail=array(
'PAGE_DOWNLOAD__HOME' => $arr,
);
download_detail_ok=array_merge(
download_detail_post);
//将配置文件的结构列出来,然后把要修改的参数用变量代替,执行覆盖操作即可。
c as
v){
key."'=>".$v.",\n";
}
foreach(key=>
settingstr.= "\n\t'".
v."',\n";
}
foreach(key=>
settingstr.= "\n\t'".
v."',\n";
}
foreach(key=>
settingstr.= "\n\t'".
v."',\n";
}
foreach(key=>
settingstr.= "\n\t'".
v."',\n";
}
$settingstr.="\n);\n?>\n";
// dump($settingstr);
// exit;
if (file_put_contents(settingstr)){//通过file_put_contents保存setting.config.php文件
this->error('修改失败,请修改要更改文件的权限!');
}
}
</pre>
可以看到后面存在了很多拼接,通过](https://xzfile.aliyuncs.com/media/upload/picture/20220201150632-7c190fb2-832d-1.png) 看第一个配置: [](https://xzfile.aliyuncs.com/media/upload/picture/20220201150730-9f2b5334-832d-1.png) 实际上就是post一个 PAGE_ARTICLE__HOME, 通过C()获取的](https://math.jianshu.com/math?formula=setfile%3DCONF_PATH.%22config_fenye.php%22%3B%E5%8F%91%E7%8E%B0%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E4%B8%BA%20%5B!%5Bimage%5D(https%3A%2F%2Fupload-images.jianshu.io%2Fupload_images%2F27712517-db58c00eb7e32de3.png%3FimageMogr2%2Fauto-orient%2Fstrip%257CimageView2%2F2%2Fw%2F1240)%5D(https%3A%2F%2Fxzfile.aliyuncs.com%2Fmedia%2Fupload%2Fpicture%2F20220201150632-7c190fb2-832d-1.png)%20%E7%9C%8B%E7%AC%AC%E4%B8%80%E4%B8%AA%E9%85%8D%E7%BD%AE%EF%BC%9A%20%5B!%5Bimage%5D(https%3A%2F%2Fupload-images.jianshu.io%2Fupload_images%2F27712517-9b8b7d23eb1404ad.png%3FimageMogr2%2Fauto-orient%2Fstrip%257CimageView2%2F2%2Fw%2F1240)%5D(https%3A%2F%2Fxzfile.aliyuncs.com%2Fmedia%2Fupload%2Fpicture%2F20220201150730-9f2b5334-832d-1.png)%20%E5%AE%9E%E9%99%85%E4%B8%8A%E5%B0%B1%E6%98%AFpost%E4%B8%80%E4%B8%AA%20PAGE_ARTICLE__HOME%EF%BC%8C%20%E9%80%9A%E8%BF%87C()%E8%8E%B7%E5%8F%96%E7%9A%84)
arr被array_merge覆盖了
再看I():
image
获取传递的变量,其中有个$filter,没有指定一般是默认,
image
搜索一下:
image
这两个htmlspecialchars,strip_tags对'的效果:
image
因此可以闭合来写shell:
image
image
image
直接拼接,没什么好说的
image
第四处前台反射xss
payload:
GET index.php/article/group/id/2/" onmouseover=alert(/xss/) /
image
一般这种大概流程就是输入-数据库-返回-调用模板-解析-返回前台(理解比较浅显),然后调试跟踪到返回url赋值的地方:
image
前面是APP拼接,值已经是:
image
再往回走发现,APP在这里定义:
image
那往回看PHP_FILE
<pre style="padding: 16px; font: 12.75px / 1.6 Consolas, "Liberation Mono", Menlo, Courier, monospace; color: rgb(51, 51, 51); border-radius: 3px; display: block; margin: 0px; word-break: normal; overflow-wrap: normal; white-space: pre-wrap; background-color: rgb(247, 247, 247); border: 1px solid rgba(0, 0, 0, 0.15); box-sizing: border-box; overflow: auto;">if(!defined('APP')){
urlMode == URL_COMPAT ){// 兼容模式判断
define('PHP_FILE',PHP_FILE.'?'.urlMode == URL_REWRITE ) {
url == '/' ||
url = '';
define('PHP_FILE',$url);
}else {
define('PHP_FILE',PHP_FILE);
}
</pre>
image
发现直接通过
![_SERVER['SCRIPT_NAME']来定义 而一开始 [](https://xzfile.aliyuncs.com/media/upload/picture/20220202104253-d201492c-83d1-1.png) SCRIPT_NAME的就已经包含payload了,百度搜索了一波,发现 [](https://math.jianshu.com/math?formula=_SERVER%5B'SCRIPT_NAME'%5D%E6%9D%A5%E5%AE%9A%E4%B9%89%20%E8%80%8C%E4%B8%80%E5%BC%80%E5%A7%8B%20%5B!%5Bimage%5D(https%3A%2F%2Fupload-images.jianshu.io%2Fupload_images%2F27712517-c67d109b83917649.png%3FimageMogr2%2Fauto-orient%2Fstrip%257CimageView2%2F2%2Fw%2F1240)%5D(https%3A%2F%2Fxzfile.aliyuncs.com%2Fmedia%2Fupload%2Fpicture%2F20220202104253-d201492c-83d1-1.png)%20SCRIPT_NAME%E7%9A%84%E5%B0%B1%E5%B7%B2%E7%BB%8F%E5%8C%85%E5%90%ABpayload%E4%BA%86%EF%BC%8C%E7%99%BE%E5%BA%A6%E6%90%9C%E7%B4%A2%E4%BA%86%E4%B8%80%E6%B3%A2%EF%BC%8C%E5%8F%91%E7%8E%B0%20%5B)
_SERVER[SCRIPT_NAME]变量可值注入恶意代码](https://www.freebuf.com/articles/web/166263.html "$_SERVER[SCRIPT_NAME]变量可值注入恶意代码")这个xss大概分析了一下,感谢,又学到了。
网友评论